QEMU Emulator Exploited as Tunneling Tool to Breach Company Network

We Keep you Connected

QEMU Emulator Exploited as Tunneling Tool to Breach Company Network

Threat actors have been observed leveraging the QEMU open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed “large company” to connect to their infrastructure.
While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first QEMU that has been used for this purpose.
“We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines,” Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin said.
“Each of the numerous network devices is defined by its type and supports extra options.”
In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server.
The Russian cybersecurity company said it was able to use QEMU to set up a network tunnel from an internal host within the enterprise network that didn’t have internet access to a pivot host with internet access, which connects to the attacker’s server on the cloud running the emulator.
The findings show that threat actors are continuously diversifying their attack strategies to blend their malicious traffic with actual activity and meet their operational goals.
“Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals,” the researchers said.
“This further supports the concept of multi-level protection, which covers both reliable endpoint protection, and specialized solutions for detecting and protecting against complex and targeted attacks including human-operated ones.”
State of AI in the Cloud 2024
Find out what 150,000+ cloud accounts revealed about the AI surge.
Goodbye, Atlassian Server. Goodbye… Backups?
Protect your data on Atlassian Cloud from disaster with daily backups and on-demand restores.
Take Action Fast with Censys Search for Security Teams
Stay ahead of advanced threat actors with best-in-class threat intelligence from Censys Search.
Stay ahead of advanced threat actors with best-in-class threat intelligence from Censys Search.
From Humans to Bots: Every Identity in Your SaaS App Could Be a Backdoor for Cybercriminals.
Learn how to protect your innovations from emerging security threats with expert advice.
Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE