Last Week in Security (LWiS) - 2021-03-29

Real APT discovery (@IgorBog61650384), a new heap exploitation technique (@Dooflin5), SAML injection (@NCCGroupInfosec), MemoryLoader IDA plugin (@RRBlackRussian), redacted PEM key recovery (@CryptoHack__), MirrorDump tool (@_EthicalChaos_), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-22 to 2021-03-29.



  • House of Mind - Fastbin Variant in 2021. This post (re)introduces GLibC heap exploitation method that works across all versions of the heap allocator and gives a write-what-where primitive. This is dense exploit development content.
  • APT Encounters of the Third Kind. Easily the best article of the week. Igor goes from noticing a discrepancy between his test setup and production pcap time vs packet counts to uncovering an in-memory only APT backdoor. If you are wondering what a real advanced persistent threat looks like, this is it.
  • SAML XML Injection. If you're testing an app with SSO abilities based on SAML, be sure to read this post.
  • PhishCatch: Detecting password reuse from the inside out. By hashing enterprise passwords and storing them locally, and hashing all passwords to compare, this Chrome extension can detect password reuse without compromising any credentials.
  • Recovering a full PEM Private Key when half of it is redacted. In just a few hours the wizards of the cryptohack Discord server managed to recover a RSA private key from a partially redacted screenshot. "Whether it’s a single bit leaking with Ladder Leak, or pieces of primes for a Coppersmith attack, partial information exposure of cryptographic private keys is often enough to totally break the crypto protocol. If you find something private, keep it that way."
  • Bypassing conditional access by faking device compliance.. This guide shows two different ways to make a device compliant in Microsoft InTune, even if you spoof it as a Commodore64.
  • Dumping LSASS in memory undetected using MirrorDump. Using boo and avoiding the classic dumping technique of calling OpenProcess, MirrorDump instead registers as a "legitimate" authentication provider with Windows and uses a handle to itself (lsass.exe) to do the dumping.

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • graphtage is a command-line utility and underlying library for semantically comparing and merging tree-like structures, such as JSON, XML, HTML, YAML, plist, and CSS files. This is sure to be useful in a shell script at some point.

This post is cross-posted on SIXGEN's blog.