{"id":9728,"date":"2021-06-10T18:04:46","date_gmt":"2021-06-10T15:04:46","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=9728"},"modified":"2021-06-10T18:04:46","modified_gmt":"2021-06-10T15:04:46","slug":"chrome-windows-zero-day","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/chrome-windows-zero-day\/9728\/","title":{"rendered":"PuzzleMaker: Targeted attacks on several different companies"},"content":{"rendered":"<p>The behavioral threat detection and exploit prevention technologies included in <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Endpoint Security for Business<\/a> identified a wave of highly targeted attacks against several companies. These attacks used a chain of zero-day exploits for vulnerabilities in the Google Chrome browser and Microsoft Windows. Patches for these vulnerabilities have since been released (the last of them with the updates Microsoft published on June 8), so we recommend updating both your browser and your operating system. 
The threat actor behind these attacks is called PuzzleMaker.<\/p>\n<h2>What makes PuzzleMaker attacks so dangerous?<\/h2>\n<p>The attackers use Google Chrome vulnerabilities to execute malicious code on the target machine, then exploit two Windows 10 vulnerabilities to <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/sandbox-escape\/\" target=\"_blank\" rel=\"noopener\">escape the \u201csandbox\u201d<\/a> and gain access to the system. They then load the first malware module, which can be thought of as a stager, onto the victim\u2019s machine, along with customized configuration blocks (such as the command-and-control server address, a session ID, and the decryption keys needed for the next module).<\/p>\n<p>This stager notifies the attackers that the attack has succeeded, then downloads and decrypts a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/trojan-droppers\/\" target=\"_blank\" rel=\"noopener\">dropper<\/a> module. The dropper installs two executables that pass themselves off as legitimate. The first, WmiPrvMon.exe, is registered as a service and runs the second, wmimon.dll. 
This second executable presents itself as a remote shell and in fact serves as the attack\u2019s main <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/payload\/\" target=\"_blank\" rel=\"noopener\">\u201cpayload\u201d<\/a>.<\/p>\n<p>Using this shell, the attackers take full control of the target machine. They can download and upload files, create processes, sleep for a set period, and even wipe all traces of the attack from the machine. This malware component communicates with the command server over an encrypted connection.<\/p>\n<h2>Which exploits and which vulnerabilities are these?<\/h2>\n<p>Unfortunately, our experts were unable to analyze the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/remote-code-execution-rce\/\" target=\"_blank\" rel=\"noopener\">remote code execution exploit<\/a> that PuzzleMaker used to attack Google Chrome, but they did conduct a detailed investigation and concluded that the attackers most likely exploited the <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-21224\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2021-21224<\/a> vulnerability. If you are curious how and why they reached that conclusion, we recommend reading what they wrote in this <a href=\"https:\/\/securelist.com\/puzzlemaker-chrome-zero-day-exploit-chain\/102771\/\" target=\"_blank\" rel=\"noopener\">Securelist post<\/a>. 
In any case, Google released a patch for this vulnerability on April 20, 2021, less than a week after we noticed the wave of attacks.<\/p>\n<p>The privilege escalation exploit uses two Windows 10 vulnerabilities together. The first, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-31955\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2021-31955<\/a>, is an information disclosure vulnerability in ntoskrnl.exe. The exploit used it to find the kernel address of the EPROCESS structure of running processes. The second, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-31956\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2021-31956<\/a>, is in the ntfs.sys driver and belongs to the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/heap-overflow-attack\/\" target=\"_blank\" rel=\"noopener\">heap overflow<\/a> class of vulnerabilities. The attackers used it together with the Windows Notification Facility to read data from memory and write new data into it. This exploit works on the most common Windows 10 builds: 17763 (Redstone 5), 18362 (19H1), 18363 (19H2), 19041 (20H1), and 19042 (20H2). 
Build 19043 (21H1) is also vulnerable, but our technology has not yet detected an attack on this version, which was released after we detected PuzzleMaker. Securelist has published <a href=\"https:\/\/securelist.com\/puzzlemaker-chrome-zero-day-exploit-chain\/102771\/\" target=\"_blank\" rel=\"noopener\">a post with detailed technical explanations<\/a> and a list of indicators of compromise.<\/p>\n<h2>Protection against these and similar attacks<\/h2>\n<p>To protect your corporate environment against the exploits used in the PuzzleMaker attack, first update Chrome, then install the operating system patches released for the CVE-2021-31955 and CVE-2021-31956 vulnerabilities (use <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-31955\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft\u2019s<\/a> <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-31956\" target=\"_blank\" rel=\"noopener nofollow\">website<\/a>).<\/p>\n<p>That said, to reduce the risk from other zero-day vulnerabilities, every kind of company needs cybersecurity products that can detect exploitation attempts like these by analyzing suspicious behavior. 
Our products, for example, detected this attack using the Exploit Prevention subsystem and the Behavior Detection Engine technology included in <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Endpoint Security for Business<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our technology detected targeted attacks that used a set of zero-day exploits.<\/p>\n","protected":false},"author":700,"featured_media":9729,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[2429,16,790,2430],"class_list":{"0":"post-9728","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-aciklardan-yararlanan-yazilimlar","10":"tag-chrome","11":"tag-guvenlik-aciklari","12":"tag-windows-ana-etiket-guvenlik-aciklari"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/chrome-windows-zero-day\/9728\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/chrome-windows-zero-day\/22945\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/chrome-windows-zero-day\/18438\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/chrome-windows-zero-day\/24889\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/chrome-windows-zero-day\/22882\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/chrome-windows-zero-day\/22099\/"},{"hreflan
g":"es","url":"https:\/\/www.kaspersky.es\/blog\/chrome-windows-zero-day\/25457\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/chrome-windows-zero-day\/24893\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/chrome-windows-zero-day\/30891\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/chrome-windows-zero-day\/40191\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/chrome-windows-zero-day\/17104\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/chrome-windows-zero-day\/17609\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/chrome-windows-zero-day\/14905\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/chrome-windows-zero-day\/26918\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/chrome-windows-zero-day\/27149\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/chrome-windows-zero-day\/24006\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/chrome-windows-zero-day\/29322\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/chrome-windows-zero-day\/29126\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/guvenlik-aciklari\/","name":"g\u00fcvenlik 
a\u00e7\u0131klar\u0131"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/9728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=9728"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/9728\/revisions"}],"predecessor-version":[{"id":9731,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/9728\/revisions\/9731"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/9729"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=9728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=9728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=9728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}