Threat Actor: Unknown
Victim: ServiceNow Users
Price: N/A
Exfiltrated Data Type: Database credentials, usernames, and metadata
Key Points:
- Three critical vulnerabilities (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) disclosed by ServiceNow allow unauthenticated remote code execution.
- Active exploitation attempts detected, primarily targeting finance and government sectors.
- Approximately 42,000 exposed instances are vulnerable, with over 6,000 sites actively exploited.
- Attackers used a proof-of-concept to exploit vulnerabilities, accessing sensitive ServiceNow data.
- Weak patch management and outdated systems contributed to the severity of the exploitation.
- Initial Access Brokers are monetizing stolen credentials from compromised ServiceNow instances.
ServiceNow recently disclosed three critical vulnerabilities (CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178) affecting multiple Now Platform versions, allowing unauthenticated remote code execution and unauthorized file access.
The vulnerabilities, with CVSS scores ranging from 6.9 to 9.3, pose significant risks of data theft, system compromise, and operational disruption.
Active exploitation attempts by foreign threat actors targeting both private and public sector organizations were detected and mitigated, highlighting the severity of the issue.
ServiceNow instances, numbering approximately 300,000 globally and concentrated primarily in the US, UK, India, and EU, represent a significant target for remote probing.
While access restrictions vary, their widespread adoption in enterprise environments confirms ServiceNow as a prevalent platform for digital workflow management.
Additional search engine data indicates between 13,300 and 23,000 network hosts as potential targets, emphasizing the broad attack surface available to adversaries for network mapping and reconnaissance.
Adversaries exploit vulnerabilities in popular applications before patches are applied, selecting enterprise targets identified through search engine scans. These scanning services use proprietary bots and tools to catalogue web servers, applications, and network devices, and the resulting data serves as valuable intelligence for attackers.
Three critical ServiceNow vulnerabilities enabled unauthenticated remote code execution on nearly 42,000 exposed instances.
While patches exist, active exploitation attempts targeting over 6,000 sites, predominantly in finance, have been observed.
Attackers leverage these vulnerabilities to test for remote code execution and exfiltrate database credentials.
Researchers have developed detection methods and automated tools to identify vulnerable systems, highlighting the critical need for prompt patching and robust security measures to prevent data breaches and unauthorized access.
Upon the public disclosure of vulnerability details, multiple threat actors initiated aggressive scanning campaigns to identify exploitable ServiceNow instances.
Leveraging a publicly released proof-of-concept as a catalyst, adversaries focused on exploiting CVE-2024-4879, a critical vulnerability enabling unauthenticated remote code execution.
By chaining title injection, template injection bypass, and filesystem filter bypass, attackers accessed ServiceNow data.
Network sensors observed probing requests that checked for the vulnerability before any payload was injected; the attackers validated the responses by looking for the result of a specific multiplication, which confirms that the exploit attempt succeeded.
Attackers exploited a vulnerability in login.do to inject malicious code. The first payload retrieved the path to the database configuration file, potentially revealing database details.
The second payload queried the “sys_user” table and attempted to dump usernames and passwords. While most passwords were hashed and remained secure, leaked usernames and other metadata could aid attackers in further reconnaissance.
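The probing pattern described above (a template expression containing an arithmetic check against login.do, followed by a request referencing the user table) leaves a recognizable trace in ordinary web-server access logs. The following Python is an added illustration, not code from the original report or from Resecurity, of how a defender can scan such logs for it. It assumes Apache/NGINX combined log format; the addresses, timestamps, parameter names and log lines are constructed for the example, and the actual parameters used by the published exploit chain are not reproduced.

```python
"""Scan access logs for template-injection probes against ServiceNow's login.do.

Added example (not part of the original report). Assumes combined log format and
treats a template-expression marker carrying an arithmetic expression (the classic
"does the server evaluate this?" probe) as the primary indicator. Sample data below
is constructed; parameter names are placeholders, not the real exploit's parameters.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Template-expression probe: ${7*7}, #{7*7} or {{7*7}} style. The embedded
# arithmetic is what distinguishes a probe from an ordinary parameter value.
PROBE_RE = re.compile(r'(?:\$\{|#\{|\{\{)\s*(?P<a>\d+)\s*\*\s*(?P<b>\d+)\s*\}')

# A parameter value on the login page has no business naming the user table.
TABLE_RE = re.compile(r'\bsys_user\b', re.IGNORECASE)

# Constructed sample log (not captured traffic). Line 3 is double-encoded on
# purpose; line 5 is a legitimate admin view that must NOT be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2024:08:14:02 +0000] "GET /login.do?sysparm_goto_url=%2Fhome.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2024:08:15:41 +0000] "GET /login.do?probe_param=%24%7B7*191%7D HTTP/1.1" 200 4871 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jul/2024:08:15:43 +0000] "GET /login.do?probe_param=%2524%257B3*3%257D HTTP/1.1" 200 4871 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jul/2024:08:16:10 +0000] "POST /login.do?probe_param=table%3Dsys_user HTTP/1.1" 200 9023 "-" "python-requests/2.31"
203.0.113.22 - - [12/Jul/2024:08:17:00 +0000] "GET /sys_user_list.do?sysparm_query=active%3Dtrue HTTP/1.1" 200 17311 "-" "Mozilla/5.0"
"""


def decode_value(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so single- and double-encoded probes both surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for a suspicious login.do request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/login.do'):
        return None
    reasons, expected = [], None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_value(raw)  # parse_qsl already decoded once; handle a second layer
        probe = PROBE_RE.search(value)
        if probe:
            a, b = int(probe.group('a')), int(probe.group('b'))
            expected = a * b  # the value an analyst would look for in the response body
            reasons.append(f'template arithmetic probe in parameter {name!r}')
        if TABLE_RE.search(value):
            reasons.append(f'user table referenced in parameter {name!r}')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'time': m.group('time'), 'status': m.group('status'),
            'reasons': reasons, 'expected_probe_result': expected}


def scan_log(text: str):
    """Scan a whole log and return one finding per suspicious line, in order."""
    return [f for f in (inspect_line(line) for line in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Access logs record only the request, so `expected_probe_result` is there to be compared against response captures or WAF logs: a response body containing that product is the success confirmation the report describes. Restricting the check to `login.do` keeps ordinary administrative views of the user table (line 5 of the sample) out of the alert stream.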
A recently disclosed vulnerability in a popular enterprise application was actively exploited within a week of its release, targeting diverse organizations globally.
Attackers successfully compromised energy, data centers, government, and software development entities, demonstrating the vulnerability’s widespread impact.
According to Resecurity, poor patch management and outdated systems exacerbated the issue. While the collected data suggests potential cyberespionage, timely patch releases mitigated further damage.
Threat actors are actively targeting enterprise applications like ServiceNow on the Dark Web, seeking compromised access to IT service desks and corporate portals.
Initial Access Brokers (IABs) capitalize on poor network hygiene by monetizing stolen credentials and harvesting data through infostealers.