
Redazione RHC : 1 December 2025 22:59
Security researchers have discovered a sophisticated exploit campaign that leverages a private out-of-band application security testing (OAST) service hosted on Google Cloud infrastructure. The campaign primarily targets systems in Brazil and exploits over 200 common vulnerabilities (CVEs).
OAST endpoints typically help attackers confirm that an exploit for command execution, server-side request forgery (SSRF), or deserialization actually fired, because the vulnerable target makes a callback to an endpoint the attacker controls. Most attackers use publicly available OAST services such as toast.fun and interact.sh, but the operators of this campaign ran a private domain called i-sh.detectors-testing.com.
VulnCheck’s Canary threat intelligence system detected approximately 1,400 exploit attempts related to this infrastructure between October 12 and November 14, 2025. This unusual private OAST configuration clearly distinguishes it from typical scanning activity.
All observed attack traffic came from Google Cloud IP addresses located in the United States. The identified scanning IPs include: 34.172.194.72, 35.194.0.176, 34.133.225.171, 34.68.101.3, 34.42.21.27, and 34.16.7.161.
A dedicated OAST host, 34.136.22.26, runs the Interactsh service on ports 80, 443, and 389. Hosting on Google Cloud provides a tactical advantage: defenders rarely block traffic from large cloud providers outright, so attack traffic blends in easily with legitimate network communications.
Although VulnCheck deploys Canary globally, this campaign only targeted systems located in Brazil. AbuseIPDB reports show that the same attacker IP addresses have also been reported in Serbia and Turkey, but VulnCheck's data confirms that the campaign was aimed exclusively at Brazilian targets.
The attackers ran Nuclei with a mix of templates, including older versions that are no longer maintained in the official repository. For example, the attack used the obsolete grafana-file-read template, a YAML template that was removed from the nuclei-templates repository in October 2025.
This suggests that the attackers may have used outdated tooling or a third-party scanner bundle.
The attack also used a custom payload. The attacker exposed an open directory on port 9000 containing a modified TouchFile.class file, designed to exploit a vulnerability in Fastjson 1.2.47.
Unlike the standard Vulhub build, this custom payload could execute arbitrary commands and initiate HTTP requests based on parameters. Evidence suggests the attack infrastructure has been operational since at least November 2024, demonstrating unusual persistence.
While most scanners quickly replace their infrastructure, this attacker has maintained a stable presence over the long term.
This attack highlights how attackers are using open-source scanning tools like Nuclei to spread exploit payloads at scale across the internet.
They don't mind leaving traces, as long as they can quickly identify vulnerable targets. To counter such persistent threats, organizations should monitor network traffic for unusual OAST callbacks, block known malicious IP addresses, and ensure exposed systems are promptly updated.
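As an added example of the monitoring the article recommends (not code from the original article or from VulnCheck), the following Python applies the indicators published above to a constructed log feed: it flags internal hosts resolving subdomains of an OAST domain (the callback a successful exploit produces), egress to the dedicated Interactsh host, inbound requests carrying an OAST URL, and inbound traffic from the listed scanning IPs. The log format and sample lines are constructed for the example, and the OAST domain list is illustrative rather than a complete catalogue of public providers.

```python
import re

# Indicators taken from the article; the OAST domain list is illustrative only.
OAST_DOMAINS = ("interact.sh", "i-sh.detectors-testing.com")
SCANNER_IPS = {"34.172.194.72", "35.194.0.176", "34.133.225.171",
               "34.68.101.3", "34.42.21.27", "34.16.7.161"}
OAST_HOST = "34.136.22.26"

# Constructed log format (hypothetical, not a real product's schema):
#   <ts> <dns|http|conn> src=<ip> dst=<ip> [qname=<name>] [uri=<path+query>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|http|conn) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: qname=(?P<qname>\S+))?(?: uri=(?P<uri>\S+))?$")

def is_oast_name(name: str) -> bool:
    """True when name is an OAST domain or any subdomain of one (random labels included)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in OAST_DOMAINS)

def classify(line: str):
    """Return a verdict string for one log line, or None if nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if f["kind"] == "dns" and f["qname"] and is_oast_name(f["qname"]):
        return "oast-dns-callback"      # internal host resolving an OAST name
    if f["kind"] == "conn" and f["dst"] == OAST_HOST:
        return "oast-host-egress"       # egress to the dedicated Interactsh host
    if f["kind"] == "http" and f["uri"] and any(d in f["uri"].lower() for d in OAST_DOMAINS):
        return "oast-url-in-request"    # exploit attempt carrying a callback URL
    if f["src"] in SCANNER_IPS:
        return "known-scanner-source"   # inbound from the campaign's scanning IPs
    return None

def scan_log(lines):
    """Return (line_number, verdict, line) for every line matching an indicator."""
    hits = []
    for n, raw in enumerate(lines, 1):
        verdict = classify(raw.strip())
        if verdict:
            hits.append((n, verdict, raw.strip()))
    return hits

# Constructed sample log: two benign lines, four that should be flagged.
SAMPLE_LOG = [
    "2025-11-01T10:00:01Z http src=34.172.194.72 dst=10.0.0.5 uri=/index.php?u=http://k3j2.i-sh.detectors-testing.com/",
    "2025-11-01T10:00:02Z dns src=10.0.0.5 dst=10.0.0.53 qname=k3j2.i-sh.detectors-testing.com",
    "2025-11-01T10:00:03Z conn src=10.0.0.5 dst=34.136.22.26",
    "2025-11-01T10:00:04Z http src=34.16.7.161 dst=10.0.0.7 uri=/login",
    "2025-11-01T10:00:05Z dns src=10.0.0.9 dst=10.0.0.53 qname=www.example.com",
    "2025-11-01T10:00:06Z conn src=10.0.0.9 dst=192.0.2.10",
]

if __name__ == "__main__":
    for n, verdict, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {line}")
```

The DNS rule is the most reliable signal: a callback resolves a random label under the OAST domain only after the payload has executed, so a match there indicates a successful exploit rather than a mere scan.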
Redazione