{"id":8652,"date":"2020-08-06T12:07:09","date_gmt":"2020-08-06T09:07:09","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=8652"},"modified":"2020-08-06T12:07:09","modified_gmt":"2020-08-06T09:07:09","slug":"lazarus-vhd-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/lazarus-vhd-ransomware\/8652\/",
"title":{"rendered":"Lazarus experiments with new ransomware"},
"content":{"rendered":"<p>The Lazarus group is known for using methods typical of APT attacks while specializing in financial cybercrime. Recently, our experts detected a new, previously unknown piece of malware called VHD that Lazarus has been experimenting with.<\/p>\n<p>Functionally, VHD is a fairly standard piece of ransomware. It crawls the drives connected to the victim's computer, encrypts files and deletes all System Volume Information folders, thereby sabotaging System Restore attempts in Windows. Furthermore, it can suspend processes that could protect important files from modification (such as Microsoft Exchange or SQL Server).<\/p>\n<p>What is really interesting, however, is how VHD reaches target computers, because its delivery mechanism has more in common with APT attacks. Our experts recently investigated several VHD incidents and analyzed the attackers' actions in each one.<\/p>\n<h2>Lateral movement across the victim's network<\/h2>\n<p>In the first case, what caught our experts' attention was the malicious code that spread VHD across the target network. The ransomware turned out to carry the IP addresses of the victim's computers along with credentials for accounts with administrator rights, and it used this data for brute-force attacks on the SMB service. If the malware managed to connect to a network share on another computer over SMB, it copied itself there and executed, encrypting that machine as well.<\/p>\n<p>Such behavior is not typical of mass-distributed ransomware. It suggests at least preliminary reconnaissance of the victim's infrastructure, which is more characteristic of APT campaigns.<\/p>\n<h2>Infection chain<\/h2>\n<p>When our Global Emergency Response Team encountered this ransomware again during an investigation, this time it was able to trace the entire infection chain. According to our team, the cybercriminals:<\/p>\n<ol>\n<li>Gained access to the victims' systems by exploiting a vulnerable VPN gateway;<\/li>\n<li>Obtained administrator rights on the compromised machines;<\/li>\n<li>Installed a backdoor;<\/li>\n<li>Took control of the Active Directory server;<\/li>\n<li>Infected all computers on the network with the VHD ransomware, using a loader written specifically for the task.<\/li>\n<\/ol>\n<p>Detailed analysis of the tools used showed that the backdoor is <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/mata-framework\/8655\/\" target=\"_blank\" rel=\"noopener\">part of the multiplatform MATA framework<\/a> (which some of our colleagues call Dacls). We concluded that this is another Lazarus tool.<\/p>\n<p>You can find a detailed technical analysis of these tools, together with indicators of compromise, in <a href=\"https:\/\/securelist.com\/lazarus-on-the-hunt-for-big-game\/97757\/\" target=\"_blank\" rel=\"noopener\">a related article on our Securelist blog<\/a>.<\/p>\n<h2>How to protect your company<\/h2>\n<p>The actors behind the VHD ransomware are quite successful at infecting corporate computers with an encryptor. This malware is not generally found on hacker forums; instead, it was developed specifically for targeted attacks. The techniques used to penetrate the victim's infrastructure and spread across the network are reminiscent of sophisticated APT attacks.<\/p>\n<p>The gradual blurring of the boundary between financial cybercrime tools and APT attacks shows that even small companies should consider using more advanced security technologies. With this in mind, we recently introduced an integrated solution with both Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) functionality. You can learn more about the solution on <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security\/endpoint-security-solution?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">its dedicated page<\/a>.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>The Lazarus cybercrime group uses traditional APT techniques to spread the VHD ransomware.<\/p>\n","protected":false},
"author":700,"featured_media":8653,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[2022,618,1454],
"maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/fidye-yazilim\/","name":"ransomware"}}