
""I deeply apologize to all users affected by this hijacking," the author of a post published to the official notepad-plus-plus.org site wrote Monday. The post said that the attack began last June with an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org." The attackers, whom multiple investigators tied to the Chinese government, then selectively redirected certain targeted users to malicious update servers where they received backdoored updates."
"The attackers used their access to install a never-before-seen payload that has been dubbed Chrysalis. Security firm Rapid7 described it as a "custom, feature-rich backdoor." "Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility," company researchers said."
Hands-On Keyboard Hacking
"Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2."
"Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor "specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++." Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed."
Notepad++ update infrastructure was compromised beginning in June, allowing malicious actors to intercept and redirect update traffic to attacker-controlled servers. The hosting provider remained compromised until September 2, and attackers retained credentials to internal services until December 2, enabling continued selective redirection of updates. Targeted users received backdoored updates that installed a previously unseen payload dubbed Chrysalis. Security firm Rapid7 characterized Chrysalis as a custom, feature-rich backdoor with capabilities indicating a sophisticated, permanent tool. The threat actor specifically targeted insufficient update verification in older Notepad++ versions, and logs show a failed re-exploit attempt after a fix.
Read at WIRED