{"id":4281,"date":"2017-10-17T17:48:39","date_gmt":"2017-10-17T14:48:39","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=4281"},"modified":"2017-10-24T18:21:38","modified_gmt":"2017-10-24T15:21:38","slug":"blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit\/4281\/","title":{"rendered":"BlackOasis APT and new targeted attacks leveraging a zero-day exploit"},"content":{"rendered":"<p>Kaspersky Intelligence Reporting Service customers can obtain more information about the BlackOasis APT. Contact: intelreports@kaspersky.com<\/p>\n<h2>Introduction<\/h2>\n<p>Kaspersky Lab has always worked with vendors to protect users. As soon as we find a new vulnerability, we responsibly notify the vendor and provide the details needed for a fix.<\/p>\n<p>On October 10, 2017, Kaspersky Lab\u2019s advanced exploit prevention systems identified a new Adobe Flash zero-day exploit being used in the wild against our customers. The exploit was delivered through a Microsoft Office document, and the final payload was the latest version of the FinSpy malware. 
We reported the bug to Adobe, which assigned it <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb17-32.html\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2017-11292 and released a patch yesterday morning<\/a>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4282\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17171759\/1.png\" alt=\"\" width=\"1571\" height=\"631\"><\/p>\n<p>So far only one attack has been observed in our customer base, which leads us to believe the number of attacks is minimal and highly targeted.<\/p>\n<p>Analysis of the payload allowed us to connect this attack to an actor we track as \u201cBlackOasis\u201d. We are also highly confident that BlackOasis was responsible for another zero-day exploit (CVE-2017-8759) discovered by FireEye in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/09\/zero-day-used-to-distribute-finspy.html\" target=\"_blank\" rel=\"noopener nofollow\">FireEye<\/a>.<\/p>\n<h2>BlackOasis Background<\/h2>\n<p>We first became aware of BlackOasis\u2019 activities in May 2016, while investigating another Adobe Flash zero-day. 
On May 10, 2016, Adobe <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsa16-02.html\" target=\"_blank\" rel=\"noopener nofollow\">warned<\/a> of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux and Chrome OS. The vulnerability was being actively exploited in the wild.<\/p>\n<p>Kaspersky Lab was able to identify a sample exploiting this vulnerability that had been uploaded to a multiscanner system on May 8, 2016. The sample, an RTF document, exploited CVE-2016-4117 to download and install a program from a remote command and control server. Although the payload of that attack was no longer on the C2 server, the same server was hosting multiple FinSpy installation packages.<\/p>\n<p>Leveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015, which were also zero-days at the time: CVE-2015-5119 and CVE-2016-0984, patched in June 2015 and February 2016 respectively. These exploit chains also delivered FinSpy installation packages.<\/p>\n<p>Since the discovery of BlackOasis\u2019 exploitation network, we have been tracking this threat actor to better understand its operations and targeting, and we have observed a number of new attacks. 
Some of the decoy documents used in these attacks are shown below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4283\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172019\/171016-blackoasis-1.png\" alt=\"\" width=\"1570\" height=\"1467\"><\/p>\n<div id=\"attachment_4284\" style=\"width: 1580px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4284\" class=\"wp-image-4284 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172108\/171016-blackoasis-2.png\" alt=\"\" width=\"1570\" height=\"1467\"><p id=\"caption-attachment-4284\" class=\"wp-caption-text\">Decoy documents used in BlackOasis attacks<\/p><\/div>\n<p>To summarize, BlackOasis has used at least five zero-days since June 2015:<\/p>\n<ul>\n<li>CVE-2015-5119 \u2013 June 2015<\/li>\n<li>CVE-2016-0984 \u2013 June 2015<\/li>\n<li>CVE-2016-4117 \u2013 May 2016<\/li>\n<li>CVE-2017-8759 \u2013 September 2017<\/li>\n<li>CVE-2017-11292 \u2013 October 2017<\/li>\n<\/ul>\n<h2>Attacks Leveraging the Exploit<\/h2>\n<p>The attack begins with the delivery of an Office document, presumably by e-mail in this case. 
Embedded in the document is an ActiveX object containing the Flash exploit.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4285\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172255\/171016-blackoasis-3.png\" alt=\"\" width=\"303\" height=\"421\"><\/p>\n<div id=\"attachment_4286\" style=\"width: 710px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4286\" class=\"wp-image-4286 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172309\/171016-blackoasis-4.png\" alt=\"\" width=\"700\" height=\"319\"><p id=\"caption-attachment-4286\" class=\"wp-caption-text\">The Flash object in the .docx file is stored uncompressed.<\/p><\/div>\n<p>The Flash object contains ActionScript responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.<\/p>\n<div id=\"attachment_4287\" style=\"width: 773px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4287\" class=\"wp-image-4287 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172335\/171016-blackoasis-5.png\" alt=\"\" width=\"763\" height=\"298\"><p id=\"caption-attachment-4287\" class=\"wp-caption-text\">Unpacking routine for the SWF exploit<\/p><\/div>\n<p>The exploit is a memory corruption vulnerability in the \u201c<strong>com.adobe.tvsdk.mediacore.BufferControlParameters<\/strong>\u201d class. 
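<\/p>
<p>As an added example (not code from the original post, nor from FinSpy\u2019s authors), the following Python scanner walks an OOXML container the way the embedded object above is laid out: it looks for SWF headers inside every part, including the OLE-wrapped ActiveX part where the object is not at offset 0, inflates zlib-compressed (CWS) bodies, and then scans the plain SWF for NOP sleds built from alternative single-byte opcodes such as 0x90 and 0x91, the evasion the next paragraph describes. The sample document it builds, the part names and the opcode set are this example\u2019s own assumptions.<\/p>

```python
# Added example, not code from the original post. Scans an OOXML container
# (.docx/.xlsx/.pptx) for embedded SWF objects and, for the ones it can read,
# reports NOP sleds padded with alternative single-byte opcodes. The sample
# document built below is constructed for the demonstration only.
import io
import struct
import zipfile
import zlib

SWF_MAGICS = {b'FWS': 'uncompressed', b'CWS': 'zlib', b'ZWS': 'lzma'}

# 0x90 is nop; 0x91..0x97 are xchg eax,reg - single-byte instructions a sled
# can be padded with. A signature that only looks for runs of 0x90 misses a
# sled that alternates 0x90 and 0x91. (Assumed opcode set for this example.)
SLED_OPCODES = {0x90} | set(range(0x91, 0x98))


def find_sleds(data, min_len=32):
    '''Return (offset, length, distinct_opcodes) for each run of at least
    min_len bytes drawn from SLED_OPCODES.'''
    sleds, start = [], None
    for i, b in enumerate(data + bytes([0])):      # sentinel closes a trailing run
        if b in SLED_OPCODES:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                sleds.append((start, i - start, len(set(data[start:i]))))
            start = None
    return sleds


def find_swf_headers(blob):
    '''Yield (offset, kind, version, declared_len) for every plausible SWF
    header; the ActiveX part is an OLE container, so offset 0 is not enough.'''
    for magic, kind in SWF_MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            if pos + 8 <= len(blob):
                version = blob[pos + 3]
                declared = struct.unpack_from('<I', blob, pos + 4)[0]
                # an uncompressed SWF declares its full length, which must fit in the part
                fits = kind != 'uncompressed' or declared <= len(blob) - pos
                if 1 <= version <= 64 and declared >= 8 and fits:
                    yield pos, kind, version, declared
            pos = blob.find(magic, pos + 1)


def swf_body(blob, pos, kind, declared):
    '''Return the 8-byte SWF header followed by the plain body, inflating a
    zlib (CWS) body; an LZMA (ZWS) body is left unread here.'''
    header = blob[pos:pos + 8]
    if kind == 'uncompressed':
        return blob[pos:pos + declared]
    if kind == 'zlib':
        try:
            return header + zlib.decompressobj().decompress(blob[pos + 8:])
        except zlib.error:
            return header
    return header


def scan_ooxml(doc_bytes, min_sled=32):
    '''Walk every part of the zip and report embedded SWFs together with the
    sleds found in them; sled offsets are relative to the SWF header.'''
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for name in z.namelist():
            part = z.read(name)
            for pos, kind, version, declared in find_swf_headers(part):
                swf = swf_body(part, pos, kind, declared)
                findings.append({'part': name, 'offset': pos, 'swf': kind,
                                 'version': version, 'sleds': find_sleds(swf, min_sled)})
    return findings


def build_sample_docx(compressed=False):
    '''Constructed sample: a minimal OOXML zip whose ActiveX part carries a
    benign SWF shell with a 64-byte 0x90/0x91 sled (no real exploit).'''
    sled = bytes.fromhex('9091') * 32
    body = bytes.fromhex('7800055f00000fa000000c0100') + b'A' * 16 + sled + b'B' * 16
    declared = 8 + len(body)                          # FWS length field covers the header
    if compressed:
        swf = b'CWS' + bytes([10]) + struct.pack('<I', declared) + zlib.compress(body)
    else:
        swf = b'FWS' + bytes([10]) + struct.pack('<I', declared) + body
    part = bytes.fromhex('d0cf11e0') + bytes(28) + swf   # OLE-like prefix, then the SWF
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<w:document/>')
        z.writestr('word/media/image1.png', bytes.fromhex('89504e470d0a1a0a') + bytes(32))
        z.writestr('word/activeX/activeX1.bin', part)
    return buf.getvalue()


if __name__ == '__main__':
    for hit in scan_ooxml(build_sample_docx()):
        print(hit)
```

<p>Run as a script it prints the single finding for the constructed document. A plain run-of-0x90 signature reports nothing for this sled; the distinct-opcode count carried in each finding is what makes the alternating sled visible, and the same routine works on the inflated CWS variant because the scan happens after decompression.<\/p>
<p>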
If exploitation is successful, it gains arbitrary read\/write primitives in memory, which it uses to execute a second-stage shellcode.<\/p>\n<p>The first-stage shellcode contains an interesting NOP sled with alternative instructions, probably designed to avoid detection by antivirus products that look for large blocks of NOPs inside Flash files.<\/p>\n<div id=\"attachment_4288\" style=\"width: 1347px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4288\" class=\"wp-image-4288 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172614\/171016-blackoasis-6.png\" alt=\"\" width=\"1337\" height=\"683\"><p id=\"caption-attachment-4288\" class=\"wp-caption-text\">NOP sled composed of the 0x90 and 0x91 opcodes<\/p><\/div>\n<p>The main purpose of the initial shellcode is to download the second-stage shellcode from hxxp:\/\/89.45.67[.]107\/rss\/5uzosoff0u.iaf.<\/p>\n<div id=\"attachment_4289\" style=\"width: 703px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4289\" class=\"wp-image-4289 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172646\/171016-blackoasis-7.png\" alt=\"\" width=\"693\" height=\"624\"><p id=\"caption-attachment-4289\" class=\"wp-caption-text\">Second-stage shellcode<\/p><\/div>\n<p>The second-stage shellcode then performs the following actions:<\/p>\n<ol>\n<li>Downloads the final payload (FinSpy) from hxxp:\/\/89.45.67[.]107\/rss\/mo.exe.<\/li>\n<li>Downloads the decoy document to be shown to the victim from the same 
IP.<\/li>\n<li>Runs the payload and displays the decoy document.<\/li>\n<\/ol>\n<h2>Payload \u2013 mo.exe<\/h2>\n<p>As mentioned earlier, the \u201cmo.exe\u201d payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International\u2019s FinSpy malware, typically sold to nation states and other law enforcement agencies for use in lawful surveillance operations. This new version has had anti-analysis techniques added, including a custom packer and a virtual machine for executing code, which makes analysis by researchers considerably harder.<\/p>\n<p>The virtual machine\u2019s PCODE is packed with the aplib packer.<\/p>\n<div id=\"attachment_4290\" style=\"width: 598px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4290\" class=\"wp-image-4290 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172740\/171016-blackoasis-8.png\" alt=\"\" width=\"588\" height=\"275\"><p id=\"caption-attachment-4290\" class=\"wp-caption-text\">Part of the packed virtual machine PCODE<\/p><\/div>\n<p>After unpacking, the PCODE looks as follows:<\/p>\n<div id=\"attachment_4291\" style=\"width: 623px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4291\" class=\"wp-image-4291 size-full\" 
src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172809\/171016-blackoasis-9.png\" alt=\"\" width=\"613\" height=\"445\"><p id=\"caption-attachment-4291\" class=\"wp-caption-text\">Unpacked PCODE<\/p><\/div>\n<p>After unpacking, the virtual machine PCODE is then decrypted:<\/p>\n<div id=\"attachment_4292\" style=\"width: 607px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4292\" class=\"wp-image-4292 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172854\/171016-blackoasis-10.png\" alt=\"\" width=\"597\" height=\"301\"><p id=\"caption-attachment-4292\" class=\"wp-caption-text\">Decrypted virtual machine PCODE<\/p><\/div>\n<p>The custom virtual machine supports a total of 34 instructions:<\/p>\n<div id=\"attachment_4293\" style=\"width: 859px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4293\" class=\"wp-image-4293 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17172944\/171016-blackoasis-11.png\" alt=\"\" width=\"849\" height=\"220\"><p id=\"caption-attachment-4293\" class=\"wp-caption-text\">Example of disassembled PCODE<\/p><\/div>\n<p>In this example, instruction \u201c1b\u201d is responsible for executing the native code specified in the parameter field.<\/p>\n<p>Once the payload has executed successfully, it proceeds to copy files to the following 
locations:<\/p>\n<ol>\n<li>C:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe<\/li>\n<li>C:\\ProgramData\\ManagerApp\\15b937.cab<\/li>\n<li>C:\\ProgramData\\ManagerApp\\install.cab<\/li>\n<li>C:\\ProgramData\\ManagerApp\\msvcr90.dll<\/li>\n<li>C:\\ProgramData\\ManagerApp\\d3d9.dll<\/li>\n<\/ol>\n<p>The \u201cAdapterTroubleshooter.exe\u201d file is a legitimate binary that is leveraged for the well-known DLL search order hijacking technique. The \u201cd3d9.dll\u201d file is malicious and is loaded into memory by the legitimate binary upon execution. Once loaded, the DLL injects FinSpy into the Winlogon process.<\/p>\n<div id=\"attachment_4294\" style=\"width: 836px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4294\" class=\"wp-image-4294 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/17173052\/171016-blackoasis-12.png\" alt=\"\" width=\"826\" height=\"202\"><p id=\"caption-attachment-4294\" class=\"wp-caption-text\">Part of the code injected into the Winlogon process<\/p><\/div>\n<p>The payload calls out to three command and control servers for further control and exfiltration. We observed two of them being used previously with other FinSpy payloads. One of these C2 servers was recently used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. 
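<\/p>
<p>The following Python check is an added example, not code from the original post or from any vendor product. It models the host-side pattern described above: a DLL whose name belongs in the Windows system directory (d3d9.dll) resolving from the directory of an executable under a user-writable path such as C:\\ProgramData, and the same process then starting a thread in winlogon.exe. The event records are constructed in the shape of Sysmon image-load (ID 7) and CreateRemoteThread (ID 8) events; the field names, the directory lists and the DLL name list are this example\u2019s assumptions. Paths are written with forward slashes here; PureWindowsPath accepts either separator and compares case-insensitively, so records carrying backslashes from real logs work unchanged.<\/p>

```python
# Added example, not code from the original post. Correlates a DLL
# search-order hijack (system DLL name loaded from the executable's own,
# user-writable directory) with a follow-on remote thread into winlogon.exe.
from pathlib import PureWindowsPath

# Directories a system DLL such as d3d9.dll should resolve from (assumed list).
SYSTEM_DIRS = [PureWindowsPath(p) for p in
               ('C:/Windows/System32', 'C:/Windows/SysWOW64', 'C:/Windows/WinSxS')]
# Roots where an unprivileged user can drop an executable and a DLL side by side.
USER_WRITABLE = [PureWindowsPath(p) for p in ('C:/ProgramData', 'C:/Users', 'C:/Windows/Temp')]
# DLL names that should never load from an application directory. msvcr90.dll is
# deliberately absent: the C runtime legitimately ships beside applications.
SHADOWED_SYSTEM_DLLS = {'d3d9.dll', 'dxgi.dll', 'version.dll', 'winmm.dll', 'wininet.dll'}


def _under(path, roots):
    '''True if path equals one of roots or lies below it (case-insensitive).'''
    return any(path == r or r in path.parents for r in roots)


def sideload_alerts(events):
    '''Flag image loads of a shadowed system DLL name from outside the system
    directories; raise the alert to high when the same process later creates
    a thread in winlogon.exe. Event dicts mimic Sysmon ID 7 (image_load) and
    ID 8 (remote_thread); the field names are this example's own.'''
    alerts, sideloaders = [], set()
    for e in events:
        image = PureWindowsPath(e['image'])
        if e['type'] == 'image_load':
            loaded = PureWindowsPath(e['loaded'])
            if loaded.name.lower() not in SHADOWED_SYSTEM_DLLS or _under(loaded.parent, SYSTEM_DIRS):
                continue
            reasons = ['%s resolved from %s, not a system directory' % (loaded.name, loaded.parent)]
            if loaded.parent == image.parent:
                reasons.append('DLL sits beside the loading executable (search-order hijack layout)')
            if _under(loaded.parent, USER_WRITABLE):
                reasons.append('directory is user-writable')
            sideloaders.add((e['pid'], image))
            alerts.append({'pid': e['pid'], 'image': e['image'], 'severity': 'medium', 'reasons': reasons})
        elif e['type'] == 'remote_thread':
            target = PureWindowsPath(e['target_image']).name.lower()
            if (e['pid'], image) in sideloaders and target == 'winlogon.exe':
                for a in alerts:
                    if a['pid'] == e['pid']:
                        a['severity'] = 'high'
                        a['reasons'].append('process then created a thread in winlogon.exe')
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {'type': 'image_load', 'pid': 612, 'image': 'C:/Windows/System32/winlogon.exe',
     'loaded': 'C:/Windows/System32/d3d9.dll'},
    {'type': 'image_load', 'pid': 4120, 'image': 'C:/ProgramData/ManagerApp/AdapterTroubleshooter.exe',
     'loaded': 'C:/ProgramData/ManagerApp/d3d9.dll'},
    {'type': 'image_load', 'pid': 4120, 'image': 'C:/ProgramData/ManagerApp/AdapterTroubleshooter.exe',
     'loaded': 'C:/ProgramData/ManagerApp/msvcr90.dll'},
    {'type': 'remote_thread', 'pid': 4120, 'image': 'C:/ProgramData/ManagerApp/AdapterTroubleshooter.exe',
     'target_pid': 612, 'target_image': 'C:/Windows/System32/winlogon.exe'},
    {'type': 'image_load', 'pid': 5300, 'image': 'C:/Program Files/Game/game.exe',
     'loaded': 'C:/Program Files/Game/d3d9.dll'},
]

if __name__ == '__main__':
    for alert in sideload_alerts(SAMPLE_EVENTS):
        print(alert['severity'], alert['image'], alert['reasons'])
```

<p>The game.exe record shows the middle ground: a d3d9.dll beside an executable under Program Files is worth a look, but without the user-writable directory and the winlogon thread it stays at medium, while the AdapterTroubleshooter.exe chain collects all four signals and goes to high. Winlogon loading d3d9.dll from System32 produces nothing, which is the false-positive case a name-only rule would trip on.<\/p>
<p>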
These IPs and the earlier samples closely relate the FinSpy activity to the BlackOasis APT cluster.<\/p>\n<h2>Targeting and Victims<\/h2>\n<p>BlackOasis\u2019 interests span a wide range of figures involved in Middle Eastern politics and individuals associated with the region, including prominent figures in the United Nations, opposition bloggers, activists and regional news correspondents. During 2016 we observed a heavy interest in Angola, exemplified by decoy documents indicating targets with suspected ties to oil, money laundering and other illicit activities. There is also a strong interest in international activists and think tanks.<\/p>\n<p>Victims of BlackOasis attacks have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, the United Kingdom and Angola.<\/p>\n<h2>Conclusions<\/h2>\n<p>We believe the attack on HackingTeam in mid-2015 left a gap in the surveillance tools market, which other companies have filled. One of them is Gamma International with its FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as the HackingTeam one. 
Gamma has also had two years to recover from the attack and catch up.<\/p>\n<p>We expect the number of attacks relying on FinFisher software, backed by zero-day exploits such as the ones described here, to continue to grow.<\/p>\n<p>What does this mean for everyone, and how do we defend against attacks of this kind, including zero-day exploits?<\/p>\n<p>For CVE-2017-11292 and similar vulnerabilities, organizations can use the <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/windows_8-update\/flashplayer-updates\/cd258a3f-cd87-4ea9-bdb6-074d06ad491e?auth=1\" target=\"_blank\" rel=\"noopener nofollow\">killbit<\/a> for Flash to disable it in applications that honor the killbit. Unfortunately, doing this system-wide is not easy, since Flash objects can be loaded by applications that may not follow the killbit. It can also break other required resources that rely on Flash, and it does not protect against exploits for third-party software.<br>\nDeploying a multi-layered approach that includes access policies, antivirus, network monitoring and whitelisting helps customers protect against threats of this kind. 
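<\/p>
<p>For the network-monitoring layer, the following Python snippet is an added example (not code from the original post or from any product): it refangs the indicators published at the end of this post (hxxp:\/\/, [.]) and runs them over proxy log lines, matching on the full URL first and then on the destination IP, so that a download from the same server with a path that is not on the list is still caught. The log lines are constructed in a Squid-style access.log layout; the field positions are this example\u2019s assumption about that layout.<\/p>

```python
# Added example, not code from the original post. Refangs published
# indicators and matches them against proxy log lines; the log lines below
# are constructed, with a documentation-range address for the benign site.
import re
from urllib.parse import urlparse

IOCS_DEFANGED = [
    '4a49135d2ecc07085a8b7c5925a36c0a',
    '89.45.67[.]107',
    'hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf',
    'hxxp://89.45.67[.]107/rss/mo.exe',
]

_MD5 = re.compile('^[0-9a-f]{32}$')
_IPV4 = re.compile('^([0-9]{1,3}[.]){3}[0-9]{1,3}$')


def refang(ioc):
    '''Undo the usual defanging conventions (hxxp, [.], (.), {.}, [:]).'''
    s = ioc.strip()
    if s.lower().startswith('hxxp'):
        s = 'http' + s[4:]
    for token in ('[.]', '(.)', '{.}'):
        s = s.replace(token, '.')
    return s.replace('[:]', ':')


def classify(iocs):
    '''Bucket refanged indicators by kind; comparisons are done in lower case.'''
    out = {'md5': set(), 'ip': set(), 'url': set(), 'host': set()}
    for raw in iocs:
        s = refang(raw).lower()
        if _MD5.match(s):
            out['md5'].add(s)
        elif _IPV4.match(s):
            out['ip'].add(s)
        elif '://' in s:
            out['url'].add(s)
            out['host'].add(urlparse(s).hostname)
        else:
            out['host'].add(s)
    return out


def match_proxy_log(lines, iocs):
    '''Return (line_no, kind, indicator, client_ip) per matching line. Fields
    follow Squid's native access.log: ts elapsed client code/status bytes
    method url user hierarchy/peer type. The most specific match wins.'''
    c = classify(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()
        if len(f) < 9:
            continue                                  # malformed line: skip, never crash
        client, url, peer = f[2], f[6].lower(), f[8]
        host = urlparse(url).hostname or ''
        dest_ip = peer.split('/', 1)[1] if '/' in peer else ''
        if url in c['url']:
            hits.append((n, 'url', url, client))
        elif host in c['ip'] or dest_ip in c['ip']:
            hits.append((n, 'ip', host if host in c['ip'] else dest_ip, client))
        elif host in c['host']:
            hits.append((n, 'host', host, client))
    return hits


SAMPLE_LOG = [  # constructed lines
    '1508245501.123    312 10.0.0.21 TCP_MISS/200 1843 GET http://89.45.67.107/rss/5uzosoff0u.iaf - HIER_DIRECT/89.45.67.107 application/octet-stream',
    '1508245503.877   1210 10.0.0.21 TCP_MISS/200 911244 GET http://89.45.67.107/rss/mo.exe - HIER_DIRECT/89.45.67.107 application/x-msdownload',
    '1508245504.410     80 10.0.0.21 TCP_MISS/200 30211 GET http://89.45.67.107/rss/unknown.bin - HIER_DIRECT/89.45.67.107 application/octet-stream',
    '1508245510.002     45 10.0.0.33 TCP_MISS/200 5123 GET http://news.example/index.html - HIER_DIRECT/198.51.100.7 text/html',
    'truncated line',
]

if __name__ == '__main__':
    for hit in match_proxy_log(SAMPLE_LOG, IOCS_DEFANGED):
        print(hit)
```

<p>The third line has a path that is not among the published URLs, yet the destination IP still matches, which is the reason to keep the IP indicator separate from the URLs rather than folding it in. The MD5 bucket is not consulted here because a proxy log carries no file hashes; it is kept so the same classifier can feed an endpoint hash check.<\/p>
<p>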
Users of Kaspersky products are protected against this threat by one of the following detections:<\/p>\n<ul>\n<li>PDM:Exploit.Win32.Generic<\/li>\n<li>HEUR:Exploit.SWF.Generic<\/li>\n<li>HEUR:Exploit.MSOffice.Generic<\/li>\n<\/ul>\n<h2>Acknowledgements<\/h2>\n<p>We would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.<\/p>\n<h2>References<\/h2>\n<p>1. Adobe Security Bulletin <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb17-32.html\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb17-32.html<\/a><\/p>\n<h2>Indicators of Compromise<\/h2>\n<p>4a49135d2ecc07085a8b7c5925a36c0a<br>\n89.45.67[.]107<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 10, 2017, Kaspersky Lab&#8217;s advanced exploit prevention systems identified a new Adobe Flash zero-day exploit being used in the wild against our customers. The exploit was delivered through a Microsoft Office document, and the final payload was the latest version of the FinSpy malware. 
We reported the bug to Adobe, which assigned it CVE-2017-11292 and released a patch yesterday morning:<\/p>\n","protected":false},"author":312,"featured_media":4296,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1287,1351],"tags":[389,493,1394,1393,727,1392],"class_list":{"0":"post-4281","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-adobe","10":"tag-apt","11":"tag-blackoasis","12":"tag-microsoft-word","13":"tag-sifirinci-gun","14":"tag-zero-day"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit\/4281\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=4281"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4281\/revisions"}],"predecessor-version":[{"id":4298,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4281\/revisions\/4298"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/4296"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=4281"}],"wp:term":[{"taxonomy":"category","embeddable":true
,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=4281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=4281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}