{"id":9489,"date":"2021-04-02T10:47:25","date_gmt":"2021-04-02T07:47:25","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=9489"},"modified":"2021-04-02T10:47:26","modified_gmt":"2021-04-02T07:47:26","slug":"ransomware-in-virtual-environment","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/ransomware-in-virtual-environment\/9489\/","title":{"rendered":"Sanal ortamda fidye yaz\u0131l\u0131m\u0131"},"content":{"rendered":"

Baz\u0131 siber tehdit risklerini \u00f6nemli \u00f6l\u00e7\u00fcde azaltsa da sanalla\u015ft\u0131rma, di\u011fer uygulamalardan \u00e7ok farkl\u0131 olup her derde deva de\u011fil. ZDNet\u2019in<\/a>yak\u0131n zamanda bildirdi\u011fi \u00fczere bir fidye yaz\u0131l\u0131m\u0131 sald\u0131r\u0131s\u0131, \u00f6rne\u011fin VMware ESXi\u2019nin savunmas\u0131z s\u00fcr\u00fcmleri arac\u0131l\u0131\u011f\u0131yla, sanal altyap\u0131y\u0131 vurabilir.<\/p>\n

Sanal makineleri kullanmak g\u00fc\u00e7l\u00fc ve g\u00fcvenli bir uygulamad\u0131r. \u00d6rne\u011fin sanal makinede hassas veri bulunmuyorsa, sanal makine kullanmak k\u00f6t\u00fc bir yaz\u0131l\u0131m\u0131n bula\u015fmas\u0131ndan kaynaklanan zarar\u0131 azaltabilir. Kullan\u0131c\u0131 sanal makinede yanl\u0131\u015fl\u0131kla bir Truva at\u0131n\u0131 etkinle\u015ftirse bile, sanal makinenin yeni bir g\u00f6r\u00fcnt\u00fcs\u00fcn\u00fcn kurulmas\u0131 t\u00fcm k\u00f6t\u00fc niyetli de\u011fi\u015fiklikleri tersine \u00e7evirir.<\/p>\n

Bununla birlikte RansomExx<\/a> fidye yaz\u0131l\u0131m\u0131, sanal sabit s\u00fcr\u00fcc\u00fclere sald\u0131rmak i\u00e7in \u00f6zellikle VMware ESXi\u2019deki g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131 hedef al\u0131r. Darkside grubunun da ayn\u0131 y\u00f6ntemi kulland\u0131\u011f\u0131 bildirildi ve BabukLocker Truva At\u0131\u2019n\u0131n yarat\u0131c\u0131lar\u0131 \u00fcst\u00fc kapal\u0131 bir \u015fekilde<\/a> ESXi\u2019yi \u015fifreleyebileceklerini s\u00f6ylediler.<\/p>\n

G\u00fcvenlik a\u00e7\u0131klar\u0131 nelerdir?<\/h2>\n

VMware ESXi misafir sistem arakatman\u0131 (hypervisor), di\u011fer \u015feylerin yan\u0131 s\u0131ra a\u011f cihazlar\u0131n\u0131 \u00f6n yap\u0131land\u0131rma olmadan alg\u0131layabilen A\u00e7\u0131k SLP (Hizmet Katman\u0131 Protokol\u00fc) arac\u0131l\u0131\u011f\u0131yla birden \u00e7ok sanal makinenin tek bir sunucuda bilgi depolamas\u0131na imkan sa\u011flar. S\u00f6z konusu iki g\u00fcvenlik a\u00e7\u0131\u011f\u0131 eski ve bu sebeple siber su\u00e7lular\u0131n bildi\u011fi CVE-2019-5544<\/a> ve CVE-2020-3992<\/a>\u2018dir. A\u00e7\u0131klardan ilki heap overflow sald\u0131r\u0131lar\u0131n\u0131<\/a> ger\u00e7ekle\u015ftirmek i\u00e7in kullan\u0131l\u0131rken ve ikincisi ise Use-After-Free<\/a> t\u00fcr\u00fcndedir \u2014 yani i\u015flem s\u0131ras\u0131nda dinamik haf\u0131zan\u0131n yanl\u0131\u015f kullan\u0131m\u0131 ile ilgilidir.<\/p>\n

Her iki g\u00fcvenlik a\u00e7\u0131\u011f\u0131 da bir s\u00fcre \u00f6nce kapat\u0131ld\u0131 (ilki 2019\u2019da, ikincisi 2020\u2019de), ancak 2021\u2019de su\u00e7lular yine de bu a\u00e7\u0131klar sayesinde ba\u015far\u0131l\u0131 sald\u0131r\u0131lar ger\u00e7ekle\u015ftiriyor.\u00a0 Her zaman oldu\u011fu gibi bu, baz\u0131 i\u015fletmelerin yaz\u0131l\u0131mlar\u0131n\u0131 g\u00fcncellemedi\u011fi anlam\u0131na geliyor.<\/p>\n

K\u00f6t\u00fc niyetli ki\u015filer ESXi g\u00fcvenlik a\u00e7\u0131klar\u0131ndan nas\u0131l faydalan\u0131r?<\/h2>\n

Sald\u0131rganlar bu g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131 k\u00f6t\u00fc niyetli SLP talepleri olu\u015fturmak ve veri depolamay\u0131 riske atmak i\u00e7in kullanabilir. Bilgiyi \u015fifrelemek i\u00e7in \u00f6ncelikle a\u011fa girmeleri ve orada bir yer edinmeleri gerekir. Bu b\u00fcy\u00fck bir sorun de\u011fildir, hele ki sanal makine bir g\u00fcvenlik \u00e7\u00f6z\u00fcm\u00fc \u00e7al\u0131\u015ft\u0131rm\u0131yorsa.<\/p>\n

Sisteme yerle\u015fmek i\u00e7in RansomExx kullan\u0131c\u0131lar\u0131 \u00f6rne\u011fin Netlogon Uzak Protokol\u00fcndeki Zerologon<\/a> g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131 kullanabilirler. Yani, bir kullan\u0131c\u0131y\u0131 sanal makinede k\u00f6t\u00fc ama\u00e7l\u0131 kod \u00e7al\u0131\u015ft\u0131rmas\u0131 i\u00e7in kand\u0131r\u0131rlar, ard\u0131ndan Active Directory denetleyicisinin kontrol\u00fcn\u00fc ele ge\u00e7irirler ve i\u015fte o zaman depolanan veriyi \u015fifreler ve geride bir fidye notu b\u0131rak\u0131rlar.<\/p>\n

Bu arada Zerologon tek se\u00e7enek de\u011fildir, \u00f6zel hizmetler<\/a> olmadan a\u00e7\u0131ktan yararlan\u0131ld\u0131\u011f\u0131n\u0131 tespit etmek neredeyse imkans\u0131z oldu\u011fu i\u00e7in en tehlikeli se\u00e7eneklerden birisidir.<\/p>\n

MSXI sald\u0131r\u0131lar\u0131na kar\u015f\u0131 nas\u0131l korunabilirsiniz?<\/h2>\n