{"id":10158,"date":"2021-10-15T13:09:08","date_gmt":"2021-10-15T10:09:08","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10158"},"modified":"2021-10-15T13:12:39","modified_gmt":"2021-10-15T10:12:39","slug":"mysterysnail-cve-2021-40449","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/mysterysnail-cve-2021-40449\/10158\/","title":{"rendered":"MysterySnail gets in through a zero-day vulnerability"},"content":{"rendered":"<p>Our Behavioral Detection Engine and Exploit Prevention technologies recently detected the exploitation of a vulnerability in the Win32k kernel driver, which made it possible to investigate the entire cybercriminal operation behind it. We reported the vulnerability (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-40449\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2021-40449<\/a>) to Microsoft, and the company fixed it in a regular update released on October 12. Therefore, as always, we recommend <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40449\" target=\"_blank\" rel=\"noopener nofollow\">updating Microsoft Windows<\/a> as soon as possible after Patch Tuesday.<\/p>\n<h2>What was CVE-2021-40449 used for?<\/h2>\n<p>CVE-2021-40449 is a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/use-after-free\/\" target=\"_blank\" rel=\"noopener\">use-after-free vulnerability<\/a> (UAF) in the NtGdiResetDC function of the Win32k driver. You can find a detailed technical description in <a href=\"https:\/\/securelist.com\/mysterysnail-attacks-with-windows-zero-day\/104509\/\" target=\"_blank\" rel=\"noopener\">our Securelist post<\/a>, but in short, the vulnerability can cause kernel module addresses in the computer\u2019s memory to leak. Cybercriminals then use this leak to elevate the privileges of another malicious process.<\/p>\n<p>Through privilege escalation, the attackers are able to download and run MysterySnail, a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/rat-remote-access-tools\/\" target=\"_blank\" rel=\"noopener\">Remote Access Trojan (RAT)<\/a> that gives them access to the victim\u2019s system.<\/p>\n<h2>What does MysterySnail do?<\/h2>\n<p>The Trojan starts by collecting information about the infected system and sends it to the C&amp;C (command and control) server. The attackers can then issue various commands through MysterySnail, such as creating, reading or deleting a specific file, creating or killing a process, producing a directory listing, or opening a proxy channel and sending data through it.<\/p>\n<p>Other MysterySnail features include listing the connected drives, monitoring the connection of external drives in the background, and more. The Trojan can also launch the cmd.exe interactive shell (by copying the cmd.exe file to a temporary folder under a different name).<\/p>\n<h2>Attacks carried out through CVE-2021-40449<\/h2>\n<p>This vulnerability is exploited on a number of operating systems in the Microsoft Windows family: Vista, 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Windows 10 (build 14393), Server 2016 (build 14393), 10 (build 17763) and Server 2019 (build 17763). According to our experts, the vulnerability is used specifically to elevate privileges on server versions of the operating system.<\/p>\n<p>After detecting the threat, our experts determined that the exploit, and the MysterySnail malware it installs on the system, were widely used in espionage operations against IT companies, diplomatic organizations and companies working for the defense industry.<\/p>\n<p>Thanks to the Kaspersky Threat Attribution Engine, our experts found similarities between the code and functionality of MysterySnail and malware used by the IronHusky group. In addition, a Chinese-speaking APT group was using some of MysterySnail\u2019s C&amp;C server addresses in 2012.<\/p>\n<p>For more information about the attack, including a detailed description and indicators of compromise, <a href=\"https:\/\/securelist.com\/mysterysnail-attacks-with-windows-zero-day\/104509\/\" target=\"_blank\" rel=\"noopener\">see our Securelist post<\/a>.<\/p>\n<h2>How to protect yourself<\/h2>\n<p>Start by installing <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40449\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft\u2019s latest patches<\/a>, and avoid being hit by future zero-day vulnerabilities by installing, on every computer with internet access, a robust security solution that proactively detects and blocks the exploitation of vulnerabilities. CVE-2021-40449 was detected by the Behavioral Detection Engine and Exploit Prevention technologies, which are also included in <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Endpoint Security for Business<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our security technologies detected the exploitation of a previously unknown vulnerability in the Win32k driver.<\/p>\n","protected":false},"author":2581,"featured_media":10159,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[969,790,1753,1986,2488,113],"class_list":{"0":"post-10158","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"tag-aciklar","11":"tag-guvenlik-aciklari","12":"tag-rat","13":"tag-truva-atlari","14":"tag-uzaktan-erisim-truva-atlari","15":"tag-windows"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/mysterysnail-cve-2021-40449\/10158\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/mysterysnail-cve-2021-40449\/23490\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/mysterysnail-cve-2021-40449\/18967\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/mysterysnail-cve-2021-40449\/9499\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/mysterysnail-cve-2021-40449\/25567\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/mysterysnail-cve-2021-40449\/23639\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/mysterysnail-cve-2021-40449\/23102\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/mysterysnail-cve-2021-40449\/26246\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/mysterysnail-cve-2021-40449\/25784\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/mysterysnail-cve-2021-40449\/31702\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/mysterysnail-cve-2021-40449\/42448\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/mysterysnail-cve-2021-40449\/18275\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/mysterysnail-cve-2021-40449\/15406\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/mysterysnail-cve-2021-40449\/27564\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/mysterysnail-cve-2021-40449\/31798\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/mysterysnail-cve-2021-40449\/27720\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/mysterysnail-cve-2021-40449\/24480\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/mysterysnail-cve-2021-40449\/29842\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/mysterysnail-cve-2021-40449\/29640\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/guvenlik-aciklari\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10158"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10158\/revisions"}],"predecessor-version":[{"id":10164,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10158\/revisions\/10164"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10159"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}