{"id":6113,"date":"2019-07-08T10:56:50","date_gmt":"2019-07-08T07:56:50","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=6113"},"modified":"2019-11-15T14:27:19","modified_gmt":"2019-11-15T11:27:19","slug":"sodin-msp-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/sodin-msp-ransomware\/6113\/","title":{"rendered":"Sodin ransomware gets in through MSPs"},"content":{"rendered":"<p>When we <a href=\"https:\/\/www.kaspersky.com\/blog\/msp-as-a-threat-vector\/26209\/\" target=\"_blank\" rel=\"noopener nofollow\">wrote<\/a> at the end of March about the GandCrab ransomware attack on the customers of a Managed Service Provider (MSP), we said it could not be an isolated incident. Managed Service Providers (MSPs) are targets too attractive for cybercriminals to ignore.<\/p>\n<p>It appears we were right. In April, a ransomware strain called Sodin caught the attention of our experts. This ransomware stood out from the rest because, besides exploiting gaps in MSP security systems, it also abused vulnerabilities in the Oracle WebLogic platform. 
Moreover, while ransomware usually needs the user to take part (for example, the victim has to open a file attached to a phishing email), this time the user did not have to do anything at all.<\/p>\n<p>You can read the technical details of this ransomware in <a href=\"https:\/\/securelist.com\/sodin-ransomware\/91473\/\" target=\"_blank\" rel=\"noopener\">this Securelist post<\/a>. In our view, the most interesting aspect of this malware is how it spreads.<\/p>\n<h2>How Sodin spreads<\/h2>\n<p>To distribute the malware through WebLogic, the attackers used the CVE-2019-2725 vulnerability to issue a PowerShell command on a vulnerable Oracle <a href=\"https:\/\/threatpost.com\/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw\/144233\/\" target=\"_blank\" rel=\"noopener nofollow\">WebLogic<\/a> server. This let them upload a dropper (file loader) to the server, and the dropper then installed the Sodin ransomware. Patches for this bug had been released in April, but at the end of June a similar vulnerability was discovered: CVE-2019-2729.<\/p>\n<p>In the attacks that go through MSPs, Sodin gets onto users' machines in different ways. Users of at least three providers have already fallen victim to this Trojan. 
According to a report on <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/attackers-exploit-msps-tools-to-distribute-ransomware\/d\/d-id\/1335025\" target=\"_blank\" rel=\"noopener nofollow\">DarkReading<\/a>, in some cases the attackers used the Webroot and Kaseya remote-access consoles to distribute the Trojan. In the remaining cases, as described on <a href=\"https:\/\/www.reddit.com\/r\/msp\/comments\/c2wls0\/kaseya_weaponized_to_deliver_sodinokibi_ransomware\/\" target=\"_blank\" rel=\"noopener nofollow\">Reddit<\/a>, the attackers got into the MSP infrastructure over an RDP connection, removed privileged permissions, disabled security solutions and backups, and then downloaded the ransomware onto customers' computers.<\/p>\n<h2>What service providers should do<\/h2>\n<p>First of all, take the storage of remote-access passwords seriously and use two-factor authentication wherever possible. Both the Kaseya and the Webroot remote-access consoles support two-factor authentication. What's more, after the incident the developers began making two-factor authentication mandatory. As you can see, the attackers spreading Sodin did not miss a single opportunity they found; they looked for various ways to distribute malware through MSP providers. 
That is why it is important to examine carefully all the other tools used in this area as well. As we always say, RDP access should be used only as a last resort.<\/p>\n<p>MSPs, and especially those offering cybersecurity services, should treat protecting their own infrastructure as even more important than protecting their customers' infrastructure. <a href=\"https:\/\/www.kaspersky.com.tr\/partners\/managed-service-provider\" target=\"_blank\" rel=\"noopener\">Kaspersky recommends the following for MSPs to protect themselves and their customers<\/a>.<\/p>\n<h2>What other companies should do<\/h2>\n<p>Of course, updating software remains one of the most important tasks. Letting malware into your infrastructure through a vulnerability that was discovered and closed months ago is a truly embarrassing example of a mistake made with eyes wide open.<\/p>\n<p>Companies using Oracle WebLogic should first review the Oracle Security Alert advisories published for both vulnerabilities (<a href=\"https:\/\/www.oracle.com\/technetwork\/security-advisory\/alert-cve-2019-2725-5466295.html\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2019-2725<\/a> and <a href=\"https:\/\/www.oracle.com\/technetwork\/security-advisory\/alert-cve-2019-2729-5570780.html\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2019-2729<\/a>).<\/p>\n<p>It would also be wise to use <a 
href=\"https:\/\/go.kaspersky.com\/TR_Trial_Advanced_SOC.html?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=tr_kesbkb_ey0081_organic&amp;utm_content=link&amp;utm_term=tr_kdaily_organic_ey0081_link_blog_kesbkb\" target=\"_blank\" rel=\"noopener nofollow\">reliable security solutions<\/a> with subsystems that can detect ransomware and protect workstations from it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This ransomware exploits vulnerabilities in the infrastructure of managed service providers or in Oracle WebLogic to infect victims' systems and encrypt them.<\/p>\n","protected":false},"author":2506,"featured_media":6114,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1194,1727],"tags":[591,1545],"class_list":{"0":"post-6113","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-fidye-yazilimi","10":"tag-msp"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/sodin-msp-ransomware\/6113\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/sodin-msp-ransomware\/16108\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/sodin-msp-ransomware\/13616\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/sodin-msp-ransomware\/18005\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/sodin-msp-ransomware\/16142\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/sodin-msp-ransomware\/14883\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/sodin-msp-ransomware\/18805\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/sodin-msp-ransomware\/17561\/"},{
"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/sodin-msp-ransomware\/23051\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/sodin-msp-ransomware\/27530\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/sodin-msp-ransomware\/11924\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/sodin-msp-ransomware\/12167\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/sodin-msp-ransomware\/10922\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/sodin-msp-ransomware\/19677\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/sodin-msp-ransomware\/23581\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/sodin-msp-ransomware\/18638\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/sodin-msp-ransomware\/22925\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/sodin-msp-ransomware\/22866\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/fidye-yazilimi\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/6113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2506"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=6113"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/6113\/revisions"}],"predecessor-version":[{"id":6765,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/6113\/revisions\/6765"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/6114"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=6113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=6113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=6113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}