Ekhbary
Tuesday, 10 February 2026
Breaking

China-State Actors Compromised Notepad++ Update Infrastructure for Six Months

Matrix Bot
4 days ago

United States - Ekhbary News Agency

Suspected state-sponsored hackers with ties to China infiltrated the update infrastructure for Notepad++, a ubiquitous text editor for Windows, for an extended period of six months. During this time, malicious actors exploited their access to distribute compromised versions of the application to unsuspecting users. Developers of the popular software confirmed the breach on Monday, issuing a profound apology to all affected individuals.

The sophisticated attack, which began in June of the previous year, involved an "infrastructure-level compromise." This allowed the threat actors to intercept and redirect update traffic intended for the official notepad-plus-plus.org website. Investigators have linked the perpetrators to the Chinese government, highlighting the geopolitical implications of such cyber operations. The attackers then strategically rerouted specific, targeted users to malicious update servers, where they downloaded and installed versions of Notepad++ that had been tampered with to include malicious payloads.

Notepad++ developers only managed to regain full control over their compromised infrastructure in December, marking a lengthy six-month window during which the attackers operated undetected and with significant impact. The compromised infrastructure was managed by an unnamed third-party provider, which, according to incident responders, remained breached until September 2. Crucially, the attackers maintained access to internal services until December 2, enabling them to persistently redirect update traffic to their controlled servers.

The attackers specifically targeted the Notepad++ domain with the explicit goal of exploiting "insufficient update verification controls" present in older versions of the software. This indicates a well-researched and targeted operation rather than a broad, opportunistic attack. Security firm Rapid7, which analyzed the incident, identified the payload delivered by the attackers as a previously unknown tool dubbed "Chrysalis." Researchers described Chrysalis as a "custom, feature-rich backdoor," noting that its extensive capabilities suggest it is a "sophisticated and permanent tool, not a simple throwaway utility." This level of sophistication underscores the advanced nature of the threat actors involved.

Event logs revealed that the hackers attempted to re-exploit identified weaknesses even after they were patched, though these subsequent attempts were unsuccessful. This persistence highlights the attackers' commitment to maintaining access and exploiting vulnerabilities.

Independent security researcher Kevin Beaumont played a crucial role in bringing attention to the potential risks. He reported that three organizations, all with interests in East Asia, experienced "security incidents" on devices running Notepad++. These incidents escalated to "hands-on keyboard threat actors," a term indicating that the attackers gained direct control over compromised systems through a web-based interface. Beaumont's suspicions were initially raised when Notepad++ version 8.8.8, released in mid-November, included bug fixes aimed at "hardening the Notepad++ Updater from being hijacked."

The update specifically addressed vulnerabilities in the Notepad++ updater, known as GUP (or WinGUP). The gup.exe executable is responsible for reporting the installed version to a specific URL and retrieving update information from a gup.xml file. The update file itself is then downloaded to the device's temporary directory and executed. The core vulnerability lay in the ability to intercept and modify this traffic, allowing attackers to redirect the download to malicious servers by altering the URL within the update process. While the traffic was intended to be secured over HTTPS, it appears that attackers could potentially tamper with it by intercepting traffic at the ISP level, especially if TLS interception was possible. Earlier versions of Notepad++ transmitted this traffic over unencrypted HTTP, making them even more susceptible.

Although the downloaded update files are digitally signed, earlier versions of Notepad++ utilized self-signed root certificates, which are more easily spoofed. This practice was reverted to using certificates from GlobalSign starting with version 8.8.7, but the window of vulnerability had already been exploited. The lack of robust verification mechanisms meant that the integrity of the downloaded updates was not adequately assured.

Beaumont theorized that because traffic to notepad-plus-plus.org is relatively infrequent, an attacker could position themselves within an Internet Service Provider (ISP) chain to redirect downloads. However, executing such an attack at scale would require significant resources. Beaumont published his findings in December, two months before the official advisory from Notepad++, and his hypothesis has now been largely validated by the developers' statements.

Adding to the concern, Beaumont also warned about the prevalence of malicious advertisements on search engines that promote trojanized versions of Notepad++. This practice leads many users to unknowingly install compromised software. Furthermore, a proliferation of malicious Notepad++ extensions exacerbates the overall risk landscape.

To mitigate these risks, developers strongly advise all users to ensure they are running the official version 8.8.8 or higher, installed directly from the official website. Since Beaumont's initial warnings, the recommended version has been updated to 8.9.1 or higher. For larger organizations managing Notepad++ deployments, security measures such as blocking access to notepad-plus-plus.org or restricting the internet access of the gup.exe and notepad++.exe processes are recommended. However, the developers acknowledge that these measures might be impractical or excessive for most organizations.
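As an added example (not code from the article or the Notepad++ project), the PowerShell audit below checks a host against the points raised above: the installed version against the 8.9.1 guidance, whether notepad++.exe and gup.exe carry Authenticode signatures that chain to a root the host trusts rather than a self-signed one, and whether the updater's configured URL is HTTPS on the official domain; a second function applies the stricter fleet control of blocking gup.exe from reaching the internet. It assumes the default install path under Program Files and that gup.xml stores the update URL in an InfoUrl element under GUPInput.

```powershell
# Audit a Windows host for the Notepad++ mitigations described in the article
# (added example; install path and the <InfoUrl> element name are assumptions).
$MinimumVersion = [version]'8.9.1'
$InstallDir     = Join-Path $env:ProgramFiles 'Notepad++'

function Test-NotepadPlusPlusHardening {
    $exe = Join-Path $InstallDir 'notepad++.exe'
    $gup = Join-Path $InstallDir 'updater\gup.exe'
    $cfg = Join-Path $InstallDir 'updater\gup.xml'
    if (-not (Test-Path $exe)) { Write-Warning "notepad++.exe not found in $InstallDir"; return }

    # 1. Version: the article's current guidance is 8.9.1 or higher.
    $installed = [version](Get-Item $exe).VersionInfo.ProductVersion
    $versionOk = $installed -ge $MinimumVersion

    # 2. Authenticode: 'Valid' means the signature chains to a root this host
    #    trusts; a self-signed root (as older releases used) would not pass.
    $signatures = foreach ($f in @($exe, $gup)) {
        if (Test-Path $f) {
            $s = Get-AuthenticodeSignature -FilePath $f
            [pscustomobject]@{ File = $f; Status = $s.Status; Signer = $s.SignerCertificate.Subject }
        }
    }
    $signatureOk = @($signatures | Where-Object Status -ne 'Valid').Count -eq 0

    # 3. Updater config: the update URL must be HTTPS on the official domain;
    #    plain HTTP or another host is the redirect condition the article describes.
    $updateUrlOk = $false
    if (Test-Path $cfg) {
        $infoUrl = ([xml](Get-Content -Raw $cfg)).GUPInput.InfoUrl   # assumed element name
        $uri = [uri]$infoUrl
        $updateUrlOk = ($uri.Scheme -eq 'https') -and ($uri.Host -eq 'notepad-plus-plus.org')
    }

    [pscustomobject]@{
        InstalledVersion = $installed
        VersionOk        = $versionOk
        SignatureOk      = $signatureOk
        Signatures       = $signatures
        UpdateUrlOk      = $updateUrlOk
        Hardened         = $versionOk -and $signatureOk -and $updateUrlOk
    }
}

# Optional stricter control for managed fleets: stop gup.exe from reaching the
# internet so updates can only arrive through the organisation's own channel.
function Block-NotepadPlusPlusUpdater {
    $gup = Join-Path $InstallDir 'updater\gup.exe'
    New-NetFirewallRule -DisplayName 'Block Notepad++ updater (gup.exe)' -Direction Outbound `
        -Program $gup -Action Block -Profile Any
}

Test-NotepadPlusPlusHardening | Format-List
```

Run the audit from an elevated session; Block-NotepadPlusPlusUpdater is not invoked by default and requires administrator rights to create the firewall rule.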

Users concerned about potential compromise can refer to the indicators of compromise detailed in the Rapid7 analysis for investigation. The incident highlights the critical importance of software update security and the persistent threats posed by state-sponsored cyber actors. It also underscores the challenges faced by open-source projects, which often operate with limited resources despite being relied upon across the internet, making them attractive targets for sophisticated adversaries.

Keywords: Notepad++, cyber attack, China, hacking, malware, backdoor, Chrysalis, software update, cybersecurity, vulnerability, Rapid7, Kevin Beaumont, state-sponsored hackers