Kevin Beaumont

1 month ago (Received 3 hours ago)

Kevin Beaumont
1 month ago (Received 3 hours ago)

Notepad++ have released a new version to fix the auto update process being hijacked notepad-plus-plus.org/news/v88…

I reported the vulnerability, it is being hijacked by threat actors in China. doublepulsar.com/small-numbers…

Notepad++ v8.8.9 release: Vulnerability-fix | Notepad++

^{notepad-plus-plus.org}

Peter Vágner reshared this.

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 1 month ago (Received 3 hours ago)

I hadn’t put the full details in the blog at the time, but the Notepad++ updater didn’t check if the update package was valid in any way - it just executed it. Also the update process used TLS.. but didn’t validate the session, so it could be hijacked to change the download.

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 1 month ago (Received 3 hours ago)

I did have a thread on this at the time but I think it auto deleted, whoops. It was being used for entry into telcos and financial services in East Asia anyhoo.

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 1 month ago (Received 3 hours ago)

Impacted boxes have things like FatBeehive and other tools installed, there’s hunting guides in that blog.

Notepad++ author really good btw, quick turn around.

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 1 month ago (Received 3 hours ago)

Also, long time followers may remember this one playing out in real time over the last few weeks - I just tooted about it in Follower mode to stop threat intel companies scraping the toots 🤣

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 1 month ago (Received 3 hours ago)

And yes, this was (and is) a supply chain attack - just everybody was too busy wacking off about GenAI and react2shell to notice.

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 1 month ago (Received 3 hours ago)

Since making this thread yesterday the infrastructure appears to have gone AWOL and they've nuked the DNS entries on the C2s etc etc. They had access to a bunch of orgs for 5 months, if anybody interested.

This entry was edited (1 month ago)

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 1 month ago (Received 3 hours ago)

I consulted the official #GAYINT threat actor mapping chart and made this diagram for Notepad++ hack attribution

#gayint

in reply to Kevin Beaumont

Kevin Beaumont

in reply to Kevin Beaumont 3 hours ago

Notepad++ have today confirmed their auto process was compromised by Chinese nation state threat actors, in a supply chain hack: notepad-plus-plus.org/news/hij…

This backs up my blog from late last year, with #GAYINT threat actor mapping to Funky Stamen.

The infrastructure and update mechanisms have since been tightened. For what it’s worth - entry was to telcos and financial services with interests aligned to China. Notepad++ dev did a great job treating issue seriously.

Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

^{notepad-plus-plus.org}

#gayint

reshared this

⇧

Kevin Beaumont 1 month ago (Received 3 hours ago) • •

Kevin Beaumont
1 month ago (Received 3 hours ago)