Cybercriminals are known to turn open-source tools to their own nefarious purposes. Recently, researchers observed active exploits abusing an open-source service called Interactsh.
Diving into details
Experts spotted some exploits using the same domain name with different subdomains in their malicious payloads.
According to Unit 42 researchers, the abuse of Interactsh was ongoing since mid-April. In fact, the tool’s misuse had begun just two days after its launch on April 16.
The tool allows anyone to generate unique URLs and then observe the HTTP requests and DNS queries made to them, which helps the user test whether an exploit attempt succeeded.
Interactsh is meant to validate security flaws by monitoring, in real time, the interactions that reach its domain, and it can be used by researchers as well as hackers.
Researchers developing a PoC for an exploit can insert an Interactsh URL to check whether the PoC works. Hackers can use it the same way to confirm whether an exploit is working.
Moreover, the Interactsh URLs seen in DNS queries were mostly found to be located in the U.K., Ecuador, and the U.S.
Additionally, malicious Interactsh activities peaked in June.
The exploited CVEs in attacks
Interactsh has been actively used, via ISPs and organization networks, in simple command-injection exploits for certain flaws.
According to Unit 42, "Each unique Interactsh URL can be thought of as a C2. Most of the exploits for the same CVEs are using multiple randomly generated Interactsh domains and scanning on different host sides."
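As an added example (not part of the original article or of the Interactsh project), the following Python script shows how a defender could act on the observation above: treat every callback hostname under a watched Interactsh domain as a C2-style indicator, scan DNS query logs and web-request logs for such hostnames, and flag sources that touch several distinct randomly generated subdomains, which is the scanning pattern Unit 42 describes. The log line formats, the sample events and the `oast-callback.example` entry are constructed; `interact.sh` is listed as the project's public default server domain, and the whole watchlist is an assumption to be replaced with the domains actually observed in your environment. The function names are mine.

```python
import re
from collections import defaultdict

# Assumed watchlist of out-of-band callback domains. "interact.sh" is the
# Interactsh project's public default server domain; "oast-callback.example"
# is a constructed placeholder standing in for a self-hosted instance.
WATCHED_DOMAINS = ("interact.sh", "oast-callback.example")

# Matches a hostname, optionally preceded by a URL scheme, anywhere in a line.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

# Constructed sample events in an assumed "<timestamp> <source> <event>" format:
# resolver query logs first, then web-server request logs with decoded payloads.
SAMPLE_EVENTS = [
    "2021-06-02T10:00:01Z 203.0.113.7 query c8ouhm3jk1l2v3w4x5y6.interact.sh A",
    "2021-06-02T10:00:03Z 203.0.113.7 query n5qj2p9r0s1t2u3v4w5x.interact.sh A",
    "2021-06-02T10:00:04Z 203.0.113.7 query a1b2c3d4e5f6g7h8i9j0.interact.sh A",
    "2021-06-02T10:01:00Z 198.51.100.3 query www.example.org A",
    "2021-06-02T10:02:11Z 203.0.113.9 GET /api/fetch?url=http://z9y8x7w6v5u4t3s2r1q0.interact.sh/",
    "2021-06-02T10:02:12Z 203.0.113.9 GET /api/fetch?url=http://k1j2h3g4f5d6s7a8p9o0.oast-callback.example/",
    "2021-06-02T10:03:00Z 198.51.100.3 GET /index.html",
]


def watched_suffix(host):
    """Return the watched domain that `host` sits under, or None.

    The match is label-aware: "x.interact.sh" matches, "interact.sh.evil.net" does not.
    """
    host = host.lower().rstrip(".")
    for dom in WATCHED_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def extract_hosts(text):
    """Pull every hostname-looking token out of a log line or request payload."""
    return [m.group(1) for m in HOST_RE.finditer(text)]


def parse_event(line):
    """Split a constructed-format event into (timestamp, source, remainder)."""
    parts = line.split()
    return parts[0], parts[1], " ".join(parts[2:])


def detect(lines):
    """Map each source to the sorted set of watched callback hostnames it touched.

    Sources that never referenced a watched domain are omitted.
    """
    seen = defaultdict(set)
    for line in lines:
        _, src, rest = parse_event(line)
        for host in extract_hosts(rest):
            if watched_suffix(host):
                seen[src].add(host.lower().rstrip("."))
    return {src: sorted(hosts) for src, hosts in seen.items()}


def scanning_sources(hits, min_distinct=3):
    """Sources that used at least `min_distinct` different callback subdomains.

    One callback is worth a ticket; several distinct random subdomains from one
    source is the multi-CVE scanning pattern described in the article.
    """
    return sorted(src for src, hosts in hits.items() if len(hosts) >= min_distinct)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for src, hosts in hits.items():
        print(f"{src}: contacted {len(hosts)} watched callback name(s)")
        for h in hosts:
            print(f"    {h}")
    print("likely scanning sources:", scanning_sources(hits))
```

The watchlist is applied as a suffix match on DNS and web logs rather than as a block rule, which fits the situation the article describes: when a callback domain is on an allowlist, visibility into who resolved it, and how many distinct subdomains they resolved, is the control that still works.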
The abuse of the Interactsh tool shows how open-source tools meant for researchers can be turned against defenders. Moreover, traffic generated by open-source tools is sometimes hard to block because their domains are whitelisted. Therefore, organizations must be aware of the potential misuse of Interactsh and take proper security measures.