Infrastructure providing updates for Notepad++, a widely used text editor for Windows, was compromised for six months by suspected Chinese state hackers, who used their control to deliver backdoored versions of the app to identified targets, the developers said Monday.
“I sincerely apologize to all users affected by this hijacking,” the author wrote in a post published Monday on the official notepad-plus-plus.org website. The post said the attack began last June “with an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.” The attackers, whom several investigators have linked to the Chinese government, selectively redirected some targeted users to malicious update servers, where they received backdoored updates. Notepad++ did not regain control of its infrastructure until December.
The attackers used their access to install a previously unseen payload, which has been dubbed the cocoon. Security company Rapid7 described it as a “customized, feature-rich backdoor.”
“The wide range of its capabilities suggests that it is a sophisticated and durable tool, rather than a simple, disposable tool,” the company’s researchers said.
Notepad++ said officials at the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained vulnerable as of September 2. The attackers also retained internal service credentials until December 2, access that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor “specifically targeted the Notepad++ domain with the aim of exploiting inadequate update checking controls that existed in older versions of Notepad++.” Incident logs indicate that the hackers attempted to re-exploit one of the vulnerabilities after it was fixed, but the attempt failed.
According to independent researcher Kevin Beaumont, three organizations told him that devices within their networks that had Notepad++ installed experienced “security incidents” that “resulted in the presence of keyboard threat actors,” meaning the hackers were able to take direct control using a web-based interface. Beaumont said the three organizations have interests in East Asia.
The researcher explained that his suspicions were raised when Notepad++ version 8.8.8 introduced bug fixes in mid-November to “enhance the Notepad++ updater from being hijacked to deliver something…not Notepad++.”
The update made changes to the dedicated Notepad++ updater, known as GUP or, alternatively, WinGUP. The executable responsible, gup.exe, reports the version in use to https://notepad-plus-plus.org/update/getDownloadUrl.php and then retrieves the update URL from a file called gup.xml. The file at that URL is downloaded to the device’s %TEMP% directory and then executed.
Beaumont wrote:
If you can intercept and change this traffic, you can redirect the download to any site where it appears by changing the URL on the site.
This traffic is supposed to be over HTTPS, but it looks like you might be (able to) tamper with the traffic if you were sitting at the ISP level and intercepting TLS. In previous versions of Notepad++, traffic was directly over HTTP.
The downloads themselves are signed, but some earlier versions of Notepad++ use a self-signed root certificate, which is on GitHub. With the previous version 8.8.7, this was reverted to GlobalSign. Effectively, there is a situation where the download is not strictly checked for any tampering.
Since traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit within the ISP chain and be redirected to a different download. To do this at any scale requires a lot of resources.
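The update flow described above (client reports its version, receives a manifest with a download URL, fetches the file into %TEMP% and runs it) is only as safe as the checks applied before that final step. The following Go program is an added example, not code from Notepad++ or WinGUP, showing the gate a defender would want in front of the execute step: it refuses any download location that is not HTTPS or not on a host allow list (which catches a manifest rewritten in transit to point at another server, the "redirect the download" case above), and it verifies a detached Ed25519 signature over the installer with a public key compiled into the client rather than a certificate chain that could be swapped. The manifest element layout, the allow list, the Ed25519 scheme, the `updates.attacker.example` host, the download path and the installer bytes are all assumptions constructed for this example; the real gup.xml format and Notepad++'s actual signing mechanism are not claimed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// ErrRejected is wrapped by every failed check so callers treat all
// rejections alike: log and abort, never fall back to running the file.
var ErrRejected = errors.New("update rejected")

// Manifest is the update response the client parses. The element layout is an
// assumption made for this example, not a claim about WinGUP's real gup.xml.
type Manifest struct {
	XMLName         xml.Name `xml:"GUP"`
	NeedToBeUpdated string   `xml:"NeedToBeUpdated"`
	Version         string   `xml:"Version"`
	Location        string   `xml:"Location"`
}

// CheckLocation rejects any download URL that is not HTTPS or whose host is
// not on the client's allow list. A manifest rewritten in transit to point at a
// third-party server fails here before a single byte is downloaded.
func CheckLocation(raw string, allowedHosts map[string]bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%w: unparsable URL %q", ErrRejected, raw)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q is not https", ErrRejected, u.Scheme)
	}
	if !allowedHosts[u.Hostname()] {
		return fmt.Errorf("%w: host %q not in allow list", ErrRejected, u.Hostname())
	}
	return nil
}

// VerifyPayload checks a detached Ed25519 signature over SHA-256(payload) with a
// public key compiled into the client. Because the key never travels over the
// update channel, whoever controls that channel cannot substitute it.
func VerifyPayload(pinned ed25519.PublicKey, payload, sig []byte) error {
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return fmt.Errorf("%w: payload signature does not verify", ErrRejected)
	}
	return nil
}

// ValidateUpdate is the gate that must pass before the downloaded file is run
// from %TEMP%. It returns the version to install, or "" when no update is due.
func ValidateUpdate(pinned ed25519.PublicKey, manifestXML string, payload, sig []byte, allowedHosts map[string]bool) (string, error) {
	var m Manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return "", fmt.Errorf("%w: malformed manifest: %v", ErrRejected, err)
	}
	if m.NeedToBeUpdated != "yes" {
		return "", nil
	}
	if err := CheckLocation(m.Location, allowedHosts); err != nil {
		return "", err
	}
	if err := VerifyPayload(pinned, payload, sig); err != nil {
		return "", err
	}
	return m.Version, nil
}

// SignPayload stands in for the vendor's release step: it signs the SHA-256 of
// the installer with the private half of the pinned key. It exists only so the
// example can build a valid signature; the client never holds this key.
func SignPayload(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

func main() {
	// Key pair, installer bytes, hosts and manifests below are constructed for this demo.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	allowed := map[string]bool{"notepad-plus-plus.org": true}
	installer := []byte("constructed installer bytes")
	sig := SignPayload(priv, installer)

	manifest := func(loc string) string {
		return "<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.8</Version><Location>" + loc + "</Location></GUP>"
	}
	cases := map[string]string{
		"genuine":     manifest("https://notepad-plus-plus.org/example-path/npp-installer.exe"),
		"redirected":  manifest("https://updates.attacker.example/npp-installer.exe"),
		"legacy http": manifest("http://notepad-plus-plus.org/example-path/npp-installer.exe"),
	}
	for name, xmlText := range cases {
		v, err := ValidateUpdate(pub, xmlText, installer, sig, allowed)
		fmt.Printf("%-12s version=%q err=%v\n", name, v, err)
	}
	// A swapped installer delivered with the genuine manifest fails the signature check.
	_, err := ValidateUpdate(pub, cases["genuine"], []byte("tampered bytes"), sig, allowed)
	fmt.Println("tampered     err:", err)
}
```

The order of checks matters: the URL is judged before anything is fetched, so a redirect to a host outside the allow list never results in a download, and the signature is judged on the bytes that will actually execute, so a substituted file is rejected even when the manifest itself was genuine.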
Beaumont published his working theory in December, two months to the day before Monday’s post from Notepad++. Combined with the details provided by Notepad++, it is now clear that the hypothesis was correct.
Beaumont also warned that search engines are “inundated” with ads promoting Trojanized versions of Notepad++, so much so that many users are unwittingly running them within their networks. A series of malicious Notepad++ extensions adds to the risk.