InterPlanetary File System Increasingly Weaponized for Phishing, Malware Delivery

Published: 23/11/2024   Category: security


Cyberattackers like IPFS because it is resilient to content blocking and takedown efforts.



As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.
Researchers from Cisco Talos this week reported observing multiple malicious campaigns leveraging the IPFS to host phishing kits and malware payloads. For many attackers, the IPFS has become the equivalent of a bulletproof hosting provider that is mostly impervious to takedown efforts, Talos said. Complicating matters for defenders is the fact that the IPFS is often used for legitimate purposes. So, differentiating between benign and malicious IPFS activity is another challenge, the security vendor said.
Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them, Talos said in a report summarizing the threat.
This marks at least the second time in recent months that researchers have sounded the alarm on IPFS becoming a hotbed of cybercrime activity.
In July, Trustwave's SpiderLabs noted how its researchers had identified more than 3,000 emails with phishing URLs hosted in the IPFS in a three-month period. Phishing pages that it observed on the IPFS included those that spoofed Microsoft Outlook login pages, Google domains and cloud storage services such as Filebase.io and nftstorage.link. Phishing techniques have taken a leap by utilizing the concept of decentralized cloud services using IPFS, Trustwave said. The growing use of IPFS by many file storage, Web hosting, and cloud service companies means that attackers have a lot more flexibility in creating new phishing URLs that cannot be easily blocked, the security vendor said.
IPFS is a peer-to-peer file sharing system that Protocol Labs launched in 2015. The network is designed to allow decentralized storage of content. Content stored in the IPFS is mirrored across multiple nodes, or systems that participate in the network. Individuals and others can use IPFS to store different types of data including webpages, files, NFTs, and documents.
Resources stored on the IPFS are assigned unique identifiers. Users can employ the identifier to access the content via IPFS clients or gateways, which play a role similar to gateways for accessing content on the Tor network. Because content is mirrored on IPFS, it remains available even if one node goes down.
This has made the IPFS an attractive option for hosting phishing kits and malware for cybercriminals. Because content on the IPFS does not have a static IP address, it cannot be blocked using standard IP blocking and blacklisting mechanisms. Similarly, taking down a node containing phishing pages and malware does little to neutralize a threat because the content is mirrored across multiple nodes. There is also no central authority on the IPFS that law enforcement or security vendors can contact to take down a phishing or malware distributing site.
In an example of how attackers are abusing IPFS, Talos pointed to a phishing campaign in which victims receive an email with an attached PDF that purports to be associated with the DocuSign document signing service. When a user clicks on the Review Document link, they are directed to a webpage that appears to be a legitimate Microsoft authentication page but is really a credential-harvesting page hosted on the IPFS network.
In situations where an IPFS gateway might recognize the resource being requested as malicious and block access, attackers simply change the IPFS gateway that is used to retrieve the content, Talos said.
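As an added illustration (not code from the Talos or Trustwave reports) of how a defender can act on the two points above, that IPFS content is addressed by an identifier rather than a host, and that attackers rotate gateways when one blocks them: the content identifier (CID) is the same whichever gateway serves it, so proxy-log detection and blocking can key on the CID instead of the gateway hostname. The gateway names, log lines and CID-shaped strings below are constructed for the example.

```python
import re
from urllib.parse import urlparse

# CID shapes: CIDv0 is "Qm" + 44 base58 chars; CIDv1 base32 (lowercase) starts with "b".
CID_RE = re.compile(r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58})")
URL_RE = re.compile(r"url=(\S+)")

# Constructed, CID-shaped sample identifiers (not real content, not from the report).
CID_V0 = "Qm" + "Test1234" * 5 + "Test"
CID_V1 = "bafy" + "sample2test" * 5

# Constructed proxy-log lines: one phishing page fetched via three different gateways
# (path style and subdomain style), one other IPFS object, one unrelated URL.
SAMPLE_LOGS = [
    f"2024-11-23T10:01:02Z user=alice url=https://gw1.example/ipfs/{CID_V1}/login.html",
    f"2024-11-23T10:02:11Z user=bob url=https://gw2.example/ipfs/{CID_V1}/login.html",
    f"2024-11-23T10:03:45Z user=carol url=https://{CID_V1}.ipfs.gw3.example/login.html",
    f"2024-11-23T10:04:59Z user=dave url=https://gw1.example/ipfs/{CID_V0}/",
    "2024-11-23T10:05:30Z user=erin url=https://example.com/docs/report.pdf",
]

def extract_ipfs_cid(url: str):
    """Return the CID if the URL reaches IPFS content through any gateway, in path
    style (<gateway>/ipfs/<cid>/...) or subdomain style (<cid>.ipfs.<gateway>/...)."""
    parsed = urlparse(url)
    parts = parsed.path.split("/")
    if len(parts) > 2 and parts[1] == "ipfs" and CID_RE.fullmatch(parts[2]):
        return parts[2]
    # netloc keeps the original case; parsed.hostname would lowercase a base58 CID
    labels = parsed.netloc.split("@")[-1].split(":")[0].split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.fullmatch(labels[0]):
        return labels[0]
    return None  # not an IPFS gateway URL

def group_by_cid(log_lines: list) -> dict:
    """Key IPFS fetches by CID, so one phishing page is recognised as the same object
    no matter which gateway served it (attackers rotate gateways when one blocks)."""
    by_cid: dict = {}
    for line in log_lines:
        m = URL_RE.search(line)
        cid = extract_ipfs_cid(m.group(1)) if m else None
        if cid:
            by_cid.setdefault(cid, []).append(line)
    return by_cid

def blocked_fetches(log_lines: list, blocked_cids: list) -> list:
    """Log lines whose CID is on a blocklist, regardless of the gateway used."""
    groups = group_by_cid(log_lines)
    return [line for cid in blocked_cids for line in groups.get(cid, [])]
```

Blocking on the CID catches all three fetches of the same page in the sample, while a hostname blocklist would have needed three separate entries and missed the next gateway the attacker switched to.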
Phishing pages are not the only threat. A growing number of attackers are also leveraging the peer-to-peer network to distribute malicious payloads.
In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim's system.
Talos researchers also found a destructive, disk-wiping malware tool and a full-featured information-stealer called Hannabi Grabber hosted in IPFS nodes.
Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users, Talos said in the report. As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well.
The researchers expect the trend to gain momentum as more threat actors realize the IPFS is resilient to content moderation and takedown efforts.
Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments, the vendor said.