Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks


March 5, 2024 at 11:50AM

Malicious actors used QEMU as a tunneling tool to establish a network tunnel in a cyberattack on a large company. This unusual case demonstrates the diverse methods attackers use to evade detection. Kaspersky analysts discovered the attack and emphasized the need for multi-level protection, including 24/7 network monitoring, to defend against such stealthy tactics.

Key takeaways from the article are as follows:

1. Malicious actors used the open-source hypervisor platform QEMU as a tunneling tool in a cyberattack against a large company. The attack involved the creation of virtual network interfaces and a socket-type network device to establish a network tunnel from the victim’s system to the attacker’s server without significantly impacting system performance.

2. Kaspersky analysts discovered this unusual case and highlighted the diverse methods attackers use to remain stealthy, noting that attackers build covert network tunnels to establish communication channels that bypass security controls.

3. Hackers have been found to frequently use utilities such as FRP, ngrok, Cloudflare tunnels, Stowaway, ligolo, 3proxy, dog-tunnel, chisel, gs-netcat, plink, iox, and nps to create network tunnels, which is why defenders and monitoring tools treat these tools with suspicion.

4. In the observed attack, the attackers leveraged QEMU’s unique capabilities, including emulating hardware and virtual networks, to create a network tunneling setup for covert communication, using minimal resources to avoid detection.

5. Kaspersky conducted simulated tests to replicate the attackers’ use of QEMU, concluding that the setup allowed the establishment of a network tunnel from the targeted internal host to a pivot host with internet access, which in turn connects to the attacker’s server.

6. Kaspersky recommends multi-level protection, including reliable endpoint protection and specialized solutions for detecting and protecting against complex and targeted attacks, along with 24/7 network and endpoint monitoring to detect anomalies and block attacks in their initial stages.

