Anthony Hove 🐬Feb 2
evacide
Notepad++ publishes a blog post saying they caught a probably-Chinese state actor hijacking their product in an attack against highly-selective targets that began last June: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

Feb 2 at 6:18pmWeb
Show threadDB SchweinFeb 2

@evacide

@marfisk FYI

Show threadDan SchnauFeb 2
@evacide I vaguely remember reading about an attack like this on notepad++ many years ago. What a pain to be the target of this stuff!
Show threadslashFeb 2

@evacide It's ironic that my company blocks anything with that domain in it. Including the SMB share we're supposed to download it from...

In this case, I'm a sysadmin and won't be able to read and react to this because IT has it blocked.

These are the same people who allow access to the Daily Mail, but not The Guardian...

Show threadBredrollFeb 3
@agreeable_landfall @evacide omg what morons do you work for? how is the sabotage going?
Show threadslashFeb 3

@Bredroll @evacide LOL. It's a large company, and IT has always believed "all computers belong to us." So whenever a rule gets in the way, the answer is always, "We should take over management of that machine."

I run off-net systems, which are unique to the specific contract we are developing hardware and software for. So...they don't have the skills to manage that.

Even the DSS on-site guy thinks they are morons. ;)

That said, we *do* have people who are sharp. Just no one I've met.

Show threadJohn Carlsen 🇺🇸🇳🇱🇪🇺Feb 3

@agreeable_landfall

You remind me of a big company (~130k) that I had worked for about 15 years ago. In my department (R&D), we were pretty free to run whatever we liked, so most of us ran Linux. I recall going over to corporate IT for something and someone there asked "What's Linux?" (I must give some credit for at least asking.)

Show threadBodlingFeb 2

@evacide What we need to do comes at the end:

"I deeply apologize to all users affected by this hijacking. I recommand downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually."

Show threadNoah BaileyFeb 2
@evacide seems like the baddies broke into the Wordpress admin panel or the host’s cpanel page. Not terribly sophisticated, but quite consequential. It’s always the small things that get missed and create a huge problem…
Show threadEeyore_SyndromeFeb 2

@evacide

I highly reccomend:
#KDE #Kate

https://apps.kde.org/kate/
https://kate-editor.org/

Even has a windows version.

Kate

Advanced text editor

KDE Applications
Show threadInaba  Feb 2
@Eeyore_Syndrome @evacide what about xterm + vi
Show threadJames KnausFeb 2
@evacide I love notepad++ it's my go to ide
Show threadGregFeb 2
@evacide this sort of thing has been on the rise for years, the hosting company should be publicized to reduce the incentive to side with bad actors
Show threadJohn Carlsen 🇺🇸🇳🇱🇪🇺Feb 3

@evacide

I learned a new term of art: "indicator of compromise" (IoC).

(Computer forensics is outside my area of expertise.)

https://en.wikipedia.org/wiki/Indicator_of_compromise

Indicator of compromise - Wikipedia

Show threadJohn Carlsen 🇺🇸🇳🇱🇪🇺Feb 3

@evacide

In the pages linked article at
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ the mention of "undocumented system calls" in Microsoft Windows should serve as a warning not to use Windows at all, as it clearly can't be trusted. The cited name of one of those calls ("NtQuerySystemInformation") amused me by evoking memories of using Windows NT circa 1996.

Apparently Microsoft hasn't been adequately compelled to improve its products in the last 30 years.

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom.

Rapid7
Show threadjarinks5d ago
@evacide everything in tne supply chain is maintained thanklessly by a 60 year old from Nevada