Last Week in Security (LWiS) - 2025-10-20
WatchGuard RCE (@_mccaulay), BadSuccessor BOF (@_logangoins), ClubWPT hack (@samwcyo), MDE cloud vulns (@p0w1_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-10-06 to 2025-10-20.
News
- Ring Expands Community Requests to Additional Community Safety Partners - The Amazon owned home security company is now integrating its cameras with Flock Safety's "Nova" platform to enable dystopian levels of surveillance, sorry, a "public safety technology ecosystem." Security cameras are great, but not when they are used for mass surveillance. Norfolk, Virginia has run over 200,000 searches in Flock Safety's system with no warrants or oversight. Run your own closed systems with UniFi or Frigate.
- [QQ] Technical Analysis Report on the Cyber Attack on the National Time Service Center by the U.S. National Security Agency - "Throughout this incident, the NSA demonstrated world-leading capabilities in tactical concepts, operational techniques, encrypted communications, and anti-virus evasion." None of the "evidence" (screenshots of encrypted traffic or disassembled code) points directly to the NSA, and the smoking gun seems to be that this intrusion used an implant with modules and encryption, similar to the alleged leaked NSA tooling from 2016, but also to many other advanced implants.
- A major evolution of Apple Security Bounty, with the industry's top awards for the most advanced research - Apple is doubling the rewards for their bug bounty program. Hopefully this gets more exploit chains to Apple, and fewer to morally questionable governments.
- Support for Windows 10 ended on October 14, 2025. - Time to explore Linux! Ironic that International E-Waste Day was also October 14th.
Techniques and Write-ups
- yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) - At what point should a company start over if their enterprise security products lack security protections from 25 years ago?
- The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique - Props to Logan for emphasizing this new technique, creating a BOF for it, and of course using Ludus to test and demonstrate it.
- Hacking the World Poker Tour: Inside ClubWPT Gold’s Back Office - Love a good "huh what is that URL?" to "full access to all customer data" journey.
- LinkPro: eBPF Rootkit Analysis - Linux rootkits from threat actors are getting more advanced, but this one still uses LD_PRELOAD. Great analysis and diagrams of the complicated traffic flows by Théo.
- Weeding the Tradecraft Garden - Mudge is updating and expanding the Tradecraft Garden, which is now BSD licensed. The dynamic function resolution and optimizations along with mergelib make your position independent code easier to write. We're starting to see tooling based on the garden released by others!
- Exploit Development: Unveiling Windows ARM64 Pointer Authentication (PAC) - Not sure how often Windows ARM64 is seen in the wild, but Connor is always pushing the envelope with his research.
- Analyzing and Breaking Defender for Endpoint's Cloud Communication - Good insight into how Defender for Endpoint's cloud communication works, but it's going to be difficult to use operationally as getting to a point where you can modify the certificate validation of MsSense.exe probably would have caused some alarms. However, the ability to query the cloud for exclusions is very useful and unpatched.
- BYOVD to the next level (part 2) — rootkit like it's 2025 - "See how an attacker can abuse R/W primitives to manually map their own unsigned driver and completely bypass Driver Signature Enforcement (DSE)."
- macOS Shortcuts for Initial Access - There aren't a lot of initial access techniques for macOS. This one takes a lot of clicks, but it gets code execution.
Tools and Exploits
- Butler - GitHub Actions Oversight.
- execute-assembly-pico - A PICO for Crystal Palace that implements CLR hosting to execute a .NET assembly in memory.
- Crystal-Kit - This repo is a technical and social experiment to see if replacing Cobalt Strike's evasion primitives (Sleepmask/BeaconGate) with Crystal Palace PIC(O)s is feasible (or even desirable) for advanced evasion scenarios.
- LibTP - Crystal Palace library for proxying Nt API calls via the Threadpool.
- BadTakeover-BOF - Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover.
- InlineExecuteEx - A BOF that's a BOF Loader.
- PingOneHound - Six Degrees of Organization Admin. See PingOne Attack Paths for all the details.
- DetonatorAgent - Detonate malware on VMs and get logs & detection status.
- surveyor - Advanced Windows kernel analysis and system profiling tool. Provides comprehensive visibility into kernel callbacks, ETW sessions, driver analysis, and system state through both userland APIs and optional kernel driver integration.
- krakenhashes - KrakenHashes is a distributed password cracking system designed for security professionals and red teams.
- Singularity - Linux Kernel Rootkit for modern kernels (6x).
- CVE-2025-24990_POC - Proof of Concept CVE-2025-24990 (Agere Systems's driver).
- Aether - Self-mutating macOS implant.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- caddy-c2 - Caddy v2 module to filter requests based on C2 profiles.
- vnt - A simple and efficient remote networking and intranet penetration tool. Use with vnts.
- GraphPreConsentExplorer - A comprehensive list of usable Entra ID first-party clients with pre-consented Microsoft Graph scopes, in a simple YAML-file explorable with a simple HTML GUI.
- [PDF] Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites - "We observed unencrypted cellular backhaul traffic from several providers including cleartext call and text contents, job scheduling and industrial control systems for utility infrastructure, military asset tracking, inventory management for global retail stores, and in-flight wifi."
- Tunneling WireGuard over HTTPS using Wstunnel - I could see this being useful for bypassing firewalls or deep packet inspection.
- nylon - Dynamic Routing on WireGuard for everyone.
- [YouTube] It's Not Just You - The iOS Keyboard is Broken - Something strange is going on with input/animation vs output. Another theory is the swipe to type feature, but disabling that also doesn't fix the issue.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.