



Like other web technologies designed for legitimate use, the InterPlanetary File System (IPFS), a peer-to-peer network for storing and accessing content in a decentralized manner, has become a powerful new weapon for cyberattacks.

This week, Cisco Talos researchers reported observing multiple malicious campaigns leveraging IPFS to host phishing kits and malware payloads. According to Talos, for many attackers IPFS has become the equivalent of a bulletproof hosting provider that is largely immune to takedowns. Complicating the problem for defenders is the fact that IPFS is often used for legitimate purposes, so differentiating between benign IPFS activity and malicious IPFS activity is another challenge, the security vendor says.

In its threat summary report, Talos said, “Organizations must become familiar with these new technologies and how threat actors are using them in order to defend against attacks that use them.”

Growing threat

It’s at least the second time in recent months that researchers have sounded the alarm that IPFS is becoming a hotbed for cybercriminal activity.

In July, Trustwave’s SpiderLabs noted that its researchers had identified more than 3,000 emails containing phishing URLs hosted on IPFS in a three-month period. Phishing pages seen on IPFS included spoofed Microsoft Outlook login pages, Google domains, and cloud storage services such as Filebase.io and nftstorage.link. “Using the concept of distributed cloud services using IPFS has revolutionized phishing technology,” Trustwave said. According to the security vendor, this means attackers have a lot more flexibility in crafting new phishing URLs that cannot easily be blocked.

IPFS is a peer-to-peer file sharing system launched by Protocol Labs in 2015. The network is designed to allow distributed storage of content: content stored in IPFS is mirrored across multiple nodes, or systems, participating in the network. Users can store different types of data on IPFS, such as web pages, files, NFTs, and documents.

Resources stored in IPFS are assigned unique identifiers. A user can use the identifier to access content through an IPFS client or through a gateway, much as a gateway can be used to access content on the Tor network. Because content is mirrored across IPFS, it remains available even if one node goes down.

This makes IPFS an attractive option for cybercriminals hosting phishing kits and malware. IPFS content does not have a static IP address, so it cannot be blocked using standard IP blocking and blacklisting mechanisms. Similarly, taking down a node containing a phishing page or malware is unlikely to neutralize the threat, because the content is mirrored across multiple nodes. IPFS also has no central authority that law enforcement and security vendors can contact to take down phishing and malware distribution sites.

As an example of attackers abusing IPFS, Talos cited a phishing campaign in which victims received emails with PDF attachments purporting to be associated with the DocuSign document signing service. The “Review Document” link in the PDF takes the user to a web page that looks like a legitimate Microsoft authentication page but is actually a credential harvesting page hosted on the IPFS network.

According to Talos, if a particular IPFS gateway recognizes the content as a malicious resource and blocks access to it, the attacker simply switches to a different IPFS gateway to retrieve the same content.
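Because the content identifier stays the same when an attacker moves between gateways, a defender gets more durable detection by keying on the identifier than on the gateway host. The following is an added illustration of that idea, not code from the article or from Talos; the gateway hostnames, log lines and content identifiers are constructed placeholders, and the identifier patterns are a simplification covering only the common "Qm..." (CIDv0) and base32 "b..." (CIDv1) forms.

```python
import re
from urllib.parse import urlparse

# Simplified content-identifier patterns (assumption: CIDv0 base58btc "Qm" + 44 chars,
# and CIDv1 base32 lowercase starting with "b"; other multibase encodings are not matched).
CID_RE = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})"
PATH_GATEWAY_RE = re.compile(rf"^/ipfs/({CID_RE})(?:/|$)")      # https://host/ipfs/<cid>/...
SUBDOMAIN_GATEWAY_RE = re.compile(rf"^({CID_RE})\.ipfs\.")        # https://<cid>.ipfs.host/...
NATIVE_RE = re.compile(rf"^ipfs://({CID_RE})")                    # ipfs://<cid>/...
URL_RE = re.compile(r"\b(?:https?|ipfs)://[^\s<>\"']+")

# Constructed sample identifiers (placeholders, not real IPFS objects).
SAMPLE_CID0 = "Qm" + "Zz" * 22
SAMPLE_CID1 = "bafybei" + "a" * 52

# Constructed proxy-log excerpt; line 3 is a benign URL that merely contains "ipfs".
SAMPLE_LOG = f"""\
2022-11-10T09:12:01Z user=alice url=https://gateway.example/ipfs/{SAMPLE_CID0}/login.html
2022-11-10T09:13:44Z user=bob url=https://{SAMPLE_CID1}.ipfs.gateway.example/index.html
2022-11-10T09:14:02Z user=carol url=https://docs.example/ipfs-whitepaper.pdf
2022-11-10T09:15:30Z user=dave url=ipfs://{SAMPLE_CID0}/login.html
"""


def extract_ipfs_cid(url):
    """Return the content identifier referenced by a gateway or ipfs:// URL, else None.
    Matching the identifier rather than the gateway host means a block or alert
    survives the attacker switching gateways."""
    m = NATIVE_RE.match(url)
    if m:
        return m.group(1)
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return None
    m = PATH_GATEWAY_RE.match(parts.path)
    if m:
        return m.group(1)
    m = SUBDOMAIN_GATEWAY_RE.match(parts.hostname or "")
    return m.group(1) if m else None


def scan_log(text, blocked_cids):
    """Find IPFS-referencing URLs in log text; flag identifiers already known to be bad."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            cid = extract_ipfs_cid(url)
            if cid is not None:
                findings.append({"line": lineno, "url": url, "cid": cid,
                                 "known_bad": cid in blocked_cids})
    return findings
```

Running `scan_log(SAMPLE_LOG, {SAMPLE_CID0})` flags lines 1, 2 and 4, with lines 1 and 4 marked as the same known-bad identifier despite the different retrieval paths.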

Phishing is not the only threat

Phishing pages aren’t the only threat. Attackers are also increasingly leveraging the peer-to-peer network to distribute malicious payloads.

In one campaign Talos researchers observed, attackers sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. Once the dropper runs, it reaches out to an IPFS gateway and retrieves the second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote access Trojan being dropped on the victim’s system.

Talos researchers also found a destructive disk-wiping malware tool and a full-featured information-stealing program called Hannabi Grabber hosted on IPFS nodes.

Talos said in the report: “As these technologies continue to be adopted for legitimate purposes, they are beginning to be leveraged by attackers as well.”

Researchers expect this trend to gain momentum as more attackers discover that IPFS is resilient to content moderation and removal efforts.

“Organizations should be aware of how these emerging technologies are being actively used throughout the threat landscape and evaluate methods for implementing security controls to prevent or detect successful attacks in their environments,” Bender said.

