{"id":8032,"date":"2020-04-03T12:48:40","date_gmt":"2020-04-03T09:48:40","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=8032"},"modified":"2020-04-03T12:48:40","modified_gmt":"2020-04-03T09:48:40","slug":"holy-water-apt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/holy-water-apt\/8032\/","title":{"rendered":"Dangerous Holy Water"},"content":{"rendered":"<p>At the end of 2019, our experts uncovered a targeted attack that used the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/watering-hole\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">watering hole technique<\/a>. Without resorting to any sophisticated tricks or exploiting any vulnerability, the attackers infected user devices in Asia over a period of at least eight months. Based on the subject matter of the websites used to spread the malware, the attack was named, yes, Holy Water. This is the second attack using such tactics that we have discovered within a few months. 
(for our researchers\u2019 other findings, <a href=\"https:\/\/www.kaspersky.com\/blog\/lightspy-watering-hole-attack\/34501\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">see here<\/a>)<\/p>\n<h2>How did Holy Water infect users\u2019 devices?<\/h2>\n<p>It appears that the attackers compromised a server hosting web pages belonging to religious figures, public bodies and charities. The cybercriminals embedded malicious scripts in the code of these pages, and those scripts were then used to carry out the attacks.<\/p>\n<p>When users visited an infected page, the scripts used entirely legitimate tools to collect data about the visitors and forward it to a third-party server for validation. We do not know how the victims were selected. However, we believe that if the target looked promising based on the information the cybercriminals received about the visitor, the server sent a command to continue the attack.<\/p>\n<p>The next step involved a small trick that has been in use for more than a decade: the user was asked to update Adobe Flash Player, which was said to be outdated and a security risk. 
If the target agreed to the update, the Godlike12 backdoor was downloaded and installed on the computer instead of the promised update.<\/p>\n<h2>The Godlike12 danger<\/h2>\n<p>The attacker actively used legitimate services both to profile victims and to store the malicious code (the backdoor was on GitHub). The backdoor communicated with its C&amp;C servers through Google Drive.<\/p>\n<p>The backdoor placed an identifier in Google Drive storage and regularly checked it for commands from the attackers. The results of executing those commands were uploaded there as well. According to our experts, the purpose of the attack was reconnaissance and gathering information from infected devices.<\/p>\n<p>If you are interested in the technical details and the tools used, see <a href=\"https:\/\/securelist.com\/holy-water-ongoing-targeted-water-holing-attack-in-asia\/96311\/\" target=\"_blank\" rel=\"noopener\">Securelist\u2019s post about Holy Water<\/a>, which also lists the indicators of compromise.<\/p>\n<h2>How to protect against Holy Water<\/h2>\n<p>So far we have seen Holy Water only in Asia. However, the tools used in the campaign are quite simple and can easily be deployed elsewhere. We therefore recommend that all users take these recommendations seriously, regardless of their location.<\/p>\n<p>We cannot say whether the attack was directed at specific individuals or organizations. 
But one thing is certain: anyone can visit the infected sites, from both home and work devices. Our advice is therefore to protect every device that has Internet access. We offer security solutions for both <a href=\"http:\/\/kas.pr\/kdksctr\" target=\"_blank\" rel=\"noopener\">personal<\/a> and <a href=\"https:\/\/kas.pr\/kdkesbtr\" target=\"_blank\" rel=\"noopener\">corporate<\/a> computers. Our products detect and block all the tools and techniques used by the creators of Holy Water.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-b2b\">\n","protected":false},"excerpt":{"rendered":"<p>Attackers are using an Adobe Flash Player update as a backdoor into users\u2019 computers.<\/p>\n","protected":false},"author":700,"featured_media":8033,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[493,615,2167],"class_list":{"0":"post-8032","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-apt","10":"tag-hedefli-saldiri","11":"tag-su-kaynagi"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/holy-water-apt\/8032\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/holy-water-apt\/19986\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/holy-water-apt\/16266\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/holy-water-apt\/21323\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/holy-water-apt\/19567\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/holy-water-apt\/18311\/"},{"hreflang":"es","url":"http
s:\/\/www.kaspersky.es\/blog\/holy-water-apt\/22296\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/holy-water-apt\/21203\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/holy-water-apt\/27912\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/holy-water-apt\/34552\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/holy-water-apt\/14564\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/holy-water-apt\/14665\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/holy-water-apt\/13254\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/holy-water-apt\/23551\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/holy-water-apt\/25238\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/holy-water-apt\/21959\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/holy-water-apt\/27182\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/holy-water-apt\/27020\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=8032"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8032\/revisions"}],"predecessor-version":[{"id":8035,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8032\/revisions\/8035"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/8033"}],"
wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=8032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=8032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=8032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}