MDM Compromise and Cerberus Malware Attack

So, what’s been trending in the cybersecurity realm that has security architects mashing their keyboards and keeping CISOs awake at night lately? Have you heard of the new Malware-as-a-Service business model employed by the Cerberus remote access Trojan for Android devices? The new twist is that recently, a compromised corporate mobile device management (MDM) system was used to deliver apps containing malicious exploits to infect 75% of all managed Android devices, according to Check Point Software’s recent security research article.

The research article doesn’t state specifically how the MDM system was compromised other than a multinational conglomerate was targeted in the attack. Any number of threat vectors could have been used to attack the server externally if it resided on-premises or in a multi-tenant public cloud service. If a perimeter firewall and intrusion detection and prevention system were not in place or properly configured, then an external breach could occur.

If the server operating system and MDM system weren’t sufficiently hardened, and the attached network wasn’t routinely penetration tested by both the company’s Red Team and the MDM vendor’s security engineering team, then common web vulnerabilities could have been used to exploit the server and take control of the MDM system. Exploits like SQL injections, cross-site scripting (XSS) and/or cross-site request forgery (XSRF) attacks, directory traversal, broken authentication and session management, just to start.

We speculate that the most likely scenario is the attack came from inside the company and was executed by a disgruntled employee. Or the corporate network was breached externally by state-sponsored threat actors using advanced persistent threats (APT) since a multinational conglomerate was reportedly targeted.

In the research article, it states that once the server was compromised, two malicious apps were configured within the MDM system to silently install onto managed Android devices.

The malicious exploit starts with the user being bombarded constantly with a fake message to update the Accessibility Service on the device. Once the user accepts the update, the exploit is granted an elevation of privileges (EoP) to the Accessibility Service, which then is the launching pad for all the really bad things that are itemized below to start happening on the managed device.

The exploit begins by installing the command-and-control listener on port 8888, and provides access to a Russian-based IP address. Once the command-and-control to the device was established from a remote mothership server, the threat actors executed the Mobile Remote Access Trojan (MRAT) spyware to harvest and steal credentials including two-factor authentication (2FA) from Google Authenticator. Cerberus’ long list of additional exploit capabilities is akin to a criminal’s rap sheet!

  • Take screenshots
  • Record audio
  • Record keystrokes
  • Send, receive, and delete SMS messages
  • Steal contact lists
  • Forward calls
  • Collect device information
  • Track device location
  • Steal account credentials
  • Disable Google Play Protect
  • Download additional apps and payloads
  • Remove apps from the infected device
  • Push notifications
  • Lock device's screen
  • Difficult to remove from the infected device

In order to take control back to managing and securing your managed corporate devices, and getting a good night’s sleep again, our security recommendations are as follows:

  1. Harden the operating system and apps for your server.
  2. Physically and virtually lockdown the network and data center where your MDM system resides.
  3. Frequently penetration test your apps and network.
  4. Limit the number of MDM administrator roles granted. Assign the least privilege to other roles.
  5. Audit trail log all system access and configuration changes made. The syslog server should be hosted external to the MDM system.
  6. Don't use passwords or PINs for authentication.
  7. Employ strong multi-factor authentication (MFA) to all your servers, clients, apps, and network access.
  8. Distribute managed and approved apps using the Managed Google Play Store for Android devices, and Apple Business Manager for iOS and iPadOS devices.
  9. Use a mobile threat defense product like MobileIron Threat Defense with MobileIron UEM. MTD’s on-device machine learning detection engine that is bundled with our UEM client would detect the malicious exploits living inside the managed apps as soon as they were installed onto the mobile device. MTD is automatically activated during enrollment and registration to MobileIron UEM.

MobileIron also partners with Check Point for their Sandblast Mobile product for mobile threat prevention. The referenced security research article states that their solution would have detected the malware also.

James Saturnio

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.

Rich Festante

Technical Marketing Engineer at MobileIron