Hackers are targeting unpatched ServiceNow instances that exploit 3 separate year-old vulnerabilities

Image Credit: Pixabay (Image credit: Pixabay)

ServiceNow fixed three flaws in May 2024, but researchers from GreyNoise saw a resurgence of abuse
The flaws can be used for full database access
Users should patch immediately to make sure they are protected

There has been a “notable resurgence” in the abuse of three concerning ServiceNow security vulnerabilities, experts are warning.

In May 2024, security researchers from Assetnote found vulnerabilities, tracked as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217, which ServiceNow patched the same day.

However, it seems that many organizations did not get the memo (which was released in July the same year, when CVEs were released as part of a coordinated effort with Assetnote), since their instances remained unpatched, and have now become a target, according to researchers from GreyNoise.

Chaining the bugs

The researchers found there has been a significant uptick in the attacks abusing these flaws, and although they couldn’t attribute the attacks to any known threat actors, they did note that almost three-quarters (70%) of the attacks targeted Israeli firms. Notable activity was also spotted in Germany, Japan, and Lithuania.

The vulnerabilities can be abused separately, but when they’re chained, they grant “full database access,” GreyNoise added, which puts vulnerable organizations at immense risk, since ServiceNow is used to handle sensitive employee information.

The attackers would inject a payload which checks for a specific result in the server response. If it gets the appropriate one, it deploys a second-stage payload that checks the contents of the database.

The last step is to dump user lists and account credentials. While most of the time the credentials are hashed, there are some examples where the credentials were dumped in plaintext.

That can lead to account compromise which, in turn, can carry devastating consequences, such as ransomware attacks.

ServiceNow is a cloud-based platform that provides enterprise IT service management (ITSM) and automation solutions.

It helps organizations streamline workflows, automate business processes, and improve efficiency across IT, HR, customer service, security, and other departments.

ServiceNow has almost 300,000 internet-exposed instances, making it quite a popular solution.

Some of its clients include Coca-Cola (uses it for streamlining IT service management), Dell (IT service automation and management), Deloitte (IT service automation and optimization), and the State of California ( managing state-wide IT services and operations).

Via TechCrunch

Several ServiceNow flaws are reportedly being linked together to attack companies and organizations
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.