Compromise of Notepad++ Infrastructure Alerts Users to Cybersecurity Vulnerabilities
In a significant breach of security, the update infrastructure for Notepad++, a popular text editor for Windows, was reportedly compromised for six months by hackers believed to be affiliated with the Chinese government. Developers disclosed this alarming situation on Monday, revealing that the attackers utilized their access to distribute backdoored versions of the software to select targets.
The breach began in June, marked by an “infrastructure-level compromise” that enabled the attackers to intercept and misdirect update traffic intended for the official Notepad++ website. As a result, certain users were guided to malicious update servers, where they unwittingly received tainted versions of the application. Full control of the infrastructure was finally regained by Notepad++ in December.
Utilizing their foothold, the attackers deployed a sophisticated payload dubbed “Chrysalis,” described by cybersecurity firm Rapid7 as a custom, fully featured backdoor. Its complexity indicates that it was built as a long-term tool for ongoing operations rather than a throwaway utility.
Investigation into the incident revealed that the compromised update infrastructure remained under the attackers’ control until early September. Even after some remediation efforts, the hackers retained internal service credentials until December, allowing them to continue redirecting specific update traffic to their malicious servers. The threat actors specifically exploited vulnerabilities in older versions of Notepad++ that lacked robust update verification measures.
Independent cybersecurity researcher Kevin Beaumont noted that three organizations with interests in East Asia reported security incidents linked to Notepad++ installations on their networks. These incidents allowed the attackers direct control through a web-based interface, illustrating the advanced nature and potentially serious implications of the breach.
Beaumont’s prior analysis had raised concerns about the Notepad++ updater’s susceptibility to hijacking, concerns that became particularly visible around a November update intended to enhance its security. The updater, known as GUP or WinGUP, retrieves update information from a file at a specified URL. Anyone able to intercept that traffic could substitute an unauthorized download, particularly where the connection is not adequately protected with HTTPS.
Even though the downloads were signed, earlier versions of Notepad++ relied on a self-signed root certificate that is publicly available, which weakened the protection that signing was meant to provide. With version 8.8.7 the software reverted to a better-protected GlobalSign certificate, yet concerns remained about how rigorously download integrity is checked.
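A defender-side sketch of the update verification the article says older versions lacked, added here as an illustration and not code from Notepad++ or WinGUP: it pins an Ed25519 vendor key in the client in place of Notepad++’s certificate-based signing, and the manifest format, host name, version string and installer bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"net/url"
)

// Manifest is a constructed update descriptor standing in for the file the updater fetches (not WinGUP's format).
type Manifest struct {
	Version     string `json:"version"`
	DownloadURL string `json:"download_url"`
	SHA256      string `json:"sha256"` // hex SHA-256 of the installer the URL serves
}

// SignManifest is the vendor-side step: sign the serialized manifest with the private half of the pinned key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// VerifyUpdate enforces the checks a hijacked updater would otherwise skip: the manifest must be signed by the
// pinned vendor key, the download URL must be HTTPS on the allow-listed host, and the installer must hash to the
// signed value. A redirected URL, a re-signed manifest or a swapped installer all fail here and are discarded.
func VerifyUpdate(pinned ed25519.PublicKey, body, sig []byte, host string, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, body, sig) {
		return nil, errors.New("manifest not signed by pinned key")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	if u, err := url.Parse(m.DownloadURL); err != nil || u.Scheme != "https" || u.Hostname() != host {
		return nil, errors.New("download URL is not https on the allow-listed host")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer hash differs from signed manifest")
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)               // nil reader means crypto/rand
	installer := []byte("constructed installer bytes")     // stands in for the downloaded .exe
	sum := sha256.Sum256(installer)
	body, sig := SignManifest(priv, Manifest{"8.8.7", "https://updates.example.invalid/npp.exe", hex.EncodeToString(sum[:])})
	if _, err := VerifyUpdate(pub, body, sig, "updates.example.invalid", installer); err != nil { panic(err) }
}
```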
Beaumont’s working theory, put forward in December, was borne out by Notepad++’s advisory, confirming that his analysis had correctly anticipated the vulnerability. He has also warned about the spread of malicious Notepad++ extensions and of trojanized versions of the software being advertised, which heightens the risk for unwary users.
This incident underscores the cybersecurity risks that come with widely used software. Mapped to the MITRE ATT&CK framework, the breach appears to exhibit initial access through exploitation of vulnerabilities, persistence via a backdoor, and credential dumping to maintain access. Business owners must remain vigilant about similar weaknesses in their own software ecosystems and implement robust security measures to mitigate the risk effectively.