Game code turned into a weapon for attacking a company

Kaspersky Daily (Turkish edition), published 2022-09-15
Source: https://www.kaspersky.com.tr/blog/genshin-driver-attack/11023/
Categories: enterprise, business, SMB. Tags: anti-cheat, vulnerability, driver

Summary: An unusual attack that turned a game's legitimate code into an attack tool.

The action-adventure video game Genshin Impact (https://tr.wikipedia.org/wiki/Genshin_Impact), released for PC and consoles in September 2020, was created by miHoYo Limited of China. The Windows version includes a module containing a driver called mhyprot2.sys, designed to prevent cheating in the game. This module gives the game's defense mechanism broad system privileges, and it carries a digital signature that shows it is legitimate. The module is one of the game's requirements for detecting and blocking tools that circumvent its built-in restrictions. The unexpected part is that hackers discovered another use for the driver.

In August 2022, Trend Micro published a report (https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html) on an unusual attack against corporate infrastructure. The attack used the very driver mentioned above, mhyprot2.sys. In short, a hacker group realized that the unrestricted system privileges the driver provides, together with its legitimate digital certificate, could serve as a tool for a targeted attack. What's more, you can become a victim even if you never installed the game.

Protection sidestepped

The report describes in detail an attack on an unnamed victim, although it does not say how the hackers initially got into the corporate infrastructure. All we know is that they used a compromised administrator account to access the domain controller over RDP. Not only did the hackers steal data from the controller, they also placed a shared folder on it containing a malicious installer disguised as an antivirus. The attackers used group policies to install the file on one of the workstations, probably as a rehearsal for a mass infection of every computer in the business.

However, the attempt to install the malware on the workstation failed. The module that was supposed to encrypt the data (with a ransom demand expected to follow) did not run, so the attackers had to launch it manually. They did, however, succeed in installing Genshin Impact's entirely legitimate driver, mhyprot2.sys. Another helper program they planted on the system collected data about processes that could block the loading of the malicious code.

[Figure: list of processes forcibly terminated by the game driver. Source: https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html]

Every process on the list, including the security solutions active on the computer, was terminated one by one by the mhyprot2.sys driver. With the system's defenses out of the way, the actual malware tool ran, encrypted the files and left a ransom note.

Not an ordinary hack

This incident is interesting because it illustrates how an essentially legitimate piece of software, distributed as part of a popular computer game, can be abused. Trend Micro noted that the mhyprot2.sys driver used in the attack was signed in August 2020, shortly before the game's first release. Cybercriminals commonly use stolen private certificates to sign malicious programs, or exploit vulnerabilities in legitimate software. In this case, however, the hackers took advantage of the driver's normal features: full access to RAM and the ability to terminate any process on the system. Legitimate programs of this kind can easily escape the notice of monitoring tools, which is an additional risk for anyone administering corporate infrastructure.

It took Genshin Impact users some time to notice the unusual behavior of mhyprot2.sys. The module remained on the system even after the game was uninstalled from the computer. This means that all current and former users who downloaded the game are in some way vulnerable, and their computers are easier to attack. Interestingly, on message boards going back to October 2020 one can find cheaters' discussions (https://www.unknowncheats.me/forum/anti-cheat-bypass/419457-mhyprot2-read-process-kernel-memory-valid-signature-driver-2.html) of how the driver's anti-cheat system could be exploited by abusing the module's extensive capabilities and its digital signature.

This should serve as a reminder to developers of software that runs with elevated privileges to use system rights carefully; otherwise their code can be used for cyberattacks instead of providing protection. Last summer, the Genshin Impact developers were notified of possible problems with the driver, but they did not consider the module's dangerous behavior to be an issue. Moreover, at the end of August 2022 the digital signature was still valid.

Recommendations for companies

Given the scenario above, you can both add the potentially dangerous driver to your watch list and reduce the risk of a successful attack by using security measures with comprehensive defense capabilities. Remember that the hackers first gained access to the domain controller, so the situation was dangerous from the start; they could have used far less creative tricks to spread the malware further across the corporate network.

Detecting games installed on employees' computers may seem to matter only where productivity is concerned. The Genshin Impact anti-cheat incident shows that "unnecessary" programs are not merely a distraction but can also pose an extra security risk: they add to the pool of potentially vulnerable software and, in some cases, bring outright dangerous code straight inside the security perimeter.