According to the alert, APT nation state groups and cybercriminals are actively exploiting this vulnerability to compromise the networks of organisations within the United Kingdom.
Earlier this year, in June, MobileIron, a provider of mobile device management (MDM) systems, released security updates addressing several vulnerabilities in its products. These included CVE-2020-15505, a remote code execution vulnerability rated critical. MDM systems let administrators manage an organisation's mobile devices from a central server, which makes them a valuable target for threat actors.
The NCSC is aware that Advanced Persistent Threat (APT) nation-state groups and cybercriminals are now actively attempting to exploit this vulnerability [T1190] to compromise the networks of UK organizations.
The Cybersecurity and Infrastructure Security Agency (CISA) in the US has also noted that APTs are exploiting this vulnerability in combination with the Netlogon/Zerologon vulnerability, CVE-2020-1472, within a single intrusion.
This critical vulnerability affects MobileIron Core and Connector products and could allow a remote attacker to execute arbitrary code on a system. The MobileIron website lists the following versions as affected:
- Core and Connector 10.3.0.3 and earlier
- Core and Connector 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
- Sentry versions 9.7.2 and earlier
- Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier
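The affected list above is the kind of thing that ends up in a spreadsheet and gets compared by eye, or worse, by string comparison (where "10.3.0.10" sorts before "10.3.0.3"). The following is an added example, not code from the NCSC alert or from MobileIron, that encodes the Core/Connector and Sentry entries as integer tuples and audits a constructed inventory against them. Host names, product labels and the inventory rows are invented for illustration; the RDB entry is left out of the check because its version string is formatted differently from the four-part Core builds and is easy to compare by hand.

```python
"""Check whether a MobileIron Core/Connector or Sentry build is on the
CVE-2020-15505 affected list quoted above.

Added example (not NCSC or MobileIron code). Versions are compared as
tuples of integers so that 10.3.0.10 correctly sorts AFTER 10.3.0.3; a
plain string comparison would get that backwards.
"""
from __future__ import annotations

import re

# Core and Connector: "10.3.0.3 and earlier" plus a fixed set of later builds.
CORE_CONNECTOR_AFFECTED_UP_TO = (10, 3, 0, 3)
CORE_CONNECTOR_AFFECTED_EXACT = {
    (10, 4, 0, 0), (10, 4, 0, 1), (10, 4, 0, 2), (10, 4, 0, 3),
    (10, 5, 1, 0), (10, 5, 2, 0), (10, 6, 0, 0),
}
# Sentry: "9.7.2 and earlier".
SENTRY_AFFECTED_UP_TO = (9, 7, 2)

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.3.0.3' into (10, 3, 0, 3); reject anything non-numeric."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _widen(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Pad with zeros so '10.4' compares as (10, 4, 0, 0)."""
    return v + (0,) * max(0, width - len(v))


def core_connector_affected(version: str) -> bool:
    v = _widen(parse_version(version), 4)
    return v <= CORE_CONNECTOR_AFFECTED_UP_TO or v in CORE_CONNECTOR_AFFECTED_EXACT


def sentry_affected(version: str) -> bool:
    v = _widen(parse_version(version), 3)
    return v <= SENTRY_AFFECTED_UP_TO


def audit(inventory):
    """Return the (host, product, version) rows still on an affected build.

    Unknown product labels raise rather than silently passing the audit.
    """
    checks = {
        "core": core_connector_affected,
        "connector": core_connector_affected,
        "sentry": sentry_affected,
    }
    flagged = []
    for host, product, version in inventory:
        check = checks.get(product.lower())
        if check is None:
            raise ValueError(f"unknown product {product!r} on {host}")
        if check(version):
            flagged.append((host, product, version))
    return flagged


# Constructed sample inventory (hypothetical hosts; not real data).
SAMPLE_INVENTORY = [
    ("mdm-core-01", "core", "10.6.0.0"),        # listed as affected
    ("mdm-core-02", "core", "10.6.0.1"),        # not on the list
    ("mdm-conn-01", "connector", "10.3.0.10"),  # later than 10.3.0.3
    ("mdm-conn-02", "connector", "10.2.1.1"),   # earlier than 10.3.0.3
    ("sentry-01", "sentry", "9.7.2"),           # upper bound, affected
    ("sentry-02", "sentry", "10.0.0"),          # later than 9.7.2
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"AFFECTED  {host:<12} {product:<10} {version}")
```

Run it against a real export and anything it prints is a host that still needs the June 2020 update. The check only encodes the versions the alert lists; if MobileIron extends the affected list, the tuples need updating too.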
A proof-of-concept exploit became publicly available in September 2020, and since then both hostile state actors and cyber criminals have attempted to exploit this vulnerability in the UK. These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting [T1595.002]. In some cases, where the latest updates were not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted, but others could also be affected.
Tom Davison, Technical Director – International at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes, “The interesting story here is the assertion by cybersecurity agencies in the UK (NCSC) and the US (NSA) that nation state APT groups are actively exploiting these vulnerabilities, five full months after patches were issued. Mobile Device Management servers are by definition reachable from the public internet making them opportune targets. Offering a gateway to potentially compromise every mobile device in the organization, the attraction to attackers is clear. This highlights not just the importance of patching open vulnerabilities, but also the criticality of having a dedicated mobile security capability that is distinct from device management infrastructure.”
The NCSC strongly advises that organisations refer to the MobileIron guidance referenced in this alert and ensure the necessary updates are installed in affected versions. Organisations should also keep informed of any future updates to the guidance from MobileIron.
The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this MobileIron vulnerability, the most important aspect is to install the latest updates as soon as practicable.
Additionally, the NCSC advises organisations to follow the NCSC guidance in the mitigation section at the end of its alert. UK organisations should report any compromises to the NCSC via its website.
For more information, please refer to the NCSC alert that we have linked multiple times.
WHY on earth are organisations neglecting updates and patches to their software?
Let's put it into perspective. MobileIron released security updates in June 2020 for this vulnerability, alongside other issues. The public PoC (proof of concept) surfaced in September 2020. We're now just about into December, and yet organisations are allegedly still being exploited through this vulnerability.
The end goal will inevitably be ransomware or a data breach, and, to be completely frank, organisations at this point have nobody to blame but themselves.
Deploying patches and updates should be done regularly, weekly at the very least; quite clearly that is not what is happening.
We’ll leave it at that, for now.