Posted on October 21, 2020 at 11:30 AM
A security researcher discovered three major bugs in MobileIron’s MDM servers, and while the patches are out, many firms did not apply them, leaving them vulnerable to hacking attacks.
About a month ago, a security researcher known as Orange Tsai uncovered three critical bugs in Mobile Device Management (MDM) servers created by MobileIron. Now, the servers are being heavily targeted by DDoS attacks from multiple threat actors who are exploiting the vulnerabilities to take over enterprise servers and even break into company networks.
The servers in question are used by enterprises to manage their workers’ mobile devices. System administrators have access to a number of functions, such as deploying apps, certificates and access-control lists. They also have the ability to wipe a phone remotely from the central server in case the device is stolen.
Unfortunately, in order for the servers to provide these functions, they need to be constantly connected to the internet. This also makes them constantly reachable by hackers who might conduct attacks.
The three bugs
As mentioned, the security researcher discovered the three bugs in the MDM servers earlier this year, during the summer. After the bugs were reported to MobileIron, the company quickly patched them back in July.
Tsai also did not release details about the three bugs at the time, nor the steps that bad actors could take to gain access to the servers. He wanted to give companies using the servers time to update their systems and protect their networks and employee devices.
Unfortunately, as is often the case, many of the MDM users failed to do so.
In September, after judging that enough time had passed, Tsai published a more detailed version of his report. However, the report had some unintended consequences: other researchers used it to create PoC exploits for the most dangerous of the three bugs, and they made them public.
It was not long before companies started feeling the consequences
The intention of security researchers who created the proof-of-concept exploits and published them on GitHub was to make it easier for other researchers to conduct tests.
However, since many of the companies had failed to update their systems, it wasn’t long before hackers started using the exploits as well, to conduct real attacks. Within days, the attacks started targeting major corporations, with the first wave arriving in early October.
These first attacks were detected by security researchers at RiskIQ. Unfortunately, little is known about them, as the company did not release a lot of details.
There were other reports, however, such as the one published a week ago, on October 13th, by BlackArrow. This report detailed attempts to break into MobileIron’s MDM systems and install DDoS malware known as Kaiten.
Unfortunately, it did not end there. Earlier today, the United States’ National Security Agency (NSA) announced to the world that the flaw known as CVE-2020-15505 — the most dangerous of the three flaws discovered by Tsai — is among the top 25 flaws ever exploited by Chinese state-backed hackers.
In other words, it appears that Chinese state-sponsored hacking groups have been using this bug (alongside others) to break into all kinds of internet-connected systems. After securing a foothold in such systems, they would then launch attacks on companies’ internal networks.
The most dangerous bug of the year
Given everything that has happened, it is imperative for any company that uses MobileIron’s MDM solutions to patch them immediately. Not doing so leaves them open to hacking attacks that could cause massive complications.
However, considering the fact that there are over 20,000 firms that use MDM, there are likely going to remain plenty of firms that will fail to heed the warning once again.
As a result, CVE-2020-15505 might be one of the most dangerous vulnerabilities of the year, if not THE most dangerous one.
However, researchers warn that even patching is only half of the job companies need to do to protect themselves. The other half is performing security audits of the MDM solutions, as well as of internal networks and even mobile devices.
CVE-2020-15505 is only an entry point, and there is no telling whether hackers used it to enter companies’ systems without triggering an alarm, leave something behind, and then withdraw. In other words, anyone who failed to apply the patch when it was first released is now at risk and has a lot of internal cleaning up to do.