
Notepad++ Users Alert: Update System Compromised by Suspected State-Sponsored Hackers


Six-Month Breach Exposes Millions to Sophisticated Backdoor

A major cybersecurity incident has come to light, revealing that the update infrastructure for Notepad++, a widely popular text editor for Windows, was compromised for a staggering six months. Developers confirmed on Monday that suspected China-state hackers exploited this control to deliver backdoored versions of the application to targeted users.

The author of a post on the official notepad-plus-plus.org site apologized, writing, “I deeply apologize to all users affected by this hijacking.” The breach, which began in June, involved an “infrastructure-level compromise” that allowed the attackers to intercept and redirect update traffic. The attackers, linked to the Chinese government by multiple investigators, then selectively steered specific users to malicious update servers, where compromised versions of Notepad++ were delivered. Control of the infrastructure was not fully regained until December.

Chrysalis: A Feature-Rich Backdoor Uncovered

During their prolonged access, the attackers deployed a novel payload dubbed ‘Chrysalis.’ Security firm Rapid7 characterized it as a “custom, feature-rich backdoor,” highlighting its advanced capabilities. Researchers noted, “Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility,” underscoring the serious nature of the threat.

“Hands-On Keyboard” Attacks and Targeted Organizations

Notepad++ revealed that the unnamed provider hosting the update infrastructure remained compromised until September 2. Even after this, attackers retained credentials to internal services until December 2, enabling continued redirection of update traffic. The threat actor specifically targeted Notepad++’s domain, exploiting insufficient update verification controls in older versions of the software. While attempts to re-exploit fixed weaknesses failed, the initial compromise was extensive.

Independent researcher Kevin Beaumont reported that three organizations confirmed “security incidents” on devices running Notepad++ within their networks. These incidents escalated to “hands-on keyboard threat actors,” meaning the attackers gained direct, interactive control via web-based interfaces. Significantly, all three organizations have strategic interests in East Asia, suggesting a targeted campaign.

Understanding the Vulnerability: The GUP Updater

Beaumont’s suspicions were first raised in mid-November when Notepad++ version 8.8.8 introduced fixes to “harden the Notepad++ Updater from being hijacked.” This update addressed vulnerabilities in the bespoke updater, known as GUP or WinGUP.

The `gup.exe` executable reports the current version to a server and retrieves an update URL from a `gup.xml` file. The file specified in this URL is then downloaded to the device’s temporary directory and executed. Beaumont explained that intercepting and altering this traffic allows an attacker to redirect downloads to any location by changing the URL property.

While update traffic is typically carried over HTTPS, it appears tampering was possible at the ISP level via TLS interception. Crucially, earlier Notepad++ versions used unencrypted HTTP for update traffic. Furthermore, although downloads are signed, some older versions relied on a self-signed root certificate; signing was reverted to GlobalSign in version 8.8.7. The result was that download integrity checks were not robust, leaving the update path susceptible to tampering. Because traffic to notepad-plus-plus.org is relatively rare, a well-resourced attacker positioned within the ISP chain could exploit that scarcity to single it out.

Urgent Recommendations for All Users

Beaumont had published his working theory in December, two months before Notepad++’s official advisory; the developer’s details have now confirmed that hypothesis. He also warned of the proliferation of trojanized Notepad++ versions pushed through search engine advertisements and malicious extensions, compounding the risk for unsuspecting users.

Initially, Beaumont advised users to ensure they were running official version 8.8.8 or higher, installed manually from notepad-plus-plus.org. Notepad++ developers have since updated this recommendation, urging all users to upgrade to **version 8.9.1 or higher** immediately.

For larger organizations, additional measures are recommended: consider blocking `notepad-plus-plus.org` or preventing the `gup.exe` process from accessing the internet. Blocking internet access for the `notepad++.exe` process is also an option, though it was cautioned as potentially “overkill and not practical” for most organizations, unless robust monitoring for extensions is in place.
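A host-level audit of the recommendations above, written here as an added example (not code from the article, from Beaumont, or from the Notepad++ project). It assumes the default install directory, that the updater lives at `updater\GUP.exe` beside its `gup.xml` config, PowerShell 5.1 or later, and an elevated session for the firewall rule.

```powershell
# Added example (not the article's or Notepad++'s code): check the installed version
# against the 8.9.1 minimum, verify the Authenticode chain, flag plain-HTTP update URLs,
# and block gup.exe outbound. Paths below are assumed defaults.
$MinimumSafeVersion = [version]'8.9.1'                 # minimum from the developers' advisory
$NppDir = 'C:\Program Files\Notepad++'                 # assumed default install path
$NppExe = Join-Path $NppDir 'notepad++.exe'
$GupExe = Join-Path $NppDir 'updater\GUP.exe'          # assumed updater location
$GupXml = Join-Path $NppDir 'updater\gup.xml'          # assumed updater config location

function Test-NppVersion {
    # Returns whether the installed build meets the minimum safe version.
    if (-not (Test-Path $NppExe)) { return [pscustomobject]@{ Installed = $false; Version = $null; Safe = $null } }
    $raw = (Get-Item $NppExe).VersionInfo.ProductVersion
    $v = [version]($raw -replace '[^\d.].*$', '')      # drop any non-numeric suffix before casting
    [pscustomobject]@{ Installed = $true; Version = $v; Safe = ($v -ge $MinimumSafeVersion) }
}

function Test-NppSignature {
    # Status 'Valid' means the signing chain terminates in a trusted root; a build signed
    # under a self-signed root (the pre-8.8.7 situation) does not report Valid.
    $sig = Get-AuthenticodeSignature -FilePath $NppExe
    [pscustomobject]@{
        Status = $sig.Status
        Issuer = $sig.SignerCertificate.Issuer
        # Assumption: a GlobalSign-issued code-signing cert names GlobalSign in its issuer DN.
        GlobalSignIssued = [bool]($sig.SignerCertificate.Issuer -match 'GlobalSign')
    }
}

function Find-PlainHttpUpdateUrl {
    # Flags any unencrypted http:// URL in the local updater config (element names not assumed).
    if (-not (Test-Path $GupXml)) { return @() }
    Select-String -Path $GupXml -Pattern 'http://[^\s"<]+' -AllMatches |
        ForEach-Object { $_.Matches.Value }
}

function Block-GupOutbound {
    # Outbound block scoped to gup.exe only, the narrower option the article recommends.
    $name = 'Block Notepad++ GUP updater (outbound)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $GupExe `
            -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

Test-NppVersion
Test-NppSignature
Find-PlainHttpUpdateUrl
Block-GupOutbound
```

A Safe value of $false, a signature status other than Valid, or any http:// hit from Find-PlainHttpUpdateUrl marks the host for the manual reinstall described above.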

Users concerned about potential targeting should consult the indicators of compromise provided in the Rapid7 post for further investigation.
