Notepad++ have released a new version to fix the auto update process being hijacked https://notepad-plus-plus.org/news/v889-released/

I reported the vulnerability; it is being hijacked by threat actors in China. https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9


I hadn’t put the full details in the blog at the time, but the Notepad++ updater didn’t check if the update package was valid in any way - it just executed it. Also the update process used TLS, but didn’t validate the session, so it could be hijacked to change the download.
I did have a thread on this at the time but I think it auto-deleted, whoops. It was being used for entry into telcos and financial services in East Asia anyhoo.
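An added example of the two checks the post above says the updater lacked, written here to illustrate the point; it is not code from Notepad++, its updater, or the thread. The manifest format, the domain-separation prefix, the Ed25519 vendor key and the installer bytes are all assumptions of this example: the vendor signs a manifest carrying the installer hash, and the client refuses to run anything unless both the signature and the hash check out, over a TLS client that actually verifies (and pins) the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
)

// Manifest is a hypothetical signed description of an update: the version
// string and the SHA-256 of the installer. The vendor signs the encoded
// manifest offline; the updater ships the vendor public key and checks the
// signature, then the installer hash, before running anything.
type Manifest struct {
	Version string
	SHA256  [32]byte
}

// encode gives the bytes that are signed. The prefix is an assumption of this
// example, not a Notepad++ format.
func (m Manifest) encode() []byte {
	out := []byte("update-manifest-v1\x00" + m.Version + "\x00")
	return append(out, m.SHA256[:]...)
}

// SignManifest is the vendor-side step; the private key never ships.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the gate the updater must pass before executing the
// installer. A swapped installer fails the hash check; a swapped manifest, or
// a manifest signed by anyone but the vendor, fails the signature check.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return errors.New("manifest signature invalid: refusing to run installer")
	}
	if sha256.Sum256(installer) != m.SHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

// insecureClient reproduces the transport half of the failure mode: TLS is
// negotiated, but the peer is never verified, so an on-path attacker with any
// certificate can serve a different download.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// secureClient keeps Go's default chain and hostname verification and adds a
// pin on the SHA-256 of the expected leaf SPKI. VerifyConnection only runs
// after standard verification has already succeeded.
func secureClient(pinnedSPKI [32]byte) *http.Client {
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no peer certificate")
			}
			if sha256.Sum256(cs.PeerCertificates[0].RawSubjectPublicKeyInfo) != pinnedSPKI {
				return errors.New("SPKI pin mismatch: refusing download")
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// PeerVerified reports whether a client will verify the server certificate.
func PeerVerified(c *http.Client) bool {
	tr, ok := c.Transport.(*http.Transport)
	return ok && tr.TLSClientConfig != nil && !tr.TLSClientConfig.InsecureSkipVerify
}

func main() {
	// Vendor key and installer bytes are generated here for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed stand-in for an installer binary")
	m := Manifest{Version: "8.8.9", SHA256: sha256.Sum256(installer)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, installer))
	fmt.Println("swapped installer:", VerifyUpdate(pub, m, sig, []byte("attacker payload")))
	fmt.Println("insecure client verifies peer:", PeerVerified(insecureClient()))
	fmt.Println("secure client verifies peer:", PeerVerified(secureClient([32]byte{})))
}
```

The hash on its own would not help if the manifest came down the same hijacked channel as the installer; the signature over the manifest is what ties the hash to the vendor, and the TLS verification is what stops the download being redirected in the first place.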

Impacted boxes have things like FatBeehive and other tools installed, there’s hunting guides in that blog.

Notepad++ author is really good btw, quick turnaround.

Also, long time followers may remember this one playing out in real time over the last few weeks - I just tooted about it in Follower mode to stop threat intel companies scraping the toots 🤣
And yes, this was (and is) a supply chain attack - just everybody was too busy whacking off about GenAI and react2shell to notice.
Since making this thread yesterday the infrastructure appears to have gone AWOL and they've nuked the DNS entries on the C2s etc etc. They had access to a bunch of orgs for 5 months, if anybody is interested.
I consulted the official #GAYINT threat actor mapping chart and made this diagram for Notepad++ hack attribution

Notepad++ have today confirmed their auto update process was compromised by Chinese nation state threat actors, in a supply chain hack: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

This backs up my blog from late last year, with #GAYINT threat actor mapping to Funky Stamen.

The infrastructure and update mechanisms have since been tightened. For what it’s worth - entry was to telcos and financial services with interests aligned to China. Notepad++ dev did a great job treating the issue seriously.


Here’s my original blog with threat hunting suggestions: https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9

Of note - the cyber industry entirely slept through it. A cartoon porg with #GAYINT threat intelligence had to blow it up.

@GossiTheDog still no IOCs?
@RonnyTNL did you find anything? I only have AutoUpdater.exe as the IoC thus far. Working with limited budget so no CTIs...
@0x nope, there is way too much "AutoUpdater.exe" itw, so unless there are hashes it is a goose chase.