Submitted 1 day ago by BrikoX@lemmy.zip to technology@lemmy.zip
Suspected China-state hackers used update infrastructure to deliver backdoored version.
The protection of dismissing the update dialogue because it appears at start up, which is when I need to get something done. I guess I’ll just manually update it from now on.
If you’re worried that this may have hit your PC I’d say first of all be aware that this is a state-level backdoor, intended to be persistent and evade detection. You are likely not the target and are very unlikely to find any teaf
Actions I’d suggest if you’re worried this could have hit your PC:
PS > winget upgrade - q Notepad++ (will show you available updates) PS > winget upgrade - q Notepad++ (
This doesn’t seem like this is an attack that should work.
How did this bypass signature verification, sure you can send a malicious update… but unless you have the package maintainer’s private keys you can’t sign it so it would be thrown out by the package manager?
The downloads themselves are signed—however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign.
used a self signed root cert,
Oh, it’s Windows software.
All of this would have been easily avoided by its users if they had just listened to the enlightened and switched to vim
I’d rather never turn my computer on again and run away to live in the woods than use notepad++
Vim is chore to learn, most people just need simple notepad replacement when they are don’t need full IDE.
Vim is hardly an IDE unless you have added a shitload of plugins (which is fine if you want to do that, arguably a plus to have the option)
Notepad++ is way too bloated for a “simple notepad replacement” and often lacking when you need something more serious than that
Although I guess vim never shipped with malware, so I guess it’s lacking in that particular notepad++ feature
hal_5700X@sh.itjust.works 1 day ago
I think its unlikely most people were infected as the article makes it sound like they were focused on targeting specific individuals / orginizations.
The Rapid 7 post says if you have a hidden folder in “%AppData%” named Bluetooth. You got hacked. So if you have said folder, you’re good.
pulsewidth@lemmy.world 9 hours ago
This advice is not accurate:
Their post says that the Bluetooth hidden folder in AppData was only used as the initial access vector.
After initial access, an advanced persistent backdoor they’ve named “Chrysalis” is delivered and installed via significantly obfuscated methods to minimize chance of detection. The backdoor allows arbitrary code execution via a CMD.exe reverse shell, with additional modes for remote file write, read, and a full self-removal mechism that attempts to delete any trace it was ever on the system.
The Indicators of compromise section at the bottom contains a list of any files you can check for on your system, and their corresponding SHA-256 values, as well as network indicators if you have logging or wish to check your DNS cache. If you have any files that match or other indicators, then your system is/was compromised. But there is a very good chance that many systems which were compromised now have no remaining trace of breech.
rapid7.com/…/tr-chrysalis-backdoor-dive-into-lotu…