{"id":10893,"date":"2022-08-01T12:45:32","date_gmt":"2022-08-01T09:45:32","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10893"},"modified":"2022-08-01T12:45:32","modified_gmt":"2022-08-01T09:45:32","slug":"cosmicstrand-uefi-rootkit","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/cosmicstrand-uefi-rootkit\/10893\/","title":{"rendered":"CosmicStrand: a UEFI rootkit"},"content":{"rendered":"<p>Our researchers have analyzed <a href=\"https:\/\/securelist.com\/cosmicstrand-uefi-firmware-rootkit\/106973\/\" target=\"_blank\" rel=\"noopener\">a new version of the CosmicStrand rootkit<\/a>, which they found in a modified <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/uefi\/\" target=\"_blank\" rel=\"noopener\">UEFI<\/a> (Unified Extensible Firmware Interface), the code that loads first when a computer is powered on and starts the operating system's boot process.<\/p>\n<h2>The danger of UEFI malware<\/h2>\n<p>Because UEFI firmware is embedded in a chip on the motherboard rather than written to the hard drive, it is immune to hard-drive manipulation. That makes UEFI-based malware very hard to get rid of: even wiping the drive and reinstalling the operating system leaves the UEFI untouched. For the same reason, not every security solution can detect malware hiding in UEFI. Simply put, if malware manages to reach the firmware, it stays there.<\/p>\n<p>Of course, infecting UEFI is not easy. It requires either physical access to the device or a sophisticated mechanism for infecting the firmware remotely. Moreover, to achieve whatever its ultimate goal is, the malware cannot just stay in UEFI; it has to make its way into the operating system at boot, which complicates matters further. All of this takes considerable effort, which is why this kind of malware is usually seen in targeted attacks against high-profile individuals or organizations.<\/p>\n<h2>CosmicStrand's victims and possible infection vectors<\/h2>\n<p>Interestingly, the CosmicStrand victims identified by our researchers were ordinary people using our free antivirus, with no connection to any organization that would interest attackers of this caliber. It also turned out that in all known cases the infected motherboards came from just two manufacturers. It is therefore likely that the attackers found a common vulnerability in these motherboards that made it possible to infect their UEFI.<\/p>\n<p>Exactly how the cybercriminals delivered the malware is unknown. The fact that the CosmicStrand victims were not major targets may indicate that the attackers behind this rootkit can infect UEFI remotely, but there are other possible explanations. For example, Qihoo 360 experts who studied the first CosmicStrand versions in 2016 <a href=\"https:\/\/bbs.360.cn\/thread-14959110-1-1.html\" target=\"_blank\" rel=\"noopener nofollow\">suggested<\/a> that one victim had bought a modified motherboard from a reseller. In this case, however, our experts could not confirm any infection method.<\/p>\n<h2>What CosmicStrand does<\/h2>\n<p>CosmicStrand's main goal is to download a malicious program while the operating system is starting; that program then carries out whatever tasks the attackers assign it. After passing through every stage of the operating system's boot process, the rootkit finally executes shellcode that contacts the attackers' <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/command-and-control-server-cc\/\" target=\"_blank\" rel=\"noopener\">C2 server<\/a> and receives a malicious payload from it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-10895 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2022\/08\/01123644\/cosmicstrand-uefi-rootkit-1.png\" alt=\"CosmicStrand rootkit infection chain\" width=\"493\" height=\"637\"><\/p>\n<p>Our researchers were unable to obtain the file the rootkit receives from the C2 server. However, on one of the infected machines they found a piece of malware that is probably related to CosmicStrand: it creates a user named \u201caaaabbbb\u201d with local administrator rights in the operating system. For more technical details on CosmicStrand, see our researchers' <a href=\"https:\/\/securelist.com\/cosmicstrand-uefi-firmware-rootkit\/106973\/\" target=\"_blank\" rel=\"noopener\">post on Securelist<\/a>.<\/p>\n<h2>Should we be afraid of rootkits?<\/h2>\n<p>CosmicStrand has been serving cybercriminals since 2016 while attracting little attention from information security researchers. That is certainly worrying, but it is not all bad news. First, even though it sometimes infects seemingly random people, this is a sophisticated and expensive piece of malware used for targeted attacks, not mass campaigns. Second, there are security products that can detect this kind of malware; our <a href=\"https:\/\/www.kaspersky.com.tr\/internet-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener\">security solutions<\/a>, for example, protect our users from rootkits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our experts have discovered a new version of the CosmicStrand rootkit, which hides from researchers inside UEFI firmware.<\/p>\n","protected":false},"author":2477,"featured_media":10894,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1351],"tags":[2568,627,2569,537,2289],"class_list":{"0":"post-10893","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cosmicstrand","9":"tag-great","10":"tag-rootkit","11":"tag-tehditler","12":"tag-uefi"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cosmicstrand-uefi-rootkit\/10893\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cosmicstrand-uefi-rootkit\/24412\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/19878\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/10046\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/26807\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cosmicstrand-uefi-rootkit\/24713\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/25108\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cosmicstrand-uefi-rootkit\/27453\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cosmicstrand-uefi-rootkit\/27118\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cosmicstrand-uefi-rootkit\/33702\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/45017\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cosmicstrand-uefi-rootkit\/19233\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cosmicstrand-uefi-rootkit\/19787\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cosmicstrand-uefi-rootkit\/29085\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cosmicstrand-uefi-rootkit\/25300\/"}
,{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cosmicstrand-uefi-rootkit\/30778\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cosmicstrand-uefi-rootkit\/30524\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/rootkit\/","name":"rootkit"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2477"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10893"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10893\/revisions"}],"predecessor-version":[{"id":10897,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10893\/revisions\/10897"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10894"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}