Like other web technologies designed for legitimate use, the Interplanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized manner has become a powerful new weapon for cyberattacks.
This week, researchers from Cisco Talos reported that multiple malicious campaigns were observed leveraging IPFS to host phishing kits and malware payloads. For many attackers, IPFS has become a bulletproof hosting provider that is virtually immune to attacks, Talos said. The problem for defenders is complicated by the fact that IPFS is often used for legitimate purposes. As such, distinguishing between benign and malicious IPFS activity is another challenge, security vendors say.
“Organizations should be familiar with these new technologies and how threat actors can use them to defend against new technologies that use them,” Talos said in a report summarizing the threats.
This marks at least the second time in recent months that researchers have warned that IPFS is a hotbed of cybercriminal activity.
In July, Trustwave’s SpiderLabs noted how its researchers identified more than 3,000 emails with phishing URLs hosted in IPFS over a three-month period. Phishing pages it observed on IPFS included those that spoofed Microsoft Outlook login pages, Google domains, and cloud storage services such as Filebase.io and nftstorage.link. “Phishing has taken a leap forward by leveraging the concept of IPFS’s decentralized cloud services,” Trustwave said. The increasing use of IPFS by many file storage, web hosting and cloud services companies means attackers have more flexibility to create new phishing URLs that cannot be easily blocked, security vendors said.
IPFS is a peer-to-peer file sharing system launched by Protocol Labs in 2015. The network is designed to allow decentralized storage of content. Content stored in IPFS is mirrored across multiple nodes or systems participating in the network. Individuals and others can use IPFS to store different types of data, including web pages, files, NFTs, and documents.
Resources stored on IPFS are assigned unique identifiers. Users can use the identifier to access content through IPFS clients or gateways, which are similar to gateways for accessing content on the Tor network. Since content is mirrored on IPFS, it is always available even if one node fails.
This makes IPFS an attractive option for hosting phishing kits and malware for cybercriminals. Since content on IPFS does not have static IP addresses, it cannot be blocked using standard IP blocking and blacklisting mechanisms. Likewise, shutting down nodes that contain phishing pages and malware does little to neutralize the threat because the content is mirrored across multiple nodes. There is also no central authority on IPFS that law enforcement or security vendors can contact to take down phishing or malware distribution sites.
In one example of how attackers can abuse IPFS, Talos points to a phishing campaign in which victims receive an email with an attached PDF purporting to be associated with the DocuSign document signing service . When users click the “View Documentation” link, they are directed to a web page that appears to be a legitimate Microsoft authentication page, but is actually a credential collection page hosted on the IPFS network.
In cases where the IPFS gateway might identify the requested resource as malicious and block access, an attacker would only need to change the IPFS gateway used to retrieve the content, Talos said.
Phishing isn’t the only threat
Phishing pages aren’t the only threat. More and more attackers are also leveraging peer-to-peer networks to distribute malicious payloads.
In one campaign observed by Talos researchers, attackers sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When running, the downloader will access the IPFS gateway and retrieve the second stage malware payload hosted on the peer-to-peer network. The attack chain ends with the Agent Tesla remote access Trojan being dropped on the victim system.
Talos researchers also discovered a destructive disk-wiping malware tool and a full-featured information stealer called Hannabi Grabber, hosted in IPFS nodes.
“Many new Web3 technologies have recently emerged in an attempt to provide valuable functionality to users,” Talos said in the report. “As these technologies continue to be used more for legitimate purposes, they also begin to be exploited by adversaries.”
The researchers expect this trend to gain momentum as more threat actors realize that IPFS is resilient to content moderation and removal efforts.
“Organizations should understand how these emerging technologies are being actively used in threat environments and assess how best to implement security controls to prevent or detect successful attacks in their environment,” the vendor said.