Last Week in Security (LWiS) - 2025-05-12
SysAid RCE (@SinSinology + @watchtowrcyber), defendnot (@es3n1n), iOS widget hacks (@brycebostwick1), Sword of Secrets (@GiliYankovitch), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-05-05 to 2025-05-12.
News
- Using AI to stop tech support scams in Chrome - Google is now shipping an LLM inside Chrome to determine whether never-before-seen sites that have "specific triggers", like using the keyboard lock API, are phishing pages. Only users with Enhanced Protection mode enabled send the LLM output to Google's Safe Browsing servers.
- Florida bill requiring encryption backdoors for social media accounts has failed - Stay vigilant. They'll be back.
- [YouTube] SpecterOps - SpecterOps Con 2025 (SO-CON) videos are now available!
- Sword of Secrets - A new open-source hardware CTF challenge - This upcoming hardware CTF looks promising. There is code already on GitHub.
- Microsoft now recommends disabling Secure Time Seeding - It seemed like a good idea to pull time data from SSL handshakes, but it turns out many implementations (e.g. OpenSSL) fill the time field with random data, which can cause the clock to swing wildly on Windows. This can cause serious issues with things like SQL Server. Ludus will disable STS on all Windows templates in the next release.
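For anyone who wants to follow Microsoft's recommendation by hand rather than wait for a template update, here is an added PowerShell snippet (not from the LWiS post, and not the Ludus implementation) that checks the current Secure Time Seeding setting and turns it off. The registry path and the `UtilizeSslTimeData` value name come from Microsoft's W32Time documentation; run it from an elevated prompt.

```powershell
# Added example: inspect and disable Secure Time Seeding (STS) on Windows.
# Registry location and value name are taken from Microsoft's W32Time docs,
# not from the LWiS post. Requires an elevated (Administrator) PowerShell.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Read the current setting. 1 = STS enabled (the default), 0 = disabled.
# If the value is missing, the default (enabled) applies.
$current = (Get-ItemProperty -Path $key -Name UtilizeSslTimeData -ErrorAction SilentlyContinue).UtilizeSslTimeData
if ($current -eq 0) {
    Write-Host 'Secure Time Seeding is already disabled.'
} else {
    Write-Host "Secure Time Seeding is enabled (UtilizeSslTimeData = $current); disabling."
    # Weak setting: UtilizeSslTimeData = 1 lets W32Time use TLS handshake
    # timestamps as a time source. Corrected setting: 0.
    Set-ItemProperty -Path $key -Name UtilizeSslTimeData -Value 0 -Type DWord
    # Make the Windows Time service re-read its configuration without a reboot.
    w32tm /config /update
}

# Confirm the effective value as seen by the time service.
w32tm /query /configuration | Select-String -Pattern 'UtilizeSslTimeData'
```

After the change, `w32tm /query /configuration` should report `UtilizeSslTimeData: 0`; if it still shows `1`, restart the `W32Time` service so the new value is picked up.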
Techniques and Write-ups
- Open-Source Toolset of an Ivanti CSA Attacker - The Ivanti hackers used some open source tooling like suo5, iox, and atexec-pro which Maxence Fossat and team have written some good detections for.
- Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages - Knowledge-driven fuzzing leads to a high-impact bug in macOS.
- Exploit detail about CVE-2024-26809 - An nftables use-after-free in Linux >= 6.1-rc1 and >= 5.15.54 allows local privilege escalation. Exploit targets Linux 6.1.79.
- How I ruined my vacation by reverse engineering WSC - @es3n1n is the author of no-defender, which used an Avast antivirus binary to disable Windows Defender through the Windows Security Center (WSC). Now they are back with a pure C++ version that doesn't require any external binaries.
- SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends) - "disclosing vulnerability research that allowed us to gain pre-authenticated Remote Command Execution against yet another enterprise-targeting product - specifically, SysAid On-Premise." If I were an enterprise cybersecurity product team, I would just hire watchTowr to save myself the public posting of exploits at this point.
- One-Click RCE in ASUS’s Preinstalled Driver Software - Hell hath no fury like a curious hacker. The worst part is the ASUS WiFi still didn't work after all that.
- Fuzzing Windows Defender with loadlibrary in 2025 - Fuzzing Windows components on Linux is still a bit of magic, but this post explores using AFL++ and honggfuzz along with a forked loadlibrary to make it work.
Tools and Exploits
- EvilentCoerce - A practical NTLM relay attack using the MS-EVEN RPC protocol and antivirus-assisted coercion.
- BOF-entra-authcode-flow - Beacon Object File (BOF) to obtain Entra tokens via authcode flow. Details in the blog post: Obtaining Microsoft Entra Refresh Tokens via Beacon.
- defendnot - An even funnier way to disable Windows Defender (through the WSC API).
- nyxppl - Windows Protected Process Light toggle tool — dynamically finds offsets and patches EPROCESS using RTCore64.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- AutoPwnKey - AutoPwnKey is a red teaming framework and testing tool using AutoHotKey (AHK), which at the time of creation proves to be quite evasive. It is our hope that this tool will be useful to red teams over the short term, while over the long term help AV/EDR vendors improve how they handle AHK scripts.
- [YouTube] Apple’s Widget Backdoor - Bryce is a hacker in the true sense of the word. "A hacker is a person skilled in information technology who achieves goals by non-standard means." He hacks with the clock and timer APIs as well as fonts to create fluid animations in widgets, which Apple doesn't allow, except for their own clock app of course. He's also a great presenter, even if you don't care about iOS widgets at all the video is entertaining and interesting. Code: WidgetAnimation - Proof of concept for Animated iOS Widgets using Public APIs.
- API-s-for-OSINT - List of APIs for gathering information about phone numbers, addresses, domains, etc.
- VMAware - VM detection library and tool.
- LsassHijackingViaReg - Injecting DLL into LSASS at boot.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.