New Attacks Exploit Year-old ServiceNow Flaws – Israel Hit Hardest


ServiceNow vulnerability alert: Hackers are actively exploiting year-old flaws (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) for database access. Learn how to protect your systems.

Security researchers at threat intelligence firm GreyNoise have issued a warning regarding a significant increase in malicious activity targeting three previously disclosed vulnerabilities in ServiceNow, a cloud-based platform that helps organizations automate and manage their digital workflows.

These vulnerabilities, identified as CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, were initially disclosed by Assetnote’s security researcher Adam Kues on 14 May 2024 and promptly patched by ServiceNow the same day.

Despite the availability of patches, GreyNoise has observed a “resurgence of in-the-wild activity” aimed at exploiting these flaws. This surge in attack attempts has involved a significant number of unique IP addresses, with activity detected within the past 24 hours. Specifically, 36 threat IPs targeted CVE-2024-5178, while 48 threat IPs each targeted CVE-2024-4879 and CVE-2024-5217, according to GreyNoise’s blog post.

Geographically, the majority of observed malicious activity, exceeding 70% of sessions in the past week, has been directed at systems located in Israel. However, targeted systems have also been detected in Lithuania, Japan, and Germany, with only Israel and Lithuania seeing activity within the most recent 24-hour period. This geographical concentration suggests the possibility of a targeted campaign.

CVE-2024-4879 is a template injection vulnerability. Template injection vulnerabilities occur when user-supplied input is inserted into a template engine without proper sanitization. In the context of ServiceNow, this could allow attackers to inject malicious code into templates used by the platform. Successful exploitation could lead to remote code execution, meaning attackers could gain control of the server hosting the ServiceNow instance.
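To make the template injection class concrete, here is an added example (not code from the article, Assetnote or ServiceNow, and unrelated to how the Now Platform renders templates). It uses Python’s `str.format` as a stand-in template engine: when user input is used *as* the template, its placeholders are evaluated against the rendering context and can pull out attributes the developer never meant to expose; when the template is fixed and user input is only substituted as a value, the same input is rendered literally. The `ServerSettings` class and the sample values in it are constructed for the demo.

```python
"""Template injection: user input used as the template (unsafe) versus as data (safe).

Added example, not from the article or from ServiceNow. Python's str.format stands in
for a template engine; its attribute-lookup syntax is what turns a user-controlled
template string into an information leak.
"""
from dataclasses import dataclass


@dataclass
class ServerSettings:
    # Constructed sample values standing in for data a rendering context might expose.
    hostname: str = "app.example.test"
    db_password: str = "constructed-sample-secret"


def render_unsafe(user_template: str, settings: ServerSettings) -> str:
    """Vulnerable pattern: the user-supplied string *is* the template, so any
    placeholders it carries are resolved against the rendering context."""
    return user_template.format(settings=settings)


def render_safe(user_value: str, settings: ServerSettings) -> str:
    """Hardened pattern: the template is a fixed string owned by the developer and
    user input is only ever a value substituted into it, never interpreted."""
    template = "Welcome to {host}, {name}!"
    return template.format(host=settings.hostname, name=user_value)


def looks_like_template_syntax(user_value: str) -> bool:
    """Defence-in-depth input validation: flag values carrying template delimiters
    before they reach any code path that might treat them as a template."""
    return "{" in user_value or "}" in user_value


def demo() -> dict:
    """Run both renderers over a benign value and over a constructed probe value."""
    settings = ServerSettings()
    benign = "alice"
    probe = "{settings.db_password}"  # constructed input that names a context attribute
    return {
        "unsafe_benign": render_unsafe(benign, settings),
        "unsafe_probe": render_unsafe(probe, settings),   # leaks the attribute value
        "safe_probe": render_safe(probe, settings),       # rendered as literal text
        "flagged": looks_like_template_syntax(probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The fix is architectural rather than a sanitizer: templates are code and must come from the developer, while user input is data. The delimiter check is a secondary control for spotting values that should never have reached a rendering path, not a replacement for keeping the two separate.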

CVE-2024-5217 and CVE-2024-5178 both involve input validation errors, which can enable attackers to manipulate data and bypass security controls. Input validation vulnerabilities arise when applications fail to properly validate user-supplied input.

The vulnerabilities are particularly concerning because they can be chained together, as initially noted by Assetnote and reaffirmed by GreyNoise, to gain “full database access” to affected ServiceNow instances. This poses a significant risk to organizations that rely on ServiceNow to manage sensitive data, including employee information and HR records.

However, ServiceNow’s spokesperson shared the company’s statement with Hackread.com, explaining that they have not observed any customer impact from a coordinated attack campaign to date.

“Nearly a year ago, ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases. Immediately—starting the day we learned of it—we deployed a series of updates and fully addressed the issue.”

“To date, our investigations have not observed any customer impact from any attacks. We will continue to monitor the situation to best support our customers.”

ServiceNow

Nevertheless, GreyNoise recommends that organizations using ServiceNow take immediate action to mitigate the risk. This includes applying the latest security patches, restricting access to management interfaces, and monitoring for suspicious activity.

Aaron Costello, Chief of SaaS Security Research at AppOmni, emphasized that the vulnerability was severe because it allowed unauthenticated access to full databases. On-premise ServiceNow systems that had not applied the security patches were at risk, unlike cloud-hosted versions where the vendor handles updates. Implementing IP address access controls could have prevented exploitation. Costello stressed the importance of keeping up with security patches, particularly for on-premise SaaS software.
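The two controls raised above, restricting management-interface access by source IP and monitoring for requests that fall outside that restriction, can be expressed in a few lines. The following is an added example, not code from the article, GreyNoise, AppOmni or ServiceNow: the `/admin/` path prefix, the allowed CIDR ranges and the access-log lines are all constructed assumptions, and the log format is plain Apache/nginx combined style rather than anything ServiceNow-specific. The same allowlist check serves both as an enforcement decision on new requests and as a detection rule when replayed over historical logs.

```python
"""IP allowlisting for a management interface, plus detection over access logs.

Added example, not from the article or any vendor. The management path prefix,
allowed networks and sample log lines are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Assumed: the instance exposes its management interface under this path prefix.
MANAGEMENT_PREFIX = "/admin/"

# Assumed corporate ranges permitted to reach the management interface.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]

# Combined-format access log: client ip, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one allowed admin request, two admin requests from an
# address outside the allowlist, two portal requests, and one unparseable line.
SAMPLE_LOG = """\
10.20.5.7 - - [15/Apr/2025:10:00:01 +0000] "GET /admin/config HTTP/1.1" 200 512
198.51.100.23 - - [15/Apr/2025:10:00:02 +0000] "GET /admin/config HTTP/1.1" 200 512
198.51.100.23 - - [15/Apr/2025:10:00:03 +0000] "POST /admin/users HTTP/1.1" 200 88
203.0.113.9 - - [15/Apr/2025:10:00:04 +0000] "GET /portal/home HTTP/1.1" 200 2048
192.0.2.44 - - [15/Apr/2025:10:00:05 +0000] "GET /portal/home HTTP/1.1" 200 2048
not a log line
"""


def is_allowed(client_ip: str) -> bool:
    """True only if the address parses and sits inside an allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed or spoofed header value: treat as not allowed
    return any(addr in net for net in ALLOWED_NETWORKS)


def decide(client_ip: str, path: str) -> int:
    """Enforcement: HTTP status to return for a request before it reaches the app."""
    if path.startswith(MANAGEMENT_PREFIX) and not is_allowed(client_ip):
        return 403
    return 200


def parse_line(line: str):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def flag_suspicious(lines):
    """Detection: management-path requests from addresses outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser cannot read rather than failing
        if rec["path"].startswith(MANAGEMENT_PREFIX) and not is_allowed(rec["ip"]):
            hits.append(rec)
    return hits


def count_by_ip(hits) -> dict:
    """Aggregate flagged requests per source address for triage."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in flag_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(count_by_ip(flag_suspicious(SAMPLE_LOG.splitlines())))
```

Running the detection over the sample shows two admin requests from 198.51.100.23 that were answered with 200, which is exactly the gap an allowlist in front of the interface closes. Note that `is_allowed` refuses anything that does not parse as an address; if the client IP is taken from a proxy header rather than the socket, that header must come from a trusted proxy or the control is trivially bypassed.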
