NCSC: Nation-State Hackers, Others Leveraging Remote Code Execution Bug
The U.K. National Cyber Security Centre is warning that nation-state actors and cybercriminals are exploiting a remote code execution vulnerability in MobileIron’s mobile device management tool to target organizations in the country.
The remote code execution vulnerability, tracked as CVE-2020-15505, affects certain versions of the company’s Core and Connector administrative portals, the NCSC alert notes. If exploited, an attacker can run arbitrary code and gain access to a targeted organization’s network.
The company released a patch for the vulnerability in June, according to the NCSC, the public-facing arm of the U.K. intelligence service GCHQ, which stresses the urgency of applying the patch. In a blog post, MobileIron notes that between 90% and 95% of its customers have applied the fix.
“These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting,” the NCSC states. “In some cases, when the latest updates are not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted, but others could also be affected.”
In October, the U.S. Cybersecurity and Infrastructure Security Agency warned that hacking groups were chaining together vulnerabilities, including the MobileIron flaw and the Zerologon bug in Windows Server, to target local government networks (see: Hackers Chaining ‘Zerologon,’ Other Vulnerabilities).
In September, security researcher Orange Tsai, who first spotted the MobileIron vulnerability, claimed that he could hack Facebook accounts using the vulnerability.
The researcher posted a blog with proof-of-concept details about exploiting the vulnerability. Other hackers then began to perform web injection attacks to install Kaiten, a distributed denial-of-service malware, according to security researchers at Black Arrow.
In October, the U.S. National Security Agency warned that Chinese-linked hacking groups were exploiting the MobileIron bug along with 24 other vulnerabilities as part of several cyberespionage campaigns designed to steal sensitive intellectual property as well as economic, political and military data (see: NSA: Chinese Hackers Exploiting 25 Vulnerabilities).
The NSA warned that Chinese hackers targeted the U.S. Defense Department as well as America’s national security systems and the defense industry, using these vulnerabilities as launching pads into networks. The NSA also noted that many of these vulnerabilities were found in remote access or web service tools that are easily accessible from the internet.
Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, said on Twitter that the MobileIron vulnerability has also been exploited by ransomware gangs.
Yeah the MobileIron one is hot, somebody published an exploit and now the ransomware peeps are walking in to orgs. https://t.co/Y1hc2yNujZ
— Kevin Beaumont (@GossiTheDog) October 10, 2020
In addition to applying the patch from MobileIron, the NCSC says organizations should take other risk mitigation steps, including:
- Detecting and preventing lateral movement in networks and deploying a host-based intrusion detection system;
- Setting up a security monitoring capability for collecting data that will be needed to analyze network intrusions;
- Restricting intruders’ ability to move freely across systems and networks;
- Paying close attention to potentially vulnerable entry points, such as third-party systems with access to core network assets.