PatchNow: ServiceNow Critical RCE Bugs Under Active Exploit

July 29, 2024 at 04:55PM

A threat actor claims to have acquired email addresses and hashes from over 105 breached ServiceNow databases by exploiting two critical vulnerabilities, CVE-2024-4879 and CVE-2024-5217. The U.S. CISA has added the bugs to its Known Exploited Vulnerabilities catalog, and attacks are expected to escalate. ServiceNow has issued hotfixes for the flaws. In-the-wild attacks have targeted various organizations, including critical infrastructure and financial institutions. It is estimated that there are over 297,700 vulnerable ServiceNow instances. Organizations that cannot patch immediately are advised to prioritize basic security measures in the meantime. Organizations running self-hosted MID servers should also review their exposure to these vulnerabilities.

Key takeaways from the meeting notes about the recent ServiceNow vulnerabilities and related exploitation include:

1. A threat actor on BreachForums is claiming to have obtained email addresses and associated hashes from over 105 ServiceNow databases after exploiting two recently disclosed critical vulnerabilities in the cloud-based IT service management platform.
2. The vulnerabilities in question, CVE-2024-4879 and CVE-2024-5217, have high CVSS scores and allow for unauthenticated remote code execution.
3. The US Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its list of known exploited vulnerabilities, urging federal civilian executive branch agencies to apply patches by August 19.
4. Resecurity’s HUNTER threat team has warned of active exploitation and observed the BreachForums member offering the harvested data for sale at $5,000.
5. The attacks on ServiceNow instances have been targeted at organizations including energy companies, data-center organizations, government agencies, and financial institutions, with some victims unaware of the patches or using outdated instances.

These notes highlight the critical nature of the vulnerabilities and the need for affected organizations to apply patches promptly, as well as the potential risks involved in using self-hosted MID servers. It’s clear that heightened security measures, such as tightening access controls and increasing monitoring, are crucial for organizations unable to immediately patch their systems.
