{"id":10112,"date":"2021-10-04T15:00:44","date_gmt":"2021-10-04T12:00:44","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10112"},"modified":"2021-10-04T15:00:44","modified_gmt":"2021-10-04T12:00:44","slug":"tomiris-backdoor","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/tomiris-backdoor\/10112\/","title":{"rendered":"Tomiris backdoor"},"content":{"rendered":"<p>Our experts have found a new backdoor that cybercriminals have begun using in targeted attacks. The backdoor, named Tomiris, shows many similarities to Sunshuttle (also known as GoldMax), the malware that DarkHalo (also known as Nobelium) used in its supply-chain attack on SolarWinds customers.<\/p>\n<h2>Tomiris's capabilities<\/h2>\n<p>The main task of the Tomiris backdoor is to deliver additional malware to the victim's machine. The backdoor stays in continuous contact with the cybercriminals' C&amp;C server, from which it downloads executable files that are then run with the specified arguments.<\/p>\n<p>Our experts also discovered a file-stealing variant of the backdoor. The malware selects recently created files with certain extensions (.doc, .docx, .pdf, .rar and others) and then uploads them to the C&amp;C server.<\/p>\n<p>Its creators added several features to the backdoor in order to deceive security technologies and mislead researchers. For example, on loading, the malware does nothing for 9 minutes, a delay that is likely meant to fool <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/sandbox\/\" target=\"_blank\" rel=\"noopener\">sandbox<\/a>-based detection mechanisms. Furthermore, the address of the C&amp;C server is not hard-coded inside Tomiris; the URL and port information come from a signaling server.<\/p>\n<h2>How does Tomiris get onto computers?<\/h2>\n<p>To install the backdoor, the cybercriminals use <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/dns-hijacking\/\" target=\"_blank\" rel=\"noopener\">DNS hijacking<\/a> (probably by obtaining the login credentials for the control panel on the domain registrar's site) to redirect traffic from the targeted companies' mail servers to their own malicious sites. In this way they can lure customers to a page that looks like the e-mail service's real login page. Naturally, as soon as someone enters their credentials on the fake page, the information lands in the attackers' hands.<\/p>\n<p>Of course, sites sometimes ask users to install a security update in order to keep working. In this case, the update that users were asked to install was actually one that downloaded Tomiris.<\/p>\n<p>For more technical details about the Tomiris backdoor, the indicators of compromise, and the connection observed between Tomiris and DarkHalo's tools, see <a href=\"https:\/\/securelist.com\/darkhalo-after-solarwinds-the-tomiris-connection\/104311\/\" target=\"_blank\" rel=\"noopener\">our post on Securelist<\/a>.<\/p>\n<h2>How to protect yourself<\/h2>\n<p>If the computer that accesses the e-mail service's web interface is protected by a strong <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solution<\/a>, the malware distribution method described above will not work. In addition, any activity of APT operators on the corporate network can be detected with the help of the experts who use <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Managed Detection and Response<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At the SAS 2021 conference, our experts talked about the Tomiris backdoor, which appears to be linked to the DarkHalo group.<\/p>\n","protected":false},"author":2581,"featured_media":10113,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[493,2482,337,2481,333],"class_list":{"0":"post-10112","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-apt","10":"tag-darkhalo","11":"tag-sas","12":"tag-sas-2021","13":"tag-security-analyst-summit"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/tomiris-backdoor\/10112\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/tomiris-backdoor\/23437\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/tomiris-backdoor\/18910\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/tomiris-backdoor\/9466\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/tomiris-backdoor\/25503\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/tomiris-backdoor\/23581\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/tomiris-backdoor\/23001\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/tomiris-backdoor\/26156\/"},
{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/tomiris-backdoor\/25712\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/tomiris-backdoor\/31600\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/tomiris-backdoor\/42239\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/tomiris-backdoor\/17824\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/tomiris-backdoor\/18271\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/tomiris-backdoor\/15371\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/tomiris-backdoor\/27511\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/tomiris-backdoor\/31733\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/tomiris-backdoor\/27661\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/tomiris-backdoor\/29792\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/tomiris-backdoor\/29591\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10112"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10112\/revisions"}],"predecessor-version":[{"id":10114,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10112\/revisions\/10114"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10113"}],"wp:attachment":[{"href":"h
ttps:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}