Notepad++ supply chain attack

Relevant:
https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Are most people just updating Notepad++ to 8.9.1?

1 Like

Yup, in our org the team is working towards upgrading Notepad++ and removing any manual installations to avoid the risk.

1 Like

We do have this fixlet available in updates for windows applications: Notepad++ (x64) 8.9.1 Available

Any device that had Notepad++ installed should probably be investigated for indicators of compromise (IoCs), but updating it is a good first step.

It also seems like a good idea to turn off the Notepad++ auto update, but also if that is on, that means the system was more exposed.

Related:

2 Likes

It seemed to me that the vulnerability only affected the internal auto-update process from the application itself. If you used external downloads, winget, or other sources, the issue didn't occur. I created an analysis with the IOCs from the Rapid7 and Orca Security sources and added the IOCs to Defender ATP to try to ensure we didn't see any within our environment. The recommendation I saw was to uninstall and reinstall to ensure any relics were removed, but if you don't have any vulnerable devices then I believe it should be OK to upgrade.

4 Likes

Can you share that here or on BigFixMe?

We are considering sharing content that runs this checker tool: GitHub - nHunter0/Notepad-vulnerability-checker

3 Likes

We have posted content for doing Notepad++ IoC checks. A fixlet and analysis. They are available here: content/solutions/notepad_plus_plus at master · bigfix/content · GitHub

This also does a basic check for Notepad++ installs in the analysis.

This is not based upon this script: GitHub - nHunter0/Notepad-vulnerability-checker

and is instead something developed internally by one of our team members.

1 Like

I completely missed that you asked me to share what I had in my analysis. I was primarily looking for network traffic in the IOCs and the existence of the files created during the Notepad++ vulnerability that don't exist under normal circumstances. I hadn't started looking at the hashes yet, but rather just the existence of the files, which isn't complete. I was looking at ProgramData primarily because of the conf.c artifacts in USOShared listed in the Rapid7 article.


if exists sockets whose (tcp of it AND exists tcp state of it AND established of tcp state of it AND exists remote address of it AND set of ("95.179.213.0"; "61.4.102.97"; "59.110.7.32"; "124.222.137.114") contains (remote address of it as string)) of network then concatenations ", " of ((remote address of it as string) & ":" & (remote port of it as string) & " (State: " & (tcp state of it as string) & ", Process: " & name of process of it & ", PID: " & (id of process of it as string) & ")") of sockets whose (tcp of it AND exists tcp state of it AND established of tcp state of it AND exists remote address of it AND set of ("95.179.213.0"; "61.4.102.97"; "59.110.7.32"; "124.222.137.114") contains (remote address of it as string)) of network else "No matching established C2 connections found"

if exists (find files ("update.exe"; "log.dll"; "BluetoothService.exe"; "BluetoothService*"; "*.nsi"; "u.bat"; "conf.c"; "libtcc.dll") of (it) of (folders ("\programdata"; "\programdata\USOShared") of root folders of drives)) then ((pathnames of it, parent folder of it, creation time of it, modification time of it, size of it, sha256 of it) of find files ("update.exe"; "log.dll"; "BluetoothService.exe"; "BluetoothService*"; "*.nsi"; "u.bat"; "conf.c"; "libtcc.dll") of (it) of (folders ("\programdata"; "\programdata\USOShared") of root folders of drives) as string) else "No Files Found"

if exists (find files ("AutoUpdater.exe"; "update.exe"; "log.dll"; "BluetoothService.exe"; "BluetoothService*"; "*.nsi"; "u.bat"; "conf.c"; "libtcc.dll") of (it) of (folders ("appdata\local\temp"; "\appdata\Local"; "appdata\Roaming"; "appdata\locallow"; names of folders of folders "appdata\local" of it; names of folders of it) of folders of folder "Users" of root folders of drives)) then ((pathnames of it, parent folder of it, creation time of it, modification time of it, size of it, sha256 of it) of (find files ("AutoUpdater.exe"; "update.exe"; "log.dll"; "BluetoothService.exe"; "BluetoothService*"; "*.nsi"; "u.bat"; "conf.c"; "libtcc.dll") of (it) of (folders ("appdata\local\temp"; "\appdata\Local"; "appdata\Roaming"; "appdata\locallow"; names of folders of folders "appdata\local" of it; names of folders of it) of folders of folder "Users" of root folders of drives)) as string) else "No Files Found"

2 Likes
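For readers who want to see the two checks above outside of BigFix relevance, here is an added Python example (not from the thread and not BigFix's published content) that does the same thing: it scans a list of directories for the IoC file names and patterns listed in the relevance, recording size, modification time and SHA-256 for each hit, and it filters netstat-style connection records for established TCP sessions to the remote addresses listed in the relevance. The directories, the files it creates in a temporary folder and the netstat lines are all constructed for the demo; on a real host you would pass the ProgramData, USOShared and per-user AppData paths and the output of netstat -ano instead.

```python
"""Added example, not from the forum thread or the BigFix content repo.
Re-implements the two relevance checks above in Python so they can be run
and tested offline. All sample data below is constructed for the demo."""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# File names/patterns taken from the relevance expressions above.
IOC_FILE_PATTERNS = (
    "AutoUpdater.exe", "update.exe", "log.dll", "BluetoothService.exe",
    "BluetoothService*", "*.nsi", "u.bat", "conf.c", "libtcc.dll",
)

# Remote addresses taken from the relevance expression above.
IOC_REMOTE_ADDRESSES = frozenset(
    {"95.179.213.0", "61.4.102.97", "59.110.7.32", "124.222.137.114"}
)


def sha256_of(path):
    """Stream-hash a file so large artifacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_ioc_name(name):
    """Case-insensitive match against the IoC names and wildcard patterns."""
    lowered = name.lower()
    return any(fnmatch.fnmatch(lowered, pattern.lower()) for pattern in IOC_FILE_PATTERNS)


def find_ioc_files(directories):
    """Return one record per IoC-named file found directly inside each
    directory (top level only, mirroring `find files ... of folder`)."""
    hits = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue  # missing folders are simply "no files found"
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and matches_ioc_name(name):
                stat = os.stat(path)
                hits.append({
                    "name": name,
                    "path": path,
                    "parent": directory,
                    "size": stat.st_size,
                    "modified": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
                    "sha256": sha256_of(path),
                })
    return hits


def find_c2_connections(netstat_lines):
    """Filter `netstat -ano`-style lines down to ESTABLISHED TCP sessions
    whose remote address is in the IoC set. Returns strings in the same
    shape the relevance above produces (address:port, state, PID)."""
    findings = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0].upper() != "TCP":
            continue  # UDP rows carry no state; malformed rows are skipped
        remote, state, pid = fields[2], fields[3], fields[4]
        remote_ip, remote_port = remote.rsplit(":", 1)  # rsplit keeps "[::1]" intact
        if state.upper() == "ESTABLISHED" and remote_ip in IOC_REMOTE_ADDRESSES:
            findings.append(f"{remote_ip}:{remote_port} (State: {state}, PID: {pid})")
    return findings


# Constructed netstat -ano style output: one IoC match, one benign session, one UDP row.
SAMPLE_NETSTAT = [
    "  TCP    10.0.0.5:51234     61.4.102.97:443       ESTABLISHED     4321",
    "  TCP    10.0.0.5:51235     142.250.72.14:443     ESTABLISHED     1234",
    "  UDP    0.0.0.0:5353       *:*                                    888",
]


def run_demo():
    """Build a constructed ProgramData-like tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="npp_ioc_demo_")
    uso = os.path.join(base, "USOShared")
    os.mkdir(uso)
    open(os.path.join(uso, "conf.c"), "wb").close()                 # empty IoC-named file
    with open(os.path.join(base, "BluetoothService.exe"), "wb") as f:
        f.write(b"not a real binary, constructed for the demo")
    with open(os.path.join(base, "readme.txt"), "w") as f:
        f.write("benign file that must not be reported\n")
    return find_ioc_files([base, uso])


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
    print(find_c2_connections(SAMPLE_NETSTAT) or "No matching established C2 connections found")
```

The file scan only looks at the top level of each directory, like the relevance does; if you want the recursive variant, swap the os.listdir loop for os.walk. Hash values should be compared against the published IoC hashes before a hit is treated as more than a file-name coincidence.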

I added a variation of what you posted here to the analysis here: content/solutions/notepad_plus_plus at master · bigfix/content · GitHub

I made some simplifications to the relevance.

2 Likes