QEMU：黑客新的网络隧道工具

Threat actors have been observed leveraging the QEMU open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed "large company" to connect to their infrastructure.

威胁行为者已被观察到在网络攻击期间利用开源硬件模拟器QEMU作为隧道软件，以连接到其基础设施的未命名"大公司"。

While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first QEMU that has been used for this purpose.

尽管许多合法的隧道工具如Chisel、FRP、ligolo、ngrok和Plink被对手用于其利益，但这一发展标志着首次使用QEMU进行此目的。

"We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines," Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin said.

"我们发现QEMU支持虚拟机之间的连接：-netdev选项创建网络设备（后端），然后可以连接到虚拟机。" 卡巴斯基研究人员Grigory Sablin、Alexander Rodchenko和Kirill Magaskin说。

"Each of the numerous network devices is defined by its type and supports extra options."

"每个众多的网络设备由其类型定义，并支持额外的选项。"

In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server.

换句话说，这个想法是创建一个虚拟网络接口和一个套接字类型的网络接口，从而使虚拟机能够与任何远程服务器通信。

The Russian cybersecurity company said it was able to use QEMU to set up a network tunnel from an internal host within the enterprise network that didn't have internet access to a pivot host with internet access, which connects to the attacker's server on the cloud running the emulator.

这家俄罗斯网络安全公司表示，他们能够使用QEMU从企业网络中没有互联网访问权限的内部主机建立一个网络隧道，连接到具有互联网访问权限的桥接主机，该桥接主机连接到在云中运行模拟器的攻击者服务器。

The findings show that threat actors are continuously diversifying their attack strategies to blend their malicious traffic with actual activity and meet their operational goals.

研究结果表明，威胁行为者不断多样化其攻击策略，将其恶意流量与实际活动融合，以达到其运营目标。

"Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals," the researchers said.

"利用合法工具执行各种攻击步骤的恶意行为者对事故响应专业人员来说并不新鲜。" 研究人员表示。

"This further supports the concept of multi-level protection, which covers both reliable endpoint protection, and specialized solutions for detecting and protecting against complex and targeted attacks including human-operated ones."

"这进一步支持多层保护的概念，涵盖可靠的端点保护和专门用于检测和防范包括人为操作的复杂和有针对性攻击在内的解决方案。"

参考资料

[1]https://thehackernews.com/2024/03/cybercriminals-utilize-qemu-emulator-as.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：QEMU：黑客新的网络隧道工具