I’m so confused.
- It doesn’t say anything about “state-sponsored attackers” outside of the headline? What state? Why?
- Why is a Notepad app connecting to any servers or having credentials at all?
First of all, it says right in the blog post they believe it was a state-sponsored group in China:

Secondly, notepad++ is software. Software is not always written perfectly first go-round, so there may need to be updates made to the code. Rather than the developer going around to everyone’s houses with a USB stick, we make use of “the internet” to deliver those updates. For convenience, software updates are often automatic, with little to no user intervention required.
I hope that clears things up.
It wasn’t specifically notepad++ code, but a custom-written updater. That’s why it was connecting to the internet.
I mean, it is n++ code because the updater is part of the code base. They just didn’t have the connection to the update server hardened.
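The "connection to the update server hardened" point above is what a self-updater's client-side checks are for. The following is an added illustration written for this thread, not Notepad++'s own updater code; the host name, version numbers, manifest layout and installer bytes are all constructed assumptions. It shows the checks a defender would expect before an auto-downloaded installer is run: transport must be HTTPS, the host must match a pinned name, the advertised version must not be a downgrade, and the downloaded bytes must match the manifest's SHA-256 digest. Hash pinning only helps if the manifest itself is authenticated (normally by a signature over it); that signature step is outside what this example covers.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed example values: the host, versions and payload below are
# placeholders for illustration, not values from any real updater.
ALLOWED_HOST = "updates.example.invalid"
CURRENT_VERSION = (8, 6, 0)


@dataclass(frozen=True)
class Manifest:
    """Metadata an update server returns describing an available release."""
    version: str   # e.g. "8.6.1"
    url: str       # where the installer is fetched from
    sha256: str    # hex digest the downloaded installer must match


def parse_version(text: str) -> tuple:
    """Turn '8.6.1' into (8, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def check_manifest(manifest: Manifest, current: tuple, allowed_host: str) -> list:
    """Return the reasons to refuse this manifest; an empty list means it passes.

    Each check closes one way an unauthenticated update channel can be abused:
    plaintext transport, an unexpected download host, a version rollback,
    or a manifest with no usable integrity value.
    """
    problems = []
    parts = urlparse(manifest.url)
    if parts.scheme != "https":
        problems.append("update URL is not https")
    if parts.hostname != allowed_host:
        problems.append(f"update host {parts.hostname!r} is not the pinned host")
    try:
        if parse_version(manifest.version) <= current:
            problems.append("manifest does not advance the installed version")
    except ValueError:
        problems.append("manifest version is malformed")
    digest = manifest.sha256.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        problems.append("manifest carries no usable sha256 digest")
    return problems


def verify_payload(payload: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded installer's digest with the manifest's value."""
    actual = hashlib.sha256(payload).hexdigest()
    # constant-time comparison avoids leaking how many leading hex chars matched
    return hmac.compare_digest(actual, expected_sha256.lower())


def decide(manifest: Manifest, payload: bytes,
           current: tuple = CURRENT_VERSION, allowed_host: str = ALLOWED_HOST) -> str:
    """Gate a downloaded update: 'accept' only if every check passes."""
    problems = check_manifest(manifest, current, allowed_host)
    if problems:
        return "reject: " + "; ".join(problems)
    if not verify_payload(payload, manifest.sha256):
        return "reject: installer digest mismatch"
    return "accept"


# Constructed sample installer and a manifest that correctly describes it.
GOOD_PAYLOAD = b"constructed installer bytes for the example"
GOOD_MANIFEST = Manifest(
    version="8.6.1",
    url=f"https://{ALLOWED_HOST}/npp-8.6.1.exe",
    sha256=hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
)

if __name__ == "__main__":
    print(decide(GOOD_MANIFEST, GOOD_PAYLOAD))          # accept
    print(decide(GOOD_MANIFEST, GOOD_PAYLOAD + b"x"))   # reject: installer digest mismatch
    plain = Manifest("8.6.1", f"http://{ALLOWED_HOST}/npp-8.6.1.exe", GOOD_MANIFEST.sha256)
    print(decide(plain, GOOD_PAYLOAD))                  # reject: update URL is not https
```

The order matters: the manifest is rejected before any bytes are trusted, so a plaintext URL or a rollback is refused without ever hashing the download, and a digest mismatch is reported only when the manifest itself looked sound.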
This was patched in like December, though.
It used to be that being a ML (Malicious Linguist) in someone's garage was the rage, now we got “Hackers with Chinese characteristics” smh
He added a link to a deep dive for the backdoor used in the attack.
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/