A month after details were published about three severe vulnerabilities in a type of server used to manage fleets of mobile devices, multiple threat actors are now exploiting these bugs to take over crucial enterprise servers and even orchestrate intrusions inside company networks.

The targets of these attacks are MDM servers from software maker MobileIron.

MDM stands for Mobile Device Management. MDM systems are used inside enterprises to let companies manage employees’ mobile devices: from a central server, system administrators can deploy certificates, apps, and access-control lists, and wipe stolen phones.

To provide these features, MDM servers need to be online all the time and reachable over the internet, so remote employees’ phones can report back to the company and get the latest updates.

Earlier this summer, a security researcher named Orange Tsai discovered three major vulnerabilities in MobileIron’s MDM solutions, which he reported to the vendor, and which the company patched in July.

But Tsai did not release in-depth details about any of the three bugs at the time, giving companies time to update their systems.

However, many did not. Tsai eventually published a detailed write-up about the three bugs in September, after he used one of the bugs to hack into Facebook’s MDM server and pivot to the company’s internal network as part of Facebook’s bug bounty program.

But Tsai’s blog post also had some unintended consequences. Other security researchers used the details in his blog to create public proof-of-concept (PoC) exploits for CVE-2020-15505, the most dangerous of the three bugs that Tsai discovered over the summer.

This PoC exploit was later released on GitHub and made available to other security researchers and penetration testers, but also to attackers.

And as has happened every time before when someone released a PoC for a dangerous bug on GitHub, attacks followed within days.

The first wave took place at the start of October and was detected by RiskIQ researchers.

Not that much is known about these attacks, as RiskIQ never went into details, but a report from BlackArrow, published on October 13, breaks down a threat actor’s attempts to hack into MobileIron MDM systems and install the Kaiten DDoS malware.

But if companies thought that getting their MDM server infected with DDoS malware was the worst thing that could happen, they thought wrong.

Today, the US National Security Agency (NSA) listed the MobileIron CVE-2020-15505 as one of the top 25 vulnerabilities exploited by Chinese state-sponsored hackers in recent months.

The NSA said Chinese threat actors have been using the MobileIron bug, along with many others, to gain an initial foothold on internet-connected systems, and then pivot to internal networks.

With MobileIron boasting that more than 20,000 companies use its MDM solutions, including many Fortune 500 companies, this vulnerability is shaping up to be one of the most dangerous security flaws disclosed this year.

With such a huge install base, MobileIron MDM servers are likely to remain under attack for the foreseeable future.

But at this point in time, patching is only half of the job. Companies must also perform security audits of their MobileIron MDM servers, their mobile devices, and internal networks.

This is because CVE-2020-15505 can be considered a gateway bug. Once exploited, intruders can use this bug to take over the entire MDM server and then deploy malware on mobile devices connected to the MDM server or access the company’s internal network, to which the MDM server is likely to be connected.

The information contained in this website is gathered from ZDNet.

Cisco today warned of attacks actively targeting the CVE-2020-3118 high severity vulnerability found to affect multiple carrier-grade routers that run the company’s Cisco IOS XR Software.

The IOS XR Network OS is deployed on several Cisco router platforms including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

The vulnerability impacts third-party white box routers and the following Cisco products if they run vulnerable Cisco IOS XR Software versions, and have the Cisco Discovery Protocol enabled both on at least one interface and globally:

Read more »

GravityRAT, a malware strain known for checking the CPU temperature of Windows computers to detect virtual machines or sandboxes, is now multi-platform spyware, as it can also be used to infect Android and macOS devices.

The GravityRAT Remote Access Trojan (RAT) has been under active development by what looks like Pakistani hacker groups since at least 2015 and has been deployed in targeted attacks against Indian military organizations.

Read more »

Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.

Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines multiple bugs.

The first security issue was found in Electron, the software framework used by the Discord desktop app. While the desktop app is not open source, the JavaScript code utilized by Electron — an open source project for creating cross-platform apps able to harness JavaScript, HTML, and CSS — was saved locally and could be extracted and examined.

Read more »

A critical stack-based buffer overflow vulnerability has been discovered in SonicWall VPNs. When exploited, it allows unauthenticated remote attackers to execute arbitrary code on the impacted devices.

Tracked as CVE-2020-5135, the vulnerability impacts multiple versions of SonicOS, run by hundreds of thousands of active VPNs.

Craig Young of Tripwire Vulnerability and Exposure Research Team (VERT) and Nikita Abramov of Positive Technologies have been credited with discovering and reporting the vulnerability.

Read more »