Last Week in Security (LWiS) - 2025-02-10
Mythic C#/BOF support (@its_a_feature_), Ludus guide (@sherif_ninja), Windows shadow stacks (@33y0re), Orbit scanner (@BHinfoSecurity), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-01-27 to 2025-02-10.
News
- A 25-Year-Old Is Writing Backdoors Into The Treasury’s $6 Trillion Payment System. What Could Possibly Go Wrong? - After spending years complying with strict government cybersecurity regulations as a contractor, this feels like a slap in the face. It has been ordered to stop by a court, but what Treasury and DOJ mean by ‘read-only’ access is in question. Good thing Marko Elez has the YOLO badge on GitHub. Another DOGE employee seemingly has a history of cybercrime.
- Apple ordered to open encrypted user accounts globally to UK spying - While it's not unusual for a country to force tech companies to hand over information on their own citizens (e.g. the USA, China, etc.), the UK is demanding data on anyone who has an Apple/iCloud account, anywhere. It will be interesting to see Apple's reaction, although there are gag orders so it may take another leak to find out what happens. Now is as good a time as any to turn on Advanced Data Protection for iCloud.
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence - The issue with easy-to-use package systems is... the malware. The difference between boltdb-go/bolt and boltdb/bolt is an infected machine. The unique structure of the Go module proxy cache made this really difficult to spot unless you downloaded the package from the proxy itself; the backing GitHub repo was clean.
- Cloudflare incident on February 6, 2025 - A simple abuse report led to the accidental takedown of the global R2 (file storage) gateway for an hour. Oops. All major tech companies have these outages, but Cloudflare has a great history of transparency.
Techniques and Write-ups
- Forging a Better Operator Quality of Life - The Mythic C2 platform has introduced a way to easily use C# assemblies and Cobalt Strike Beacon Object Files (BOFs) with Mythic agents. If you're building a custom C2, consider only writing an agent and letting Mythic handle all the backend C2 for you.
- Llama's Paradox - Delving deep into Llama.cpp and exploiting Llama.cpp's Heap Maze, from Heap-Overflow to Remote-Code Execution. - Ever wondered what a modern heap overflow to RCE exploit looks like on Linux? Well, here is the best example I have seen!
- Build Your Own Offensive Security Lab A Step-by-Step Guide with Ludus - A great write up that covers not only the basics of Ludus but also some advanced tricks!
- Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows - The king of long-form technical articles is back! In this one, Connor explores the low-level details of Intel's Control-Flow Enforcement Technology (CET) shadow stacks in Windows' secure kernel. Side note, Prelude has made some interesting hires recently - first Matt Hand, now Connor McGarr... what are they cooking?
- 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur - The gang at watchTowr do it again. Registering abandoned S3 buckets leads to epic amounts of potential compromise. Imagine if a ransomware crew did this instead of a well-natured cybersecurity company.
- Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793) - I don't have the stats to back this up, but it feels like the Mali GPUs of Android phones are the source of a lot of serious Android exploits.
- Endless Exploits: The Saga of a macOS Vulnerability Struck Nine Times - Security is hard. It took 9 patches to finally stop the exploitation of PackageKit bugs (some patches introduced new bugs!).
- The Key to COMpromise - Abusing a TOCTOU race to gain SYSTEM, Part 2 - Some advanced COM hijacking against AVG Internet Security to gain SYSTEM privileges.
- Further Adventures With CMPivot — Client Coercion - How CMPivot, a component of Microsoft Configuration Manager, can be exploited to coerce SMB authentication from client machines. This could equate to privilege escalation opportunities in an SCCM/ConfigMgr environment.
- Bring Your Own Trusted Binary (BYOTB) – BSides Edition - Basically sprinkle some signed alternatives to ligolo-ng on your next engagement.
Tools and Exploits
- tspatch.c - "Tired of using ts::multirdp, because Mimikatz is a no-go nowadays and gets flagged anyway most of the time? Well, here is a standalone patching implementation with Win11 support"
- lolc2.github.io is a collection of C2 frameworks that leverage legitimate services to evade detection.
- pool_party_rs - A remote process injection tool that uses the techniques described in The Pool Party You Will Never Forget and found in PoolParty.
- bloudstrike - Linux CS bypass technique.
- raccoon - A C# tool for extending the screenshot functionality of Command and Control (C2) frameworks. The tool was developed to take targeted screenshots of processes even if their window is minimised. Check out the original blog.
- Stifle - .NET Post-Exploitation Utility for Abusing Explicit Certificate Mappings in ADCS.
- StringReaper - Reaping treasures from strings in remote processes' memory.
- ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
- CVE-2024-38143 - Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability.
- orbit - Orbit is a powerful platform designed to facilitate large-scale Nuclei scans, enabling teams to efficiently manage and analyze scan results.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- BloodHoundViewer - BloodHound CE Enhancement Extension - A Chrome extension that enhances BloodHound Community Edition with additional features including query history navigation, improved layout controls, and a Neo4j button.
- ludus_caldera_server - Ansible role to install a CALDERA server for LUDUS.
- ludus_caldera_agent - Ansible role to install a CALDERA agent for LUDUS.
- ludus_aurora_agent - Ludus role to install the free Windows EDR Aurora.
- ludus-ad-vulns - Ludus role that adds vulnerabilities in an Active Directory.
- AzureRedirector - A C# project that builds a Web Application which redirects all HTTPS.
- OSX-PROXMOX - Voilà, install macOS on ANY computer! This is really the easiest (and magic) way!
- caReports - Conditional Access Reporting.
- doom-captcha - A DOOM®-based CAPTCHA for the web.
- well-architected-iac-analyzer - Well-Architected Infrastructure as Code (IaC) Analyzer is a project that demonstrates how generative AI can be used to evaluate infrastructure code for alignment with best practices.
- Vergilius - Take a look into the depths of Windows kernels and reveal more than 60,000 undocumented structures.
- The Company Portal app – A deep dive into bridges - Thorough explanation on how Microsoft's Company Portal app uses two bridge components - ConfigMgr Bridge and Intune Management Extension Bridge - to handle application installations and device management functions in Windows.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.