Cybercriminals Use Interactsh Tool for Vulnerability Validation

Diving into details

• According to Unit 42 researchers, the abuse of Interactsh was ongoing since mid-April. In fact, the tool’s misuse had begun just two days after its launch on April 16.
• The tool allows anyone to generate specific URLs for testing on HTTP attempts and DNS queries, which help them test whether an exploit is successful.
• Interactsh is meant to validate security flaws using real-time monitoring on the trace path for the domain and can be used by researchers as well as hackers.

Additional insights

• Researchers developing a PoC for an exploit can insert Interactsh to check if the PoC is working. Hackers can use it to ensure if an exploit is working or not.
• Moreover, the Interactsh URLs using DNS queries were mostly found to be located in the U.K, Ecuador, and the U.S.
• Additionally, malicious Interactsh activities peaked in June.

The exploited CVEs in attacks

• Some of these flaws are tracked as CVE-2021-31755, CVE-2020-28871, CVE-2020-25223, CVE-2020-8813, and CVE-2020-7247.
• According to Unit 42, "Each unique Interactsh URL can be thought of as a C2. Most of the exploits for the same CVEs are using multiple randomly generated Interactsh domains and scanning on different host sides."

Conclusion