
Urgent: Notepad++ Users, Check for Hacks Now

Summary

– The Notepad++ update infrastructure was compromised for six months by suspected Chinese state hackers, who delivered backdoored versions of the app to select targets.
– The attack began in June, allowing the hackers to intercept and redirect update traffic, and the developers did not regain full control until December.
– The hackers specifically targeted the Notepad++ domain to exploit insufficient update verification controls in older versions of the software.
– According to a researcher, three organizations with interests in East Asia reported that compromised Notepad++ installations led to “hands on keyboard” incidents where attackers took direct control.
– Notepad++ version 8.8.8 was released in November to harden the updater against hijacking, fixing the method by which updates were retrieved and executed.

Users of the popular Windows text editor Notepad++ are being urged to verify their installations immediately following a serious security breach. Developers confirmed that the platform’s update infrastructure was compromised for half a year by sophisticated hackers, believed to be linked to the Chinese state. These attackers used their access to deliver malicious, backdoored versions of the software to a select group of users.

The author of a post on the official Notepad++ website issued a profound apology to all affected individuals. The statement explained that the attack commenced in June, involving an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic. Multiple investigators have connected these activities to threat groups associated with the Chinese government. The hackers selectively rerouted specific, targeted users to servers under their control, where they received tampered updates instead of legitimate ones. Full control of the infrastructure was not regained until December.

The hosting provider for the update systems, which remains unnamed, worked with incident responders. They discovered the infrastructure remained actively compromised until September 2. Even after that date, the attackers retained access credentials to internal services until December 2. This persistent access enabled them to continue redirecting chosen update traffic to their malicious servers. The threat actor specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls present in older software versions. Event logs show the hackers attempted to re-exploit one of these vulnerabilities after it was patched, but that subsequent effort was unsuccessful.

Independent security researcher Kevin Beaumont reported that three separate organizations contacted him with concerning information. These entities, all with interests in East Asia, stated that devices on their networks running Notepad++ had experienced security incidents. These events involved hands-on-keyboard threat actors, meaning the intruders gained direct, real-time control of the compromised systems through a web-based interface.

Beaumont noted that his suspicions were first raised in mid-November when Notepad++ released version 8.8.8. This update included critical bug fixes designed to harden the Notepad++ Updater against being hijacked. The patch made significant changes to a custom updater component known as GUP, or WinGUP. This `gup.exe` executable works by reporting the current software version to a specific URL on the Notepad++ domain. It then retrieves a download link from a file named `gup.xml`. The file at that link is downloaded to the device’s temporary directory and executed, a process the attackers manipulated during their campaign.
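The manifest-then-download flow just described is where the "insufficient update verification controls" mentioned earlier matter: a client that trusts whatever link the manifest hands it, and executes whatever it downloads, can be steered to another server. The example below is added here and is not Notepad++ or WinGUP code; it shows the checks a hardened client would apply to that same flow. The manifest layout (a `<GUP>` root with `<NeedToBeUpdated>`, `<Version>`, `<Location>` and `<Sha256>` children), the allow-listed host, and all sample data are assumptions constructed for the illustration.

```python
# Added example (not Notepad++/WinGUP code): a hardened version of the
# manifest-then-download flow described above. The manifest layout
# (<GUP> root with <NeedToBeUpdated>, <Version>, <Location>, <Sha256>) and
# the allow-listed host are assumptions made for this illustration.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ALLOWED_HOSTS = {"notepad-plus-plus.org"}  # assumed allow-list


class UpdateRejected(Exception):
    """A manifest or payload failed a hardening check."""


def make_manifest(version, location, sha256_hex, need_update=True):
    """Build a constructed manifest in the assumed layout (sample data only)."""
    return (
        "<GUP>"
        f"<NeedToBeUpdated>{'yes' if need_update else 'no'}</NeedToBeUpdated>"
        f"<Version>{version}</Version>"
        f"<Location>{location}</Location>"
        f"<Sha256>{sha256_hex}</Sha256>"
        "</GUP>"
    ).encode()


def parse_manifest(xml_bytes):
    """Parse strictly: a malformed document, unexpected root or missing field is rejected."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise UpdateRejected(f"malformed manifest: {exc}")
    if root.tag != "GUP":
        raise UpdateRejected(f"unexpected root element {root.tag!r}")
    fields = {}
    for name in ("NeedToBeUpdated", "Version", "Location", "Sha256"):
        value = root.findtext(name)
        if value is None or not value.strip():
            raise UpdateRejected(f"manifest is missing <{name}>")
        fields[name] = value.strip()
    return {
        "need_update": fields["NeedToBeUpdated"].lower() == "yes",
        "version": fields["Version"],
        "location": fields["Location"],
        "sha256": fields["Sha256"].lower(),
    }


def check_location(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only an HTTPS link on an allow-listed host. A manifest that
    sends the client to a plain-HTTP link or to some other host is the
    redirect pattern the article describes, so it is refused outright."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"download link must use https, got {parts.scheme!r}")
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        raise UpdateRejected(f"download host {parts.hostname!r} is not on the allow-list")
    return url


def verify_payload(payload, expected_sha256_hex):
    """Constant-time comparison of the downloaded bytes against the expected digest."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def evaluate_update(manifest_xml, payload):
    """Run every check and return a verdict. Nothing is written to a temp
    directory or executed here; that is the step the attackers abused."""
    try:
        manifest = parse_manifest(manifest_xml)
        if not manifest["need_update"]:
            return {"verdict": "up-to-date", "reason": None}
        check_location(manifest["location"])
        if not verify_payload(payload, manifest["sha256"]):
            raise UpdateRejected("sha256 mismatch: payload differs from manifest")
    except UpdateRejected as exc:
        return {"verdict": "rejected", "reason": str(exc)}
    return {"verdict": "accepted", "version": manifest["version"], "reason": None}


# Constructed sample data: not a real installer, not a real download path.
GOOD_PAYLOAD = b"constructed installer bytes, not a real Notepad++ build"
GOOD_HASH = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
LEGIT_MANIFEST = make_manifest(
    "8.8.8", "https://notepad-plus-plus.org/placeholder/installer.exe", GOOD_HASH)
# What a hijacked update channel might serve: same version string, but the
# download link leads off-host over plain HTTP.
REDIRECTED_MANIFEST = make_manifest(
    "8.8.8", "http://updates.example.invalid/installer.exe", GOOD_HASH)

if __name__ == "__main__":
    for label, manifest, payload in (
        ("legitimate", LEGIT_MANIFEST, GOOD_PAYLOAD),
        ("redirected", REDIRECTED_MANIFEST, GOOD_PAYLOAD),
        ("tampered payload", LEGIT_MANIFEST, b"not the expected bytes"),
    ):
        print(label, "->", evaluate_update(manifest, payload))
```

One caveat the article's timeline makes concrete: a digest carried inside the manifest only protects against a swapped download link, not against a manifest that is itself served by compromised infrastructure, since an attacker who controls the manifest can rewrite the hash alongside the link. The host allow-list and HTTPS requirement narrow that exposure, but the durable control is a signature over the payload checked against a key pinned in the client, so that neither the manifest server nor the download server can substitute a binary on its own.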

(Source: Ars Technica)
