ServiceNow under attack

Multiple threat actors are attempting to exploit three newly discovered vulnerabilities in ServiceNow (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) to steal data from a range of targets, including an energy company, a data center company, and a Middle Eastern government agency. Chained together, the three might provide full access to Now Platform databases and to MID Servers – proxy servers between cloud-hosted ServiceNow instances and enterprise networks. Between 13,000 and 42,000 Internet-exposed instances are at risk.

Mitigate it

Apply Tenable plugin ID 114376; enforce the Check Point IPS rule “ServiceNow Server-Side Template Injection”; limit access to the instance with an IP whitelist so that only authorized IP addresses can reach it.
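The third mitigation above, restricting the instance to an allowlist of source addresses, is simple to state but easy to get wrong in practice (IPv6 ranges, malformed addresses, a proxy in front of the instance). The following Python example is added here and is not code from the digest or from ServiceNow; it evaluates constructed access-log lines in a hypothetical combined-log format against an allowlist of CIDR ranges, failing closed on anything that does not parse as an IP address.

```python
"""Source-IP allowlist triage for an Internet-exposed instance.

Added example, not the digest's or ServiceNow's own code.  The log lines,
the log format and the allowlist below are constructed; the IP ranges are
RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
import re

# Hypothetical access-log layout: "<client-ip> - - [<timestamp>] "<request>" <status>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def build_allowlist(cidrs):
    """Parse the CIDR strings once; a malformed entry is a configuration
    error and should abort rather than silently allow or deny everything."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip_text, allowlist):
    """Fail closed: a source that is not a parseable IPv4/IPv6 address is
    denied, as is any address outside every allowed range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


def triage(log_lines, cidrs):
    """Split the client addresses seen in the log into (allowed, denied),
    preserving log order.  Lines that do not match the format are skipped."""
    allowlist = build_allowlist(cidrs)
    allowed, denied = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bucket = allowed if is_allowed(m["ip"], allowlist) else denied
        bucket.append(m["ip"])
    return allowed, denied


# Constructed sample data: one corporate egress range and one IPv6 range.
ALLOWED_CIDRS = ["203.0.113.0/24", "2001:db8::/32"]

SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jul/2024:10:01:02 +0000] "GET /api/now/table/incident HTTP/1.1" 200',
    '198.51.100.23 - - [30/Jul/2024:10:01:03 +0000] "GET /login.do HTTP/1.1" 200',
    '2001:db8:1::5 - - [30/Jul/2024:10:01:04 +0000] "GET /nav_to.do HTTP/1.1" 200',
    'not-an-ip - - [30/Jul/2024:10:01:05 +0000] "GET / HTTP/1.1" 400',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    ok, blocked = triage(SAMPLE_LOG, ALLOWED_CIDRS)
    print("allowed:", ok)   # ['203.0.113.7', '2001:db8:1::5']
    print("denied: ", blocked)  # ['198.51.100.23', 'not-an-ip']
```

If a load balancer or reverse proxy sits in front of the instance, the address fed to `is_allowed` must be the one the trusted proxy observed, not a client-supplied header, otherwise the allowlist can be bypassed by anyone who can set that header.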

Multiple threat groups exploit an ESXi vulnerability

A new vulnerability in ESXi hypervisors (CVE-2024-37085), patched last week, is now being exploited by ransomware groups to gain admin privileges on ESXi hosts. Attackers with sufficient AD privileges can recreate the ESXi admin group in Active Directory after it has been deleted, and the hypervisor grants its members full administrative access. So far, the threat groups using the vulnerability are Black Basta, which targeted a North American engineering firm; Storm-0506, a Black Basta-associated group that gained initial access by exploiting a Windows CLFS vulnerability (CVE-2023-28252); Scattered Spider (aka UNC3944), known for the MGM hack; the Chinese Storm-1175 (aka UNC5604), which deploys the Akira ransomware; and the long-established Manatee Tempest (aka EvilCorp), a group mostly targeting banks and financial institutions.

Mitigate it

Manually deny access to the “ESX Admins” group by changing settings on the ESXi hypervisor; track the Defender for Endpoint alert “Suspicious modifications to ESX Admins group”.
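The Defender alert named above watches for changes to the “ESX Admins” group; the same signal can be raised from domain controller audit logs by any SIEM. The following Python example is added here and is not code from the digest, from Microsoft or from VMware. It flags creation, deletion, membership changes and renames involving a group with that name, using the standard Windows Security audit event IDs for group lifecycle events (4727/4731/4754 created, 4730/4734/4758 deleted, 4728/4732/4756 member added, 4781 account renamed); the `key=value;` record format and the events themselves are constructed for the example.

```python
"""Detect Active Directory changes to the "ESX Admins" group.

Added example, not from the digest or from any vendor.  The event IDs are the
standard Windows Security audit IDs for group lifecycle events; the record
format and the sample events below are constructed.
"""
from dataclasses import dataclass

# Standard Windows Security audit event IDs (global / local / universal groups).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_DELETED = {4730, 4734, 4758}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = {4781}  # covers renaming an existing group into "ESX Admins"

# ESXi treats members of a group with this name as administrators; match
# case-insensitively because AD group names are not case-sensitive.
WATCHED_GROUP = "esx admins"


@dataclass
class Alert:
    event_id: int
    action: str
    subject: str   # the account that made the change
    group: str


def parse_event(line):
    """Parse one constructed 'Key=Value; Key=Value' record into a dict."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def detect(lines):
    """Return an Alert for every event touching the watched group.  A deletion
    is reported too: recreating the group after its deletion is the step that
    hands out ESXi admin rights, so the deletion is the earliest warning."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        try:
            eid = int(ev.get("EventID", ""))
        except ValueError:
            continue  # not an event record; skip
        group = ev.get("TargetGroup", "")
        new_name = ev.get("NewName", "")
        subject = ev.get("Subject", "?")
        hits_group = group.lower() == WATCHED_GROUP

        if eid in GROUP_CREATED and hits_group:
            alerts.append(Alert(eid, "group created", subject, group))
        elif eid in GROUP_DELETED and hits_group:
            alerts.append(Alert(eid, "group deleted", subject, group))
        elif eid in MEMBER_ADDED and hits_group:
            member = ev.get("Member", "?")
            alerts.append(Alert(eid, f"member {member} added", subject, group))
        elif eid in ACCOUNT_RENAMED and new_name.lower() == WATCHED_GROUP:
            alerts.append(Alert(eid, f"group renamed from {group}", subject, new_name))
    return alerts


# Constructed sample events: a delete-then-recreate sequence, a member add,
# an unrelated group creation, and a rename into the watched name.
SAMPLE_EVENTS = [
    "EventID=4730; Subject=CORP\\helpdesk1; TargetGroup=ESX Admins",
    "EventID=4727; Subject=CORP\\svc_backup; TargetGroup=esx admins",
    "EventID=4728; Subject=CORP\\svc_backup; TargetGroup=ESX Admins; Member=CORP\\jdoe",
    "EventID=4727; Subject=CORP\\admin; TargetGroup=Finance Users",
    "EventID=4781; Subject=CORP\\svc_backup; TargetGroup=Temp Group; NewName=ESX Admins",
    "this line is not an event record",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.event_id}] {alert.action}: {alert.group} by {alert.subject}")
```

Running it over the sample yields four alerts (the deletion, the recreation, the member add and the rename) and ignores the unrelated "Finance Users" group and the malformed line. In production the same rule should also fire on membership changes made by accounts that are not expected to manage virtualization groups, which the `subject` field makes easy to add.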

2021 UK Electoral Commission hack: unpatched ProxyShell flaws

The UK disclosed that the 2021 data breach at the country’s Electoral Commission was the result of Exchange Server 2016 instances left unpatched against the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). A Chinese state actor (APT40 and/or APT31) successfully chained the three flaws to deploy webshells and install backdoors, gaining access to the information of 40 million British citizens. A patch had been available no less than three months before the attack took place.

A new exploited flaw in Acronis

Nine months after a patch was released, threat actors are actively exploiting a vulnerability (CVE-2023-45249) in Acronis Cyber Infrastructure (ACI), including to install cryptominers. ACI is a multi-tenant cyber protection platform that offers storage, compute, and virtualization capabilities. Exploitation might allow attackers to run arbitrary code, and is apparently enabled by the use of default passwords.

Azure outage: a result of a DDoS attack?

The eight-hour outage of many Azure services was the result of a DDoS attack on Microsoft. Moreover, due to an implementation bug, Microsoft’s DDoS protection mechanism amplified the impact of the incident rather than mitigating it. According to Microsoft, a usage spike affected the performance of Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components, leading to the suspension of several services: Azure App Service, Application Insights, IoT Central, Log Search Alerts, Azure Policy, the Azure portal and Microsoft 365.

Unprecedented 75M USD ransom has been paid

A new report shows that last year saw an 18% increase in the number of ransomware attacks, and claims that a Fortune 50 company paid a record-breaking 75 million USD ransom to Dark Angels in early 2024. Dark Angels is a group targeting corporations with derivatives of the Babuk ransomware for Windows and of RagnarLocker for ESXi servers. Furthermore, the report lists last year’s vulnerabilities most exploited by ransomware groups: the flaws in ScreenConnect (CVE-2024-1708/9), in Cisco ASA and FTD (CVE-2020-3259), in Cisco VPN (CVE-2023-20269) and in Citrix NetScaler (CVE-2023-4966, CVE-2023-3519).

Zero-day detection and mitigation time

Another report, investigating more than 600 companies affected by data breaches during the past year, shows that the mean detection time for zero-days (183 days) is shorter than for other initial access methods, such as compromised credentials or phishing attacks. However, once identified, a zero-day vulnerability generally takes longer to mitigate (69 days) than an intrusion by other means.
