Featured Image Source: Cisco Talos
Cybersecurity Incident Case Study: IPFS for Phishing, Malware Campaigns
As reported by the Cisco Talos Intelligence Group:
- The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
- Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
- IPFS is often used for legitimate purposes, which makes it more difficult for security teams to differentiate between benign and malicious IPFS activity in their networks.
- Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks. (1)
From our friends over at The Record:
“A new web3 technology is being abused widely by threat actors, according to security researchers from tech giant Cisco.
The InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data. It is designed to enable decentralized storage of resources on the internet. It was built to be resilient against content censorship, meaning that it is not possible to effectively remove content from within the IPFS network once it’s stored there.
‘IPFS is often used for legitimate purposes, which makes it more difficult for security teams to differentiate between benign and malicious IPFS activity in their networks,’ the researchers said. ‘Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks.’ The team that runs IPFS did not respond to requests for comment. According to Cisco Talos, IPFS is currently being leveraged to host phishing kits, which are the websites that phishing campaigns typically use to collect and harvest credentials from unsuspecting victims.
Image Source: Cisco Talos
Hackers are also using the technology in their malware distribution campaigns because it provides low-cost storage for malicious payloads while offering resilience against content moderation, effectively acting as “bulletproof hosting” for adversaries. ‘We have observed various samples in the wild that are currently leveraging IPFS. Throughout 2022, we’ve observed the volume of samples in the wild continuing to increase as this becomes a more popular hosting method for adversaries,’ the researchers said. One campaign saw victims receive emails pretending to come from a Turkish financial institution that were actually part of an infection process for the Agent Tesla remote access trojan.
Several other information-stealing tools were also seen leveraging IPFS, according to Cisco Talos. The company said it expects this kind of activity to continue increasing as more threat actors recognize that IPFS can be used to facilitate bulletproof hosting, is resilient against content moderation and law enforcement activities, and introduces problems for organizations attempting to detect and defend against attacks that may leverage the IPFS network.
‘Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments. Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them,’ Cisco Talos said.” (3)
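As an added illustration of the detection problem the Talos summary describes (this is not code from Cisco Talos or from this post): a small scanner over constructed proxy-log lines that recognises the two URL forms public IPFS gateways use, extracts the content identifier (CID), and groups hits by CID, because the same phishing kit or payload can be fetched through any gateway, so a block list keyed on gateway hostnames alone misses it. The log format, the sample gateway hostnames and the CID shapes are assumptions; the CIDs and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# CID shapes (assumption): CIDv0 = "Qm" + 44 base58btc chars; CIDv1 on public
# gateways is base32, i.e. "b" + 58 chars from [a-z2-7].
CID_RE = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58})"
PATH_RE = re.compile(r"^/ipfs/(" + CID_RE + r")(?:/|$)")        # gw.example/ipfs/<cid>/...
SUBDOMAIN_RE = re.compile(r"^(" + CID_RE + r")\.ipfs\.")         # <cid>.ipfs.gw.example/...

# Constructed sample proxy lines (not from the Talos report): "<timestamp> <client> <url>".
# The CIDs are made-up strings that merely have the right shape.
SAMPLE_LOG = """\
2022-11-10T09:12:01Z 10.0.0.5 https://ipfs.io/ipfs/Qma1b2c3d4e5f6g7h8j9k1m2n3p4q5r6s7t8u9v1w2x3y4/login.html
2022-11-10T09:12:07Z 10.0.0.5 https://bafybeiabcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrst.ipfs.dweb.link/
2022-11-10T09:13:44Z 10.0.0.9 https://example.com/ipfs/not-a-cid/readme
2022-11-10T09:14:02Z 10.0.0.7 https://cloudflare-ipfs.com/ipfs/Qma1b2c3d4e5f6g7h8j9k1m2n3p4q5r6s7t8u9v1w2x3y4/
2022-11-10T09:15:30Z 10.0.0.9 https://www.example.com/index.html
"""

def ipfs_ref(url):
    """Return (gateway_host, cid) if the URL addresses IPFS content via a gateway, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    m = SUBDOMAIN_RE.match(host) or PATH_RE.match(parts.path)
    return (host, m.group(1)) if m else None

def scan_log(text):
    """Return one dict per log line that fetched IPFS content through a gateway."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # malformed line: skip rather than crash the scan
        ref = ipfs_ref(fields[2])
        if ref:
            hits.append({"ts": fields[0], "client": fields[1], "gateway": ref[0], "cid": ref[1]})
    return hits

def gateways_by_cid(hits):
    """Group gateway hosts per CID: one object fetched via two gateways is still one object."""
    groups = {}
    for h in hits:
        groups.setdefault(h["cid"], set()).add(h["gateway"])
    return groups

if __name__ == "__main__":
    for cid, gws in gateways_by_cid(scan_log(SAMPLE_LOG)).items():
        print(cid, "via", sorted(gws))
```

The third sample line has an `/ipfs/` path but no valid CID and is correctly ignored, while the first and fourth lines resolve to the same CID through two different gateways.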
What Next?
The following is a review of concepts central to how we analyze a socio-technical system here at OODA Loop – core concepts we will return to often in the next couple of months as we provide a final analysis of certain research thematics (misinformation, AI innovation, etc.) and findings from our 2022 research agenda.
This IPFS/web3 cybersecurity incident was of interest to us because it contains all the elements necessary for this case study to introduce the following core concepts and recommendations, which apply to many of the cybersecurity and emerging technology thematics we have explored in 2022:
- Exponential Disruption: Decision-makers today are confronting unprecedented changes in technology, business processes, the geopolitical environment, and the threat landscape.
- Criminal Use Cases are a Feature Not A Bug of Emerging Technologies: The surprising convergence of technologies, people, platforms, and/or events for good and for ill, otherwise known as unintended consequences, is a feature not a bug of this exponential technological disruption. In this specific case study, an emerging technology – IPFS, a protocol and peer-to-peer network for storing and sharing data – is implemented in a maleficent manner unintended by its developers. Mis- and disinformation by way of social media platforms come to mind as another recent example of this concept. We should no longer be surprised by hackers’ use of emerging technologies like IPFS. Burn me once…
- Don’t Believe the Hype: Many emerging technologies are allied to a branding moniker – in this case, web3 – which is at a place in its “hype cycle” akin to a blind techno-utopianism: “The emergence of new Web3 technologies in recent years has resulted in drastic changes to the way content is hosted and accessed on the internet. Many of these technologies are focused on circumventing censorship and decentralizing control of large portions of the content and infrastructure people use and access on a regular basis. While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns.” (3) Vet all emerging technologies and think critically about negative use cases and vulnerabilities. Are your deployments of certain “web3” technologies consistent with the business problem you are trying to solve and/or the strategic intent and risk tolerance of your organization – or are you deploying “web3” for “web3’s” sake?
- The Theory of Affordances: Tools, platforms, software, and systems all have innate, obvious affordances – as well as those that are revealed by the intent and final outcome achieved by a particular user: “Affordance theory asserts a number of things, but I’d focus on its claims that technologies produce fields of action (including unexpected actions), but that not all actions are possible. The programmer who recodes according to Unix philosophy is re-determining technologies for cultural reasons, the hacktivist who DDoS’s Mastercard to show support for Wikileaks tries to alter the information landscape for political reasons and so on, and crucially they do so in their everyday actions… the language of affordances and (constraints as scholars use it) leaves room for us to say something about the agency of technical actants in a meaningful way. There are times and virtual places when and where we are not fully in control of our machinescapes. It is time that we bring in concepts that let us describe and understand those moments, rather than continue to rely on an idealized view of the agency of users and producers.” (2)
- The Exponential Expansion of the Attack Surface: The size of an attack surface is no longer just the total sum of matrixed attack vectors. It is also no longer cumulative and linear but, more often than not, exponential (at speed and scale), which is what OODA CEO Matt Devost characterizes as “a great leap in the attacker space has been enabled by the deployment of machine learning-based cyber attacks and the increased scale, frequency, and volume of automated attacks.”
- The Attacker Gets a Larger Vote: We are toying with a formative hypothesis that the attacker’s share of the vote on the outcome of a cybersecurity incident is directly proportional to the strategic advantage wrought by these expanded attack surfaces.
- Enough about Algorithms. It is all about Heuristics Moving Forward: The upside of these expanded attack surfaces is they are also the source of a large dataset with the potential to inform machine learning, attack simulation, and threat modeling, all heuristic by their very nature and central to mounting an adequate strategic threat assessment: “An algorithm is a step-wise procedure for solving a specific problem in a finite number of steps. The result (output) of an algorithm is predictable and reproducible given the same parameters (input). A heuristic is an educated guess which serves as a guide for subsequent explorations.” (4) Add an OODA Loop operational layer to review these heuristic ‘educated guesses’, keeping humans firmly in the decision-making loop.
- Threat Intelligence: Organizations need new ways of rapidly assessing and mitigating this next generation of exponentially disruptive cyber threats.
- Past is Prologue: Cyberthreat intelligence lessons learned from the past are still very relevant today. Tap the institutional knowledge of the broader cybersecurity community, including the OODA Network.
Organizational Change: Praxis and Intervention
Once a concrete case study or new threat vector (i.e., troubling, novel web3 cybersecurity vulnerabilities at scale) emerges from a larger idea we have been exploring at the level of a technology framework or business strategy – i.e., exponential disruption – what is the best way to make recommendations for organizational change? Or how best do we think about decision intelligence and risk awareness?
We offer the following frameworks.
PRAXIS
“Praxis is defined as an accepted practice or custom, or an idea translated into action, or something in reality rather than something in theory. Fasting as a result of your Christian faith and to atone for your sins is an example of praxis. Living the principles of communism instead of just theoretically discussing those principles and strategizing about whether they will work is an example of praxis.” (5)
Questions of Praxis include:
- Is the challenge before the cybersecurity community one of incremental change by way of a new generation of innovation that remains tethered to legacy systems architectures, practices, and customs?
- Conversely, how do we spring into action, communicating new practices or customs to internal and external stakeholders once a new threat vector and cybersecurity vulnerability has been birthed by emerging technology?
- How do we communicate that this specific threat vector is only one example of a persistent, ongoing exponential disruption of cybersecurity at lethal speed, scale, and volume which requires strategic, coordinated action?
- We also continue to explore a question we positioned in our 2021 Cybersecurity Year-End Review: “2021 also marks the year that a lack of innovation and a dearth of new solutions-driven platforms raised concerns that we may be in a ‘Cyber Winter’ in terms of business model generation and value proposition design. What are the novel architectures, design metaphors, and design processes for innovation in cybersecurity moving forward? And will security need to go back to the drawing board in a really transformative way in 2022?”
We continue to formulate our final research conclusions on how these questions have been answered over the course of 2022.
INTERVENTION
Government Intervention, Market Intervention, and Military Intervention. Like adult content, you know an intervention when you see it.
We position “intervention” here in the manner academia uses the term – which is the strategic positioning of research insights and thought leadership in partnership with the private sector, inside a specific organization and/or an intervention directed at an entire industry sector, which is designed to enact change and/or communicate a strategic vision for restructuring (or market survival), identifying opportunities for advantage and enhancing strategic risk awareness.
For example, this website is a strategic intervention. OODAcon is also a strategic intervention.
Questions of Intervention include:
- How best do you position an intervention within your organization?
- Is an intervention optimized for success by partnering with a third-party organization that provides external validation and subject matter expertise, enhancing the credibility of the intervention?
Further OODA Loop Resources
In recent OODA Loop interviews, OODA Network Members Junaid Islam and Florian Wolf offer practitioners insights on everything from zero trust to the real-world challenges of developing machine learning systems, emerging AI-based Zero Trust cybersecurity, small data, and the challenges of security automation.
https://oodaloop.com/ooda-original/2022/10/10/ooda-network-member-junaid-islam-on-security-automation-and-automated-continuous-threat-testing/
https://oodaloop.com/archive/2022/09/22/mergeflow-ceo-and-ooda-network-member-florian-wolf-on-small-data-part-1-of-2/
Stay Informed
It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.