Governance & Risk Management , IT Risk Management , Next-Generation Technologies & Secure Development

Hackers Exploit MobileIron Flaw

NCSC: Nation-State Hackers, Others Leveraging Remote Code Execution Bug
Hackers Exploit MobileIron Flaw

The U.K. National Cyber Security Center is warning that nation-state actors and cybercriminals are exploiting a remote vulnerability in MobileIron's mobile device management tool to target organizations in the country.

See Also: August Spotlight | Automated Threat Intelligence Correlation

A remote code vulnerability tracked as CVE-2020-15505 affects certain versions of the company's Core and Connector administrative portals, the NCSC alert notes. If exploited, an attacker can run arbitrary code and gain access to a targeted organization's network.

The company released a patch for the vulnerability in June, according to NCSC - the public-facing arm of U.K. intelligence service GCHQ, which stresses the urgency of applying the patch. In a blog post, MobileIron notes that beween 90% and 95% of its customers have applied the fix.

"These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting," the NCSC states. "In some cases, when the latest updates are not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted, but others could also be affected."

In October, the U.S. Cybersecurity and Infrastructure Security Agency warned that hacking groups were chaining together vulnerabilities, including the MobileIron flaw and the Zerologon bug in Windows Server, to target local government networks (see: Hackers Chaining 'Zerologon,' Other Vulnerabilities)

The Discovery

In September, security researcher Orange Tsai, who first spotted the MobileIron vulnerability, claimed that he could hack Facebook accounts using the vulnerability.

The researcher posted a blog with proof-of-concept details about exploiting the vulnerability. Other hackers then began to perform web injection attacks to install Kaiten - distributed-denial-of-service malware - according to security researchers at Black Arrow.

In October, the U.S. National Security Agency warned that Chinese-linked hacking groups were exploiting the MobileIron bug along with 24 other vulnerabilities as part of several cyberespionage campaigns designed to steal sensitive intellectual property as well as economic, political and military data (see: NSA: Chinese Hackers Exploiting 25 Vulnerabilities).

The NSA warned that Chinese hackers targeted the U.S. Defense Department as well as America's national security systems and the defense industry, using these vulnerabilities as launching pads into networks. The NSA also noted that many of these vulnerabilities were found in remote access or web service tools that are easily accessible from the internet.

Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, said on Twitter that the MobileIron vulnerability has also been exploited by ransomware gangs.


In addition to applying the patch from MobileIron, NCSC says organizations should take other risk mitigation steps, including:

  • Detecting and preventing lateral movement in networks and deploying a host-based intrusion detection system;
  • Setting up a security monitoring capability for collecting data that will be needed to analyze network intrusions;
  • Restricting intruders' ability to move freely across systems and networks;
  • Paying close attention to potentially vulnerable entry points, such as third-party systems with access to core network assets.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.