Exploitation of Critical ServiceNow Flaws for Data Theft: A Rising Concern

July 25, 2024

Cybercriminals are exploiting critical Remote Code Execution (RCE) flaws in ServiceNow, a widely used cloud-based platform, to steal credentials. This malicious activity has been observed and reported by Resecurity, a cybersecurity firm. Over the course of a week, Resecurity identified several victims of these attacks, including government bodies, data centers, energy providers, and software development companies.

Despite the fact that ServiceNow released security patches for these vulnerabilities on July 10, 2024, a large number of systems potentially remain exposed to cyberattacks. ServiceNow's platform is extensively used across various sectors, including public organizations, healthcare, financial institutions, and large corporations, making it a prime target for threat actors.

On July 10, 2024, ServiceNow issued hotfixes for CVE-2024-4879, a critical input validation flaw that allows unauthenticated users to execute remote code on various versions of the Now Platform. The researchers at Assetnote, who discovered the flaw, published a comprehensive report about CVE-2024-4879 and two additional ServiceNow vulnerabilities (CVE-2024-5178 and CVE-2024-5217) on July 11. These vulnerabilities could be exploited in conjunction to gain complete access to the database.

Following the publication of this report, GitHub saw a surge in working exploits based on the Assetnote write-up. Threat actors quickly leveraged these exploits to identify vulnerable instances, according to Resecurity. The current exploitation pattern observed by Resecurity involves a two-stage payload injection process: checking for a specific result in the server's response, followed by checking the database contents. If successful, the attacker extracts user lists and account credentials.

Resecurity reports that in most instances, these credentials were hashed. However, in some instances, plaintext credentials were exposed. Resecurity has also observed an increase in discussions regarding the ServiceNow vulnerabilities on underground forums, particularly from users interested in gaining access to IT service desks and corporate portals. This suggests a high level of interest from the cybercrime community.

ServiceNow has released fixes for all three vulnerabilities earlier this month in separate bulletins for CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. Users are urged to verify the fixed version indicated on the advisories and ensure they have applied the patch on all instances. If they have not done so, they should do it as soon as possible.

Latest News

• Critical Remote Code Execution Vulnerability in Telerik Report Server: Urgent Patch Required
• Critical Docker Engine Vulnerability Bypasses Authorization Plugins
• Critical Authentication Bypass Flaw Addressed in Docker
• Cybercriminals Continue Exploiting Microsoft SmartScreen Vulnerability in Global Infostealing Campaigns
• Chinese APT Group Daggerfly Enhances Its Malware Arsenal