It used to be that being a ML (Malicious Linguist) in someones garage was the rage, now we got “Hackers with Chinese characteristics” smh
He added a link to a deep dive for the backdoor used in the attack.
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
I’m so confused.
- It doesn’t say anything about “state-sponsored attackers” outside of the headline? What state? Why?
- Why is a Notepad app connecting to any servers or have credentials at all?
First of all, it says right in the blog post they believe it was a state-sponsored group in China:
Secondly, notepad++ is software. Software is not always written perfectly first go-round, so there may need to be updates made to the code. Rather than the developer going around to everyone’s houses with a USB stick, we make use of “the internet” to deliver those updates. For convenience, software updates are often automatic, with little to no user intervention required.
I hope that clears things up.
It wasn’t specifically notepad++ code, but a custom-written updater. That’s why it was connecting to the internet.
I mean, it is n++ code because the updater is part of the code base. They just didn’t have the connection to the update server hardened.
This was patched in like December, though.
