Threat actors are exploiting ServiceNow vulnerabilities using publicly available exploits to breach government agencies and private firms in data theft attacks.
Incident Overview
Resecurity, after monitoring the malicious activity for a week, identified multiple victims, including government agencies, data centers, energy providers, and software development firms. Although the vendor released security updates on July 10, 2024, tens of thousands of systems potentially remain vulnerable.
Exploitation Details
ServiceNow is a cloud-based platform that helps organizations manage digital workflows for enterprise operations. It is widely adopted across various industries, including the public sector, healthcare, financial institutions, and large enterprises. FOFA internet scans show nearly 300,000 internet-exposed instances, reflecting the platform's popularity.
On July 10, 2024, ServiceNow released hotfixes for CVE-2024-4879, a critical input validation flaw (CVSS score: 9.3) that allows unauthenticated users to perform remote code execution on multiple versions of the Now Platform. The next day, on July 11, the Assetnote researchers who discovered the flaw published a detailed write-up about CVE-2024-4879 and two additional ServiceNow flaws (CVE-2024-5178 and CVE-2024-5217) that can be chained together for full database access.
Following the publication, GitHub was flooded with working exploits and bulk network scanners for CVE-2024-4879, which threat actors quickly leveraged to find vulnerable instances. Resecurity reports that ongoing exploitation involves a first-stage payload injection that checks the server response for a specific result, followed by a second-stage payload that examines the database contents. If successful, the attacker can dump user lists and account credentials. While most of these credentials are hashed, some instances exposed plaintext credentials.
Resecurity has observed elevated chatter about the ServiceNow flaws on underground forums, especially among users seeking access to IT service desks and corporate portals, indicating high interest from the cybercrime community.
Mitigation Steps
ServiceNow has issued fixes for all three vulnerabilities in separate bulletins for CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. Users are strongly advised to review the advisories and ensure that patches are applied to all instances as soon as possible to prevent exploitation.
To protect against these vulnerabilities, organizations should:
1. Apply the latest patches and hotfixes provided by ServiceNow.
2. Monitor their systems for unusual activity and potential exploitation attempts.
3. Use multi-factor authentication to enhance security.
4. Regularly review and update security protocols to ensure robust protection against emerging threats.