Security News > 2024 > March > Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks

Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks
2024-03-05 16:47

As part of the attack, threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server.

QEMU offers unique capabilities such as emulating a wide range of hardware and virtual networks, allowing malicious activities to blend in with benign virtualization traffic, and bridging segmented network parts through strategically set up VM pivot points.

In the attack seen by Kaspersky, the hackers utilized 'Angry IP Scanner' for network scanning, 'mimikatz' for credential theft, and QEMU for creating a sophisticated network tunneling setup that facilitated a covert communication channel.

Netdev user,id=lan,restrict=off: Configures a network backend named 'lan' in user mode, allowing unrestricted network access through the host's network stack.

Netdev hubport,id=port-lan,hubid=0,netdev=lan/sock: Links a network device to a virtual hub hubid=0, facilitating network connectivity between different backends.

Using QEMU, the attackers established a network tunnel from the targeted internal host that didn't have internet access to a pivot host with internet access, which in turn connects to the attacker's server on the cloud, running a Kali Linux VM. The ability of QEMU VMs to link seamlessly and bridge segmented network components is key in bypassing security measures and may also be used to further the breach laterally.


News URL

https://www.bleepingcomputer.com/news/security/hackers-abuse-qemu-to-covertly-tunnel-network-traffic-in-cyberattacks/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Qemu 1 26 216 80 17 339