Last Week in Security (LWiS) - 2025-02-25
ADIDNS Parser (@the_bit_diddler), Parallels LPE (@patch1t), PowerChell (@itm4n), SACL Scanner (Alexander DeMine of @SpecterOps), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-02-17 to 2025-02-25.
News
- Apple pulls data protection tool after UK government security row - There were leaks, but now it's official. Apple is “gravely disappointed” to have to remove Advanced Data Protection (ADP) from UK users. While the orders are still secret, having to disable full end-to-end encryption for data gives you an idea of what the UK government is after - the ability to collect data on any UK iCloud user whenever they want. Critically, iOS backups are not end-to-end encrypted under "standard protection," allowing those with access to the keys on Apple's servers to pull a full backup of all data on an iOS device that has been backed up to the cloud.
- Crypto exchange Bybit confirms hack as over $1.4 billion worth of ETH leaves wallets - We will likely never get a detailed post-mortem, but it looks like an extremely well done attack that involved malware infection and UI manipulation.
- Top 25 Cyber Security Newsletters — 2025 - LWiS made the list!
Techniques and Write-ups
- An inside look at NSA (Equation Group) TTPs from China’s lense - Research by @inversecos on why China has attributed Northwestern Polytechnical University (Chinese University) breach to the U.S. National Security Agency (NSA). "It is important to note that the authenticity and extent of these allegations remain unverified by independent sources." A key observation from the Chinese case notes was the extensive use of big data analysis, particularly in tracking “hands-on keyboard” activity.
- containerd socket exploitation part 1 and part 2 - Part 1 explains how to exploit the containerd socket using the ctr command-line tool for lateral movement or privilege escalation in containerized environments, while Part 2 delves into more complex techniques using curl when the ctr tool isn't available.
- SSRF on Sliver C2 teamserver via spoofed implant callback (CVE-2025-27090) - Cool find. The POC can be found here. Don't expose those teamservers!
- Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops - With deception technologies becoming pretty standard in mature environments, red teamers are incorporating them into their SOPs. New tool drop as well (SACL_Scanner)!
- LSA Secrets: revisiting secretsdump - If the old faithful secretsdump.py is getting caught, give regsecrets and dpapidump a shot!
- Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 3 - The final post of a 3-part series on how attackers can weaponize mount-based vulnerabilities.
- Dropping a 0 day: Parallels Desktop Repack Root Privilege Escalation - Unfortunate that, despite good-faith disclosure, this had to be dropped as a 0-day.
- How to Backdoor Large Language Models - "In this article, I want to explain why relying on “untrusted” models can still be risky, and why open-source won’t always guarantee safety. To illustrate, I built my own backdoored LLM called 'BadSeek.'"
- Reinventing PowerShell in C/C++ - Some really great research into writing a custom PowerShell console that evades pretty much every protection around PowerShell. Check out PowerChell - A PowerShell console in C/C++ with all the security features disabled.
Tools and Exploits
- ADIDNS_Parser - Parser and reconciliation tooling for large Active Directory environments.
- DitExplorer - Tool for viewing NTDS.dit. Read more: Exploring NTDS.dit – Part 1: Cracking the Surface with DIT Explorer.
- CVE-2025-24016 - CVE-2025-24016: Wazuh Unsafe Deserialization Remote Code Execution (RCE).
- SACL_Scanner - SACL Scanner is a tool designed to scan and analyze SACLs.
- implant.js - Proof-of-concept modular implant platform leveraging v8.
- msftrecon - MSFTRecon is a reconnaissance tool designed for red teamers and security professionals to map Microsoft 365 and Azure tenant infrastructure. It performs comprehensive enumeration without requiring authentication, helping identify potential security misconfigurations and attack vectors.
- SignalKeyBOF - BOF to decrypt Signal Desktop chat logs.
- SoaPy - SoaPy is a Proof of Concept (PoC) tool for conducting offensive interaction with Active Directory Web Services (ADWS) from Linux hosts.
- keycred - Generate and Manage KeyCredentialLinks.
- sonicrack - Decrypt encrypted SonicOSX firmware images.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- susinternals - psexecsvc - a Python implementation of PsExec's native service implementation.
- Nuclei AI Prompts - "Enhance your security testing with AI-powered Nuclei prompts."
- WhoYouCalling - Records an executable's network activity into a Full Packet Capture file (.pcap) and much more.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.