
Notepad++ fixed updater bugs that allowed malicious update hijacking


Notepad++ addressed an updater vulnerability that allowed attackers to hijack update traffic due to weak authentication of update files.

Notepad++ addressed a flaw in its updater that allowed attackers to hijack update traffic due to improper authentication of update files in earlier versions.

The popular security researcher Kevin Beaumont first reported that several Notepad++ users faced security incidents. He later noted the attacks, targeting telecom and finance firms in East Asia, likely came from China. The expert also speculated that the attackers were exploiting a vulnerability in Notepad++.

“I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors,” wrote Beaumont.

In mid-November, Notepad++ released an update to harden its GUP/WinGUP updater after discovering it could be hijacked. GUP contacts a Notepad++ URL, retrieves gup.xml containing the update download link, saves the downloaded file in %TEMP%, then executes it. If an attacker intercepts this traffic (previously plain HTTP, now HTTPS, but still interceptable at the ISP level), they can alter the <Location> field to deliver a malicious file.

Beaumont explained that although downloads are signed, older Notepad++ versions used a self-signed root certificate that was publicly available on GitHub, which weakened the validation. Because traffic to notepad-plus-plus.org is rare, ISP-level redirection is feasible for well-resourced actors.

Notepad++ 8.8.8 fixes the updater issue by forcing updates to download only from GitHub, making interception far harder.
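The defensive counterpart to the updater flow described above is to validate the manifest's `<Location>` before anything is fetched or run. The following is an added example, not code from Notepad++ or its GUP updater: it parses a GUP-style manifest and accepts the download link only if it is HTTPS and its exact host is on a pinned allowlist (github.com and release-assets.githubusercontent.com, taken from the article's indicators and the 8.8.8 GitHub-only behaviour). The manifest layout (a `<GUP>` root with a `<Location>` child) and the sample manifests are assumptions constructed for the example.

```python
"""Validate the <Location> of a GUP-style update manifest before downloading.

Added example; the <GUP>/<Location> layout and the sample manifests below are
constructed assumptions, not real Notepad++ responses.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlparse

# Hosts a hardened updater is allowed to fetch the installer from.
ALLOWED_HOSTS = frozenset({"github.com", "release-assets.githubusercontent.com"})


def parse_location(manifest_xml: str) -> Optional[str]:
    """Return the text of the first <Location> element, or None if absent or unparseable."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    node = root.find(".//Location")
    if node is None or not node.text:
        return None
    return node.text.strip()


def location_is_acceptable(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only https URLs whose exact host is on the allowlist.

    urlparse(...).hostname strips userinfo and port, so
    'https://github.com@evil.example/x' yields host 'evil.example' and is
    rejected, as is the look-alike 'https://github.com.evil.example/'.
    """
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def check_manifest(manifest_xml: str) -> Tuple[bool, str]:
    """Decide whether an updater should proceed with the manifest's download link."""
    location = parse_location(manifest_xml)
    if location is None:
        return False, "manifest has no usable <Location>"
    if not location_is_acceptable(location):
        return False, f"refusing download from {location!r}: scheme or host not allowed"
    return True, location


# Constructed sample manifest following the public GitHub release URL layout.
GOOD_MANIFEST = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.8/npp.8.8.8.Installer.x64.exe</Location>
</GUP>
"""

# The shape of a manifest an on-path attacker would inject: identical structure,
# but <Location> points at a server they control (placeholder domain).
TAMPERED_MANIFEST = GOOD_MANIFEST.replace(
    "https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.8/npp.8.8.8.Installer.x64.exe",
    "http://update-mirror.example/update.exe",
)

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("tampered", TAMPERED_MANIFEST)):
        ok, detail = check_manifest(manifest)
        print(f"{name}: {'proceed' if ok else 'BLOCK'} -> {detail}")
```

Host pinning is a second, independent control alongside signature checking: even if the signature chain is weak (the self-signed root discussed above), a manifest that has been rewritten to point elsewhere is rejected before any bytes are downloaded.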

“I’ve only talked to a small number of victims. They are orgs with interests in East Asia. Activity appears very targeted. Victims report hands on keyboard recon activity, with activity starting around two months ago,” Beaumont continued.

Signs of compromise include:

  • gup.exe contacting domains other than notepad-plus-plus.org, github.com, or release-assets.githubusercontent.com
  • gup.exe spawning unusual processes (it should only launch explorer.exe and legitimate, properly signed Notepad++ installers)
  • Suspicious files like update.exe or AutoUpdater.exe in %TEMP%
  • Use of curl.exe calling out to temp.sh for reconnaissance
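The four indicators above translate directly into hunting rules over endpoint telemetry. This is an added example, not from the article or from Notepad++: it runs the rules over a handful of constructed Sysmon-like event records (the field names, the signer string used to recognise a legitimately signed installer, and the placeholder domains are assumptions for the example).

```python
"""Hunt for the Notepad++ updater indicators in constructed endpoint telemetry.

Added example. Event records are constructed; the Sysmon-like field names
and the EXPECTED_SIGNER string are assumptions, not verified values.
"""
import ntpath
from typing import Dict, List
from urllib.parse import urlparse

UPDATER_IMAGE = "gup.exe"
# Hosts gup.exe is expected to contact, per the article's indicators.
EXPECTED_UPDATER_HOSTS = {"notepad-plus-plus.org", "github.com", "release-assets.githubusercontent.com"}
SUSPICIOUS_TEMP_NAMES = {"update.exe", "autoupdater.exe"}
RECON_HOST = "temp.sh"
EXPECTED_SIGNER = "Notepad++"  # assumed publisher name on a properly signed installer


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_temp(path: str) -> bool:
    # %TEMP% on Windows normally resolves to ...\AppData\Local\Temp\
    return "\\temp\\" in path.lower()


def legitimate_updater_child(event: Dict) -> bool:
    """gup.exe should only launch explorer.exe or a properly signed Notepad++ installer."""
    if basename(event.get("image", "")) == "explorer.exe":
        return True
    return event.get("signed") is True and event.get("signer") == EXPECTED_SIGNER


def cmdline_hosts(cmdline: str) -> List[str]:
    """Extract hostnames from URL-looking tokens in a command line."""
    hosts = []
    for token in cmdline.split():
        if "://" in token:
            host = urlparse(token).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def hunt(events: List[Dict]) -> List[Dict[str, str]]:
    """Return one finding per rule match, in event order."""
    findings = []
    for e in events:
        kind = e.get("type")
        image = basename(e.get("image", ""))
        parent = basename(e.get("parent_image", ""))

        if kind == "network" and image == UPDATER_IMAGE:
            host = e.get("dest_host", "").lower()
            if host not in EXPECTED_UPDATER_HOSTS:
                findings.append({"rule": "updater-unexpected-host", "detail": host})

        if kind == "process" and parent == UPDATER_IMAGE and not legitimate_updater_child(e):
            findings.append({"rule": "updater-unexpected-child", "detail": e.get("image", "")})

        if kind == "file" and in_temp(e.get("path", "")) and basename(e.get("path", "")) in SUSPICIOUS_TEMP_NAMES:
            findings.append({"rule": "suspicious-temp-file", "detail": e.get("path", "")})

        if kind == "process" and image == "curl.exe":
            if any(h == RECON_HOST or h.endswith("." + RECON_HOST) for h in cmdline_hosts(e.get("cmdline", ""))):
                findings.append({"rule": "curl-to-temp-sh", "detail": e.get("cmdline", "")})
    return findings


# Constructed telemetry: a benign update cycle interleaved with the four indicator patterns.
GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "network", "image": GUP, "dest_host": "notepad-plus-plus.org"},
    {"type": "network", "image": GUP, "dest_host": "update-mirror.example"},
    {"type": "process", "parent_image": GUP, "image": r"C:\Windows\explorer.exe", "signed": True, "signer": "Microsoft Windows"},
    {"type": "process", "parent_image": GUP, "image": TEMP + r"\update.exe", "signed": False},
    {"type": "file", "path": TEMP + r"\AutoUpdater.exe"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://temp.sh/upload-placeholder"},
    {"type": "process", "parent_image": GUP, "image": TEMP + r"\npp.8.8.8.Installer.x64.exe", "signed": True, "signer": EXPECTED_SIGNER},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']}: {f['detail']}")
```

The unexpected-child rule deliberately requires both a valid signature and the expected publisher rather than matching on the installer file name, because the attacker-delivered binaries in this campaign were themselves dropped into %TEMP% with updater-like names.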

However, it is still unclear how attackers hijacked updater traffic in the wild. Beaumont speculates that threat actors may have intercepted traffic at the ISP level to deliver malicious updates, though this would require substantial resources.

Notepad++ confirmed that its WinGUP updater was sometimes redirected to malicious servers, causing users to download compromised executables. The developers found a flaw in how the updater verified the authenticity and integrity of update files. If an attacker intercepted the traffic between the updater and Notepad++’s servers, they could force it to download and run a malicious binary instead of the legitimate update.

“The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file,” reads the report published by Notepad++. “In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and execute an unwanted binary (instead of the legitimate Notepad++ update binary). To mitigate this weakness and address the hijacking concerns raised by the security researchers, a new security enhancement is being introduced in this release of Notepad++.”


Pierluigi Paganini

(SecurityAffairs – hacking, Notepad++)