About a month ago, details were published about three serious vulnerabilities in a server product used to manage mobile devices. Now several hacking groups have begun exploiting these bugs to gain access to, and control of, corporate servers, which in turn gives them a foothold inside company networks.
According to the researchers, the targets of these attacks are MDM servers from the software maker MobileIron.
MDM stands for "Mobile Device Management". MDM systems are widely used in business because they let a company manage its employees' mobile devices from a central server: system administrators can deploy certificates and applications, enforce access control lists, and remotely wipe stolen phones.
To make this possible, MDM servers must be permanently reachable from the Internet, so that the phones of employees working remotely can "check in" with the company and receive the latest policies and updates. That same exposure is what makes an MDM server an attractive target.
MobileIron MDMs: Three major vulnerabilities were discovered
In the summer, security researcher Orange Tsai discovered three major vulnerabilities in MobileIron's MDM servers. He reported the bugs to the company, which patched them in July.
However, Tsai decided not to publish details of the vulnerabilities right away, in order to give companies time to protect their systems.
Many companies do not appear to have done so. Tsai finally spoke publicly about the three vulnerabilities in September, after using one of them to break into Facebook's MDM server and move around the company's internal network. This, of course, was done as part of Facebook's bug bounty program.
PoC exploit released on GitHub
Some security researchers used the details provided by Tsai to create public proof-of-concept (PoC) exploits for CVE-2020-15505, the most dangerous of the three vulnerabilities: an unauthenticated remote code execution bug.
The PoC exploit was published on GitHub and made available to other security researchers and penetration testers. However, it also ended up in the hands of criminals.
The first wave of attacks took place in early October and was detected by researchers at RiskIQ.
RiskIQ did not provide many details about these attacks, but a report from BlackArrow, published on October 13, describes the efforts of one attacker to break into MobileIron MDM systems and install the Kaiten DDoS malware.
Cybercriminals, however, are not the only ones exploiting the bug. The US National Security Agency (NSA) listed MobileIron's CVE-2020-15505 as one of the top 25 vulnerabilities exploited by Chinese state-sponsored hackers in recent months.
The NSA said the Chinese hackers use the MobileIron flaw, together with other vulnerabilities, to gain an initial foothold on Internet-facing systems and from there access internal networks.
Companies must update their MDM servers immediately
MobileIron says it has more than 20,000 customers using its MDM solutions, including many Fortune 500 companies. This makes the vulnerability one of the most dangerous bugs of recent months.
Companies that do not update their MobileIron MDM servers may find themselves in a very difficult position.
But, according to ZDNet, patching is only part of the job. Companies must also check their MobileIron MDM servers, the mobile devices enrolled in them, and their internal networks for signs of compromise, since applying a patch does not evict an intruder who got in before it was installed. CVE-2020-15505 can be considered a "gateway bug": after exploiting it, intruders can take control of the entire MDM server and push malware to the mobile devices connected to it. They can also gain access to the company's internal network, to which the MDM server is typically connected.