Recent reports indicate that hackers have been taking advantage of two vulnerabilities in the popular ServiceNow tools to steal confidential data. In May, Assetnote experts informed ServiceNow about three serious vulnerabilities that could potentially expose organizations’ important data. They are identified as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.
Shortly after the public report by Assetnote, a proof-of-concept exploit was published, attracting the attention of hackers who actively began attempting to exploit the vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) highlighted that the hackers were specifically focusing on CVE-2024-4879 and CVE-2024-5217. CISA has included these vulnerabilities in its catalog and has set a deadline for federal agencies to address the issues by August 19.
Cybersecurity researchers have observed hacker attempts to exploit the vulnerabilities in ServiceNow systems over the past two weeks. Reports suggest that between 13,000 and 42,000 systems could potentially be compromised, with a majority being in the USA, Great Britain, India, and the European Union.
The vulnerabilities provide attackers with full access to databases, the ability to navigate through systems, and the ability to extract data. Resecurity has been closely monitoring the activities of foreign cybercriminals attempting to extract data from private companies and government institutions globally, despite some successful containment efforts.
Various organizations worldwide have been impacted by these attacks, including an energy company, a government agency in the Middle East, and a software development company. Some of these organizations were unaware of the available patches and were using outdated or unsupported systems.
Furthermore, there have been over 6,000 attempted exploitations of the vulnerabilities across different industries, particularly in the financial sector, where automated tools are used to compromise system entry points. On the darknet, hackers are seeking compromised access to IT services, corporate portals, and systems that provide remote access to employees and contractors. Resecurity has also raised concerns about the activities of initial access brokers (IABs), who breach systems and then sell access to other cybercriminals.