Hackers are stepping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances, security researchers warned this week.
Threat intelligence startup GreyNoise said in a blog post Tuesday that it observed a “salient revival of wild activity” targeting three ServiceNow vulnerabilities tracked as CVE-2024-4879, CVE-2024-5178 and CVE-2024-5217.
The vulnerabilities were first disclosed by Assetnote researchers in May 2024 and were patched by ServiceNow in July 2024.
GreyNoise said all three flaws had seen a resurgence in targeted exploitation attempts over the past week. While it is not clear what is behind this latest wave of targeting, GreyNoise says that 70% of the malicious activity it has observed over the past week targeted Israel-based systems, with activity also seen in Germany, Japan and Lithuania.
As Assetnote first pointed out last year, GreyNoise also confirms that the vulnerabilities can be chained together for “full database access” to affected ServiceNow instances. Organizations often use the ServiceNow platform to host sensitive data about their employees.
ServiceNow spokesperson Erica Faltous told TechCrunch that the company first learned of the vulnerabilities “almost a year ago.”
Following Assetnote's disclosure of the flaws last year, a US security company warned that foreign threat actors had tried to exploit the three ServiceNow vulnerabilities to target both private-sector organizations and government agencies around the world.
The company said it saw targeted attempts against energy companies, data center organizations, Middle East government agencies and software developers.
Cybersecurity firm Imperva released another report in July 2024, warning that it had observed exploitation attempts against 6,000 sites across various industries, focusing on the financial services sector.