The Mask: Unmasking the World's Most Sophisticated APT Attack

Published: 2014-02-12 (Kaspersky Daily, Turkish edition)
Source: https://www.kaspersky.com.tr/blog/maske-dunyanin-en-sofistike-apt-saldirisini-ortaya-cikarmak/911/
Tags: advanced persistent threat, cybercriminals

The attacks Kaspersky researchers describe as the most advanced persistent threat (APT, https://www.kaspersky.com/blog/all-you-need-to-know-about-apts/) they have ever seen were run for more than five years by a hacking group backed by an unknown state, and targeted government agencies, embassies, diplomatic offices and energy companies.

The campaign was unveiled yesterday under the name "Careto" at the company's Security Analyst Summit in the Dominican Republic. "Careto" means "ugly face" or "mask" in Spanish; Spanish speakers apparently disagree on which.

The reason these attacks are worrying is plain: there are highly skilled attackers out there who keep refining their ability to infect chosen targets, spy on them and steal their data. Just as worrying is that The Mask had been quietly stealing sensitive data since 2007 without appearing on anyone's radar. Costin Raiu, director of Kaspersky's Global Research and Analysis Team, explained that had the attackers not tried to exploit an already patched vulnerability in an older version of a Kaspersky product, the researchers might never have found the campaign at all.

"Trying to exploit vulnerabilities in Kaspersky products was never going to be a smart move," Raiu said in his presentation on The Mask.

Highly sophisticated APT attacks of this kind generally aim to take over the machines of people who work in places such as government agencies and energy companies and who have access to very specific networks. In other words, the attackers are not interested in the rest of us, who make up the vast majority. The reassuring part is that whoever is behind these attacks shut them down within hours of Kaspersky's Global Research and Analysis Team publishing a preview of its findings on this APT.

In the course of their investigation, Kaspersky researchers identified roughly 90 command-and-control domain names used in the attacks. Raiu said that within four hours of the write-up being published, The Mask's operators shut everything down. To take over command-and-control infrastructure, researchers use a technique called sinkholing: they gain control of the domains the botnet or malware reports to and redirect that traffic away from the attackers' servers to ones they control, so the infected machines reveal themselves instead of receiving commands.

According to Raiu, the attackers could, if they wanted, revive the infrastructure and restart the operation without much effort.

There are many more reasons these attacks are noteworthy (https://threatpost.com/new-mask-apt-campaign-called-most-sophisticated-yet/104148). One is that, while attacks of this kind usually originate in China, no connection to China has been observed here. Another interesting point is that those running the campaign are most likely native Spanish speakers. That is unusual, but not all that surprising: Spanish is spoken by around 400 million people worldwide, second only to Mandarin. The Mask's targets are mainly Spanish speakers living in more than 30 countries.

Beyond that, the group appears to have at least one zero-day exploit, along with Mask malware targeting Mac OS X, Linux and even iOS and Android devices. According to Raiu, the device of at least one victim in Morocco was communicating with the command-and-control server over a mobile 3G network.

"These attackers are more knowledgeable than the Flame APT group when it comes to managing their infrastructure. In speed and professionalism they are ahead of Flame and of anything else we have seen before," Raiu said.

For reference, Flame (https://threatpost.com/flame-one-year-later/100782) was another APT campaign uncovered by Kaspersky researchers in 2012. It targeted countries in the Middle East and had very advanced capabilities for forging digital certificates (https://www.kaspersky.com/blog/digital-certificates-httpss/) that appeared to have been issued by Microsoft.

As in many such cases, those behind The Mask used spear-phishing (https://www.kaspersky.com/blog/kis-shines-in-independent-anti-phishing-testing/) emails to lure victims to malicious websites where the exploitation took place. These sites host a number of exploits and are reachable only through the direct links the attackers send to their victims; a visitor without such a link sees nothing.

According to Raiu, the attackers have at their disposal a wide range of tools built to keep their malware persistent on victims' machines, to intercept TCP and UDP traffic (the two transport protocols used for communication over the Internet) in real time, and to keep the compromised machine invisible. All communication between victims' machines and the command-and-control servers is encrypted.
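The sinkholing paragraph above describes the technique only in outline. The block below is an added example, not code from the article or from Kaspersky, that models the two halves of a DNS sinkhole: the resolver policy that answers lookups of seized command-and-control names with a researcher-controlled address, and the victim enumeration that turns the resulting query log into a list of infected hosts per domain. The domains, the sinkhole address and the log lines are all constructed for illustration; none of them are Careto indicators. The four-column log format is likewise an assumption of the example.

```python
"""Toy DNS sinkhole (added example, not the article's own code).

A sinkhole operator who controls a malware family's C2 domain names answers
lookups for those names with an address they control. Infected hosts then
check in with the researchers instead of the operators, and every check-in
reveals a victim. Domains, sinkhole address and log lines are constructed
for this example; they are not Careto indicators.
"""
import ipaddress
from collections import defaultdict

# Researcher-controlled address returned in place of the real C2.
# 192.0.2.0/24 is a documentation range, so nothing real is ever reached.
SINKHOLE_IP = "192.0.2.10"

# Hypothetical seized C2 domains (constructed for the example).
SEIZED_C2 = frozenset({"update-cdn.example.net", "stats.example.org"})


def normalize(qname: str) -> str:
    """Canonicalise a DNS name: strip the trailing dot, lower-case it."""
    return qname.rstrip(".").lower()


def match_seized(qname: str, seized=SEIZED_C2):
    """Return the seized base domain that qname equals or falls under, else None.

    Implants often prepend per-bot or per-campaign labels to the C2 domain,
    so the match walks up the label hierarchy instead of comparing exactly.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in seized:
            return candidate
    return None


def answer(qname: str, seized=SEIZED_C2, sinkhole_ip=SINKHOLE_IP):
    """Resolver policy: sinkhole address for seized names, None (pass-through) otherwise."""
    return sinkhole_ip if match_seized(qname, seized) else None


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname, qtype) from 'ts client qname qtype' lines.

    The four-column format is an assumption of this example. Comments, blank
    lines, malformed rows and rows with an unparsable client address are
    skipped rather than raising: a sinkhole log is attacker-influenced input.
    """
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue
        yield ts, client, normalize(qname), qtype.upper()


def enumerate_victims(lines, seized=SEIZED_C2):
    """Map each seized C2 domain to the set of client addresses that looked it up.

    Only queries the sinkhole would have answered are counted; a lookup of a
    parent domain the attackers never used (example.net below) is ignored.
    """
    victims = defaultdict(set)
    for _ts, client, qname, _qtype in parse_query_log(lines):
        base = match_seized(qname, seized)
        if base is not None:
            victims[base].add(client)
    return dict(victims)


# Constructed query-log sample, as a sinkhole's resolver might record it.
SAMPLE_LOG = """\
# timestamp client qname qtype   (constructed sample)
2014-02-11T10:00:01Z 198.51.100.7 update-cdn.example.net. A
2014-02-11T10:00:05Z 198.51.100.7 www.kaspersky.com. A
2014-02-11T10:02:13Z 203.0.113.42 api.stats.example.org A
2014-02-11T10:03:00Z 203.0.113.42 stats.example.org AAAA
2014-02-11T10:04:44Z not-an-ip update-cdn.example.net A
2014-02-11T10:05:00Z 198.51.100.9 example.net A
""".splitlines()


if __name__ == "__main__":
    for base, hosts in sorted(enumerate_victims(SAMPLE_LOG).items()):
        print(f"{base}: {len(hosts)} infected host(s): {', '.join(sorted(hosts))}")
```

Two design points matter in practice. The sinkhole only observes: it answers the lookup and records who asked, and must never send anything that could be interpreted as a command, since the operator would then be controlling the victims' machines. And, as Raiu notes above, sinkholing does not end a campaign; the operators can register new names or switch transports, so the output is a victim list for notification, not a takedown.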