The UK National Cyber Security Centre (NCSC) has issued an alert confirming that Advanced Persistent Threat (APT) groups and cybercriminals are currently exploiting the MobileIron remote code execution vulnerability, CVE-2020-1550, to compromise the networks of UK companies. Attacks have been conducted on local government, healthcare organizations, and companies in the logistics and legal sectors, and there have been several cases where the vulnerability has been successfully exploited to gain network access.
The flaw is present in MobileIron mobile device management (MDM) systems, which are used to remotely manage mobile devices: performing updates, installing apps, and changing device settings from a central location, usually via an admin console on a server. Because MDM servers are publicly accessible, they are an attractive target for hackers. The MobileIron vulnerability allows hackers to remotely execute commands on an MDM server without having to authenticate.
The flaw was discovered in March by Orange Tsai, who reported the vulnerability to MobileIron. A patch correcting the flaw was released in June 2020; however, many users of the vulnerable MDM system have been slow to apply it, even though a proof-of-concept exploit for the vulnerability was released on GitHub in September. State-sponsored APT groups have been exploiting the flaw since September to gain access to the networks of high-profile targets, and cybercriminal groups have been conducting attacks on a wide range of companies.
NCSC is urging all users of vulnerable MobileIron versions to apply the patches immediately.
The vulnerable versions are:
- 3.0.3 and earlier
- 4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
- Sentry versions 9.7.2 and earlier
- Monitor and Reporting Database (RDB) version 220.127.116.11 and earlier
The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert about the vulnerability, noting that it is being exploited by Chinese APT actors in combination with the Netlogon/Zerologon vulnerability, CVE-2020-1472.