Heimdal

Threat actors are using publicly available exploits to chain together ServiceNow flaws and infiltrate government organizations and commercial companies in data theft campaigns.

Security researchers monitored the malicious activity and identified multiple victims, including government agencies, data centres, energy providers, and even software development firms.

Even though the company fixed the vulnerabilities with security upgrades on July 10, 2024, tens of thousands of systems may still be open to intrusion.

ServiceNow is a widely adopted cloud-based platform that helps organizations manage digital workflows for enterprise operations. It is used by companies across various industries, including public sector organizations, healthcare, financial institutions, and large enterprises.

Details About the Exploitation

On July 10, 2024, ServiceNow made hotfixes available for CVE-2024-4879, a major (CVSS score: 9.3) input validation flaw that allows unauthorised users to execute code remotely on various Now Platform versions.

The following day, July 11, the researchers who had found the issue released a comprehensive report covering CVE-2024-4879 and two more ServiceNow vulnerabilities (CVE-2024-5178 and CVE-2024-5217) that can be chained with it for complete database access.

Working exploits based on the write-up, along with mass network scanners for CVE-2024-4879, quickly flooded GitHub, and threat actors almost instantly used them to identify susceptible instances.

The operation uses a payload injection to check for a specific result in the server response, followed by a second-stage payload that checks the database contents.

If successful, the attacker dumps user lists and account credentials. Most of the credentials were hashed, but some breached instances exposed plaintext credentials.

Due to ServiceNow's large number of clients and the general buzz on underground forums about its flaws, there is high interest in the cybercrime community in exploiting the vulnerabilities.

All three vulnerabilities were fixed by ServiceNow earlier this month with distinct bulletins for CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.

Users are advised to verify that the patch has been applied on all instances by checking against the patched versions listed in the advisories, and to apply it as soon as possible if it has not.

Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
