
Taipei, Taiwan – Cybersecurity firm Acronis has uncovered a targeted attack on Taiwanese drone manufacturers, known as Operation WordDrone. The attack, which exploited vulnerabilities in older versions of Microsoft Word and an ERP software used by the affected companies, has raised concerns about the security of supply chains in the technology sector.

Background on Operation WordDrone

Acronis, a global leader in cyber protection, reported that hackers initiated the Operation WordDrone attack between April and July 2024. The attackers utilized outdated Microsoft Word 2010 software to target Taiwanese drone manufacturers. The attack was carried out through a supply chain compromise, where the hackers exploited a vulnerability in the Digiwin ERP software used by the affected companies.

Attack Methodology

According to Acronis, the hackers modified the Update.exe file in the Digiwin ERP software to replace it with a malicious Word document. This allowed them to gain access to the victim organizations’ systems. The attackers then leveraged the CVE-2024-40521 vulnerability in the ERP software to further propagate the attack.

The Role of Digiwin ERP Software

Digiwin, the developer of the ERP software, has responded to the allegations, stating that their products do not contain the CVE-2024-40521 vulnerability. They also clarified that the reported vulnerability was related to a separate tool called DigiwinSCP, which is a connection tool used by Digiwin to assist enterprises. The company has taken steps to mitigate the risk by closing the original connection service and transitioning to alternative tools.

The Use of Malicious DLLs

The attackers used a malicious DLL named wwlib.dll to download and execute additional malicious code. They also employed the Install.dll component to deploy a specific process as a service on the victim’s computer. This allowed them to maintain persistence on the affected systems.
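A defender-side check for the wwlib.dll activity described above, as an added example that is not from Acronis or the original article: it reads Sysmon image-load (Event ID 7) messages and flags any wwlib.dll that loads from outside an Office install directory or without a valid signature. The trusted paths and the sample events are constructed assumptions.

```python
import ntpath

# Assumption: folders where a genuine Office install keeps wwlib.dll.
TRUSTED_PREFIXES = (r"c:\program files\microsoft office",
                    r"c:\program files (x86)\microsoft office")

# Constructed sample events in Sysmon Event ID 7 "Key: value" form.
EVENTS = [
    r"""Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
ImageLoaded: C:\Program Files\Microsoft Office\Office14\wwlib.dll
Signed: true
SignatureStatus: Valid""",
    r"""Image: C:\ProgramData\Example\WINWORD.EXE
ImageLoaded: C:\ProgramData\Example\wwlib.dll
Signed: false
SignatureStatus: Unavailable""",
    r"""Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
ImageLoaded: C:\Windows\System32\kernel32.dll
Signed: true
SignatureStatus: Valid""",
]

def parse_event(text):
    """Turn 'Key: value' lines into a dict (split on the first colon only)."""
    pairs = (line.partition(":") for line in text.strip().splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def is_trusted_dir(folder):
    # Resolve '..' first so a traversal cannot fake a trusted prefix.
    folder = ntpath.normpath(folder).lower()
    return any(folder == p or folder.startswith(p + "\\") for p in TRUSTED_PREFIXES)

def assess(event):
    """None if the event is not a wwlib.dll load, else a list of findings."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "wwlib.dll":
        return None
    findings = []
    if not is_trusted_dir(ntpath.dirname(loaded)):
        findings.append("loaded from outside an Office directory")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append("no valid signature")
    return findings

def scan(raw_events):
    results = [(e.get("ImageLoaded"), assess(e)) for e in map(parse_event, raw_events)]
    return [(path, found) for path, found in results if found]

if __name__ == "__main__":
    print(*scan(EVENTS), sep="\n")
```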

The Use of EDRSilencer

The attackers also used a tool called EDRSilencer to disable well-known antivirus software and EDR solutions. This allowed them to evade detection and maintain their presence on the victim’s systems.

Response and Prevention

The Operation WordDrone attack prompted the Taiwan Computer Network Emergency Response and Coordination Center (TWCERT/CC) to issue a warning. Organizations are advised to update their software to the latest versions, implement strong security measures, and be vigilant about suspicious activities on their networks.

Conclusion

The Operation WordDrone attack highlights the importance of cybersecurity in the technology sector. Organizations must remain vigilant and take proactive measures to protect their systems and supply chains. The incident serves as a reminder that no organization is immune to cyber threats, and continuous vigilance is essential to ensure the security of digital assets.

