Attackers have been observed chaining multiple ServiceNow vulnerabilities to break into businesses and organizations and steal user login credentials.
Cybersecurity researchers at Resecurity reported on an input validation vulnerability that allows threat actors to perform unauthenticated remote code execution (RCE) on several versions of the Now Platform. The flaw is now tracked as CVE-2024-4879 and carries a CVSS severity score of 9.3.
Shortly after, researchers from Assetnote found two more flaws, tracked as CVE-2024-5178 and CVE-2024-5217, and published a write-up explaining how the three could be chained in an attack, BleepingComputer reported. Exploitation followed quickly: Resecurity says that after a week of monitoring the flaws it had identified multiple victims, including government agencies, data centers, software development companies, and others.
Login Credential Theft
Attackers first inject a probe payload and check the server response for a specific result. If the expected result comes back, the instance is exploitable, and they deploy a second-stage payload that verifies the contents of the database. The final step dumps user lists and account credentials. Most of the dumped credentials are encrypted, but in some cases they were dumped in plaintext. Either way, this can lead to account compromise, which in turn can have devastating consequences, such as ransomware attacks.
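The three-stage pattern described above (small probe, larger verification response, then a bulk dump from the same client against the same endpoint) is something a defender can look for in web access logs. The following Python script is an added example written for this page, not code from Resecurity, Assetnote or ServiceNow. It parses Combined Log Format lines, groups 200 responses by client, and flags a same-path sequence whose response sizes escalate from a tiny probe to a dump-sized body within a short window. The sample log lines, the `sysparm_probe` parameter name, the size thresholds and the Jelly/Glide template markers it treats as a high-confidence signal are all assumptions of the example; the page itself does not name the template syntax or any request parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed access-log sample in Combined Log Format. Invented for this example:
# not real ServiceNow logs, and the query parameter carries no working payload.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2024:09:00:01 +0000] "GET /login.do?sysparm_probe=%3Cj%3Ajelly HTTP/1.1" 200 181 "-" "curl/8.0"
203.0.113.7 - - [11/Jul/2024:09:00:04 +0000] "GET /login.do?sysparm_probe=%3Cj%3Ajelly HTTP/1.1" 200 2210 "-" "curl/8.0"
203.0.113.7 - - [11/Jul/2024:09:00:09 +0000] "GET /login.do?sysparm_probe=%3Cj%3Ajelly HTTP/1.1" 200 184302 "-" "curl/8.0"
198.51.100.20 - - [11/Jul/2024:09:01:10 +0000] "GET /navpage.do HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
198.51.100.20 - - [11/Jul/2024:09:01:15 +0000] "GET /incident_list.do HTTP/1.1" 200 38800 "-" "Mozilla/5.0"
198.51.100.20 - - [11/Jul/2024:09:02:30 +0000] "GET /sys_report_template.do HTTP/1.1" 200 120500 "-" "Mozilla/5.0"
192.0.2.33 - - [11/Jul/2024:09:05:00 +0000] "GET /login.do HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Markers of the Jelly/Glide template syntax. Seeing them in a query string is the
# high-confidence signal; treating them as the indicator is an assumption of this example.
INJECTION_MARKERS = ("<j:jelly", "<g:evaluate", "xmlns:j=")


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    url = m.group("url")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": url.split("?", 1)[0],
        "query": unquote(url.partition("?")[2]),  # decoded so %3C matches "<"
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def has_injection_marker(req):
    """True if the decoded query string contains a template-injection marker."""
    q = req["query"].lower()
    return any(marker in q for marker in INJECTION_MARKERS)


def find_staged_dumps(lines, window=timedelta(minutes=10), probe_max=512, dump_min=50_000):
    """Flag clients whose same-path 200 responses escalate probe -> verify -> dump.

    A chain starts at a response no larger than probe_max, grows strictly in size
    with each later request to the same path inside the window, and is reported if
    it has at least three stages and the last body is at least dump_min bytes.
    """
    by_client = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req and req["status"] == 200:
            by_client[req["ip"]].append(req)

    findings = []
    for ip, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, probe in enumerate(reqs):
            if probe["size"] > probe_max:
                continue
            chain = [probe]
            for nxt in reqs[i + 1:]:
                if nxt["ts"] - probe["ts"] > window:
                    break
                if nxt["path"] == probe["path"] and nxt["size"] > chain[-1]["size"]:
                    chain.append(nxt)
            if len(chain) >= 3 and chain[-1]["size"] >= dump_min:
                findings.append({
                    "ip": ip,
                    "path": probe["path"],
                    "stages": [r["size"] for r in chain],
                    "marker": any(has_injection_marker(r) for r in chain),
                })
                break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_staged_dumps(SAMPLE_LOG.splitlines()):
        print(f)
```

The size-escalation heuristic on its own is a triage aid rather than a signature; a legitimate user who opens a small page and then exports a large report can trip it. The `marker` field is what turns a hit into something worth escalating, and the thresholds should be tuned to the instance's normal response sizes before the script is run over real logs.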
ServiceNow is a cloud-based enterprise solution for managing digital workflows. According to BleepingComputer, it has nearly 300,000 instances exposed to the internet, making it a fairly popular solution. Some of its customers include Coca-Cola (which uses it to streamline IT service management), Dell (IT service automation and management), Deloitte (IT service automation and optimization), and the State of California (which manages IT services and operations across the state).
The fix for the vulnerabilities was released on July 10, 2024, but at the time of publication many organizations appear not to have applied it. Administrators are advised to install the fix immediately on every instance they operate, not just production.