Cyberattackers Exploit QEMU for Stealthy Network Tunneling
In recent times, malicious actors have been found using innovative techniques to infiltrate systems and networks. One such development involves abusing the QEMU open-source hardware emulator as a tunneling tool during cyber-attacks. Threat actors created virtual network interfaces and a socket-type network device using QEMU to facilitate connection to a remote server. This tactic enabled the establishment of a network tunnel from the victim’s system to the attacker’s server with minimal impact on system performance.
QEMU As a Tunneling Tool
Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin shed light on this emerging trend, revealing how threat actors have capitalized on QEMU’s features to establish covert communication channels within target networks. By utilizing the -netdev option to create network devices, adversaries can establish connections between virtual machines, effectively bypassing traditional security measures.
Network tunneling is the technique used to encapsulate and transfer data packets between two network endpoints, typically over an intermediary network that might not support the original protocol being used. By creating a virtual “tunnel” inside the existing network architecture, data can pass through the intermediary network in a private and secure way.
The Kaspersky team mentioned they were able to create a network tunnel between a pivot host that is connected to the internet and an internal host that is not connected to the internet within the company network. The tunnel continues to the attacker’s cloud-based server, which is running the QEMU emulator, from there. Because of this covert architecture, threat actors can conceal their harmful activity within legitimate network traffic, which presents a difficult challenge for cybersecurity specialists to detect and mitigate.
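As an added detection example for the -netdev usage and the pivot architecture described above (this is not code from the article or from Kaspersky's report), the following Python script scans process command lines for QEMU instances started with a socket-type network device and reports where each one listens or connects. The sample command lines are constructed for illustration; the hostname and addresses in them are placeholders.

```python
import ipaddress
import os
import shlex

# Constructed sample command lines, as one might collect with `ps -eo args`.
# Lines 1 and 2 mimic an internal host and a pivot host; 3 and 4 are benign.
SAMPLE_PROCESSES = [
    "qemu-system-x86_64 -netdev user,id=lan,restrict=off "
    "-netdev socket,id=out,connect=10.0.0.5:443 -nographic",
    "qemu-system-x86_64 -netdev socket,id=in,listen=:443 "
    "-netdev socket,id=out,connect=vps.example.net:443 -nographic",
    "qemu-system-x86_64 -m 4096 -hda /var/lib/vms/build.qcow2 "
    "-netdev bridge,id=br0,br=br0 -device virtio-net,netdev=br0",
    "/usr/bin/python3 app.py",
]

def parse_netdev(spec):
    """Split a -netdev spec like 'socket,id=s0,connect=h:p' into (type, options)."""
    parts = spec.split(",")
    opts = {}
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            opts[key] = value
    return parts[0], opts

def remote_is_external(hostport):
    """True if the connect target is a global IP or a hostname we cannot classify offline."""
    host = hostport.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return bool(host)  # hostname: treat as external for review; empty host is local

def find_qemu_socket_tunnels(cmdlines):
    """Return one finding per socket-type -netdev on any qemu-system-* process."""
    findings = []
    for line in cmdlines:
        argv = shlex.split(line)
        if not argv or not os.path.basename(argv[0]).startswith("qemu-system"):
            continue
        for i, arg in enumerate(argv[:-1]):
            if arg != "-netdev":
                continue
            ndtype, opts = parse_netdev(argv[i + 1])
            if ndtype != "socket":
                continue
            direction = "connect" if "connect" in opts else "listen"
            target = opts.get(direction, "")
            external = direction == "connect" and remote_is_external(target)
            findings.append({"direction": direction, "target": target, "external": external})
    return findings
```

A listen-only finding alongside an outbound connect on the same host is the pivot pattern; a connect to an external address from a QEMU process with no disk image deserves immediate review.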
According to Kaspersky, the most common tunneling tools utilized by hackers are FRP and ngrok, accounting for 10% of total attacks in the past three years. Additional tools used to create tunnels include CloudFlare tunnels, Stowaway, ligolo, 3proxy, dog-tunnel, chisel, gs-netcat, plink, iox, and nps. With QEMU, however, attackers opted for a less conventional approach to creating network tunnels, prioritizing stealth over traffic encryption.
Conclusion
The idea of using trustworthy tools for malicious intent is not new in the field of cybersecurity. However, the use of QEMU as a tunneling program indicates a significant advancement in the complexity of cyberattacks. Organizations must thus continue to be vigilant and proactive in strengthening their defenses against constantly evolving attack vectors.
To secure your QEMU-based virtualization systems, you can utilize the QEMUCare live patching solution, which can automatically patch your infrastructure without needing to reboot or migrate virtual machines.
The sources for this article include a story from BleepingComputer.