<h1>How can you protect yourself against Zerologon and similar vulnerabilities?</h1>
<p>Kaspersky Daily (Turkish edition), 24 March 2021. Source: <a href="https://www.kaspersky.com.tr/blog/zerologon-threat-mdr/9440/">https://www.kaspersky.com.tr/blog/zerologon-threat-mdr/9440/</a></p>
<p>To defend your corporate infrastructure against all threats, you need to do much more than protect workstations.</p>
<p>The US Cybersecurity and Infrastructure Security Agency (CISA), which only rarely issues directives about specific vulnerabilities, last September instructed government agencies that use Microsoft Windows Active Directory on their networks to patch all of their domain controllers as soon as possible. The reason was CVE-2020-1472, a vulnerability in the Netlogon protocol also known as Zerologon.</p>
<h2>A danger of magnitude 10.0</h2>
<p>The source of the <a href="https://www.kaspersky.com.tr/blog/cve-2020-1472-domain-controller-vulnerability/8828/" target="_blank" rel="noopener">Zerologon vulnerability</a> is an unreliable encryption algorithm in the Netlogon authentication mechanism. The vulnerability allows attackers who connect to the corporate network, or who gain access to a computer on it, to attack a domain controller and ultimately take control of it.</p>
<p>On the CVSSv3 scale the vulnerability scores 10.0, the highest possible value. Although Microsoft released a patch for it in August, what drew widespread attention to Zerologon, and to how it could be exploited, was an in-depth study by the Dutch cybersecurity firm Secura. Within hours of that study's publication, researchers began releasing their own <a href="https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/" target="_blank" rel="noopener">proofs of concept (PoC)</a>. In just a few days, at least four open-source code samples showing how the vulnerability could actually be exploited appeared on GitHub.</p>
<h2>Zerologon in real attacks</h2>
<p>Of course, these publicly released PoCs caught the attention not only of information security experts but also of cybercriminals: all they had to do now was cut the code and paste it into their malware. For example, according to <a href="https://twitter.com/MsftSecIntel/status/1313598440719355904" target="_blank" rel="noopener nofollow">Microsoft's notice</a> in early October, the TA505 group attempted to exploit Zerologon. To exploit the vulnerability, the cybercriminals disguised their malware as a software update and compiled attack tools on the computers they had gained access to.</p>
<p>Another group, the one behind the Ryuk ransomware, used Zerologon to infect a company's entire local network <a href="https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/" target="_blank" rel="noopener nofollow">in just five hours</a>. The group sent a standard phishing e-mail to one of the company's employees and waited for it to be clicked and for the computer to become infected. It then used Zerologon to move laterally through the network and distributed a ransomware executable to all servers and workstations.</p>
<h2>Why is Zerologon dangerous?</h2>
<p>It may seem that exploiting Zerologon requires attacking a domain controller from inside the local network. In reality, however, cybercriminals have long been able to clear that hurdle by using various methods to take over a computer on the network. These methods include phishing attacks, supply-chain attacks, and even the use of unattended network ports in office areas set aside for visitors. Another threat comes from remote connections (which nearly every company uses these days), especially if employees can connect to corporate resources from their own devices.</p>
<p>The fundamental problem with Zerologon (and, hypothetically, with other vulnerabilities like it) is that its exploitation looks like a standard data exchange between a computer on the network and a domain controller; the only thing that might raise suspicion is the unusual intensity of that exchange. As a result, companies that rely solely on endpoint security solutions have a fairly low chance of detecting such attacks.</p>
<p>The best way to deal with such anomalies is to leave the task to dedicated services such as Kaspersky Managed Detection and Response (MDR). Kaspersky Managed Detection and Response (MDR) is an external security center with in-depth knowledge of the tactics cybercriminals use, which provides the customer with detailed, practical recommendations.</p>
<p>The solution comes in two tiers: MDR Optimum and MDR Expert. Immediately after detailed information about Zerologon was published, the experts at Kaspersky's security operations center began monitoring the MDR service for attempts to exploit the vulnerability and made sure that both versions of Kaspersky Managed Detection and Response can counter this threat.</p>
<p>Kaspersky Managed Detection and Response is part of <a href="https://go.kaspersky.com/optimum" target="_blank" rel="noopener nofollow">Kaspersky Optimum Security</a>. You can learn more about the solution on the <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener nofollow">Kaspersky MDR</a> page.</p>