ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
- Rescana
- Mar 22

Executive Summary
This advisory concerns the exploitation of vulnerabilities in ServiceNow, a widely used cloud-based platform for automating digital workflows. Three key vulnerabilities, CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, have been identified and exploited, with Israel being significantly impacted. This report examines these vulnerabilities, their impact, and recommended mitigation strategies.
Impact Assessment
The exploitation of these ServiceNow vulnerabilities has predominantly impacted Israel, with additional reports of attacks in Lithuania, Japan, and Germany. The vulnerabilities allow threat actors to gain unauthorized access, potentially leading to data breaches and operational disruptions. Organizations relying on ServiceNow for sensitive data management are at heightened risk, with over 70% of malicious activities targeting Israeli systems.
Threat Actor Details
GreyNoise has observed a resurgence in malicious activity exploiting these vulnerabilities. While specific threat actors have not been publicly named, the coordinated nature of the attacks suggests the involvement of sophisticated cybercriminal groups, possibly with geopolitical motivations.
Technical Details and IOCs
CVE-2024-4879 is a template injection vulnerability that enables remote code execution through unsanitized user input in template engines. CVE-2024-5217 and CVE-2024-5178 involve input validation errors, which can be exploited to manipulate data and bypass security controls, potentially granting full database access. Indicators of Compromise (IOCs) include unusual authentication attempts, unauthorized data access logs, and unexpected server behavior.
Affected Systems and Services
The vulnerabilities affect ServiceNow instances that have not been updated with the latest security patches. Both cloud-hosted and on-premise versions of ServiceNow are susceptible, with a higher risk for on-premise systems due to delayed patch implementations.
Timeline of Events
The vulnerabilities were initially disclosed in early 2023, with patches provided by ServiceNow shortly thereafter. Despite this, exploitation activities surged in late 2023, particularly in Israel, indicating delayed patch application or insufficient security measures by affected organizations.
Prioritized Mitigation Steps
Organizations should immediately apply all available patches from ServiceNow to close the security gaps. Implementing IP address access controls and limiting access to management interfaces are crucial steps. Continuous monitoring for suspicious activities and potential exploitation attempts is also recommended.
Detection Methods
Detection involves monitoring for anomalies in user sessions, unexpected data exports, and authentication logs. Employing intrusion detection systems to identify unusual patterns indicative of exploitation attempts can aid in early detection and response.
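The sketch below is an added example, not Rescana's or ServiceNow's code. It turns the signals named above (authentication anomalies, unexpected data exports, template-style input) and the IP access control from the mitigation steps into checks over log records. The record layout, allowlist range, thresholds and marker list are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import unquote

# Assumptions, not from the advisory: the allowlisted range, both thresholds,
# the marker list and the record layout "ts src_ip user action status detail".
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
FAILED_LOGIN_THRESHOLD = 3      # failed logins from one source before alerting
EXPORT_ROW_THRESHOLD = 10_000   # rows in one export before alerting
TEMPLATE_MARKERS = ("${", "{{", "<%", "#{")  # generic template delimiters

# Constructed sample records (documentation IP ranges); not real ServiceNow logs.
SAMPLE_LOG = """\
2025-03-20T08:00:01Z 10.20.4.7 alice login ok -
2025-03-20T08:01:10Z 203.0.113.50 admin login fail -
2025-03-20T08:01:11Z 203.0.113.50 admin login fail -
2025-03-20T08:01:12Z 203.0.113.50 admin login fail -
2025-03-20T08:01:15Z 203.0.113.50 admin login ok -
2025-03-20T08:05:00Z 10.20.4.9 bob export ok rows=250000
2025-03-20T08:06:00Z 10.20.4.9 bob export ok rows=40
2025-03-20T08:07:30Z 198.51.100.23 - request ok title=%24%7Bexpr%7D
"""

def outside_allowlist(ip):
    return not any(ip in net for net in ALLOWED_NETS)

def analyze(log_text):
    """Return (finding, subject, timestamp) tuples in log order."""
    findings, failed = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, action, status, detail = line.split(maxsplit=5)
        ip = ipaddress.ip_address(src)
        if action == "login" and status == "fail":
            failed[ip] += 1
            if failed[ip] == FAILED_LOGIN_THRESHOLD:  # alert once per source
                findings.append(("auth_burst", src, ts))
        elif action == "login" and outside_allowlist(ip):
            findings.append(("login_outside_allowlist", user, ts))
        elif action == "export" and detail.startswith("rows="):
            if int(detail[5:]) >= EXPORT_ROW_THRESHOLD:
                findings.append(("large_export", user, ts))
        elif action == "request":
            decoded = unquote(detail)  # decode %-escapes before matching
            if any(marker in decoded for marker in TEMPLATE_MARKERS):
                findings.append(("template_marker", src, ts))
    return findings
```

Calling `analyze(SAMPLE_LOG)` returns four findings. The marker check is a generic heuristic for template-expression syntax in request parameters, not a signature for any of the CVEs.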
References and Advisories
Further information and updates can be found in the GreyNoise Blog Post on ServiceNow Vulnerabilities and the HackRead Article: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest. The National Vulnerability Database (NVD) provides detailed entries for the vulnerabilities: CVE-2024-4879.
About Rescana
Rescana's Third Party Risk Management (TPRM) platform assists organizations in identifying and mitigating risks associated with third-party services like ServiceNow. By providing continuous monitoring and risk assessments, Rescana enables proactive management of cybersecurity threats. For further inquiries, please contact us at ops@rescana.com.