Last Week in Security (LWiS) - 2025-03-17
Evilginx Pro (@mrgretzky), Pre-auth RCE in a CMS (@chudyPB), GOAD ADCS (@M4yFly), YouTube email disclosure (@brutecat), SAML parser bug (@ulldma.bsky.social/@ulldma@infosec.exchange), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-03-10 to 2025-03-17.
News
- Evilginx Pro is finally here! - The best credential phishing kit introduces a Pro version. If you're a professional red team, this should be part of your tooling.
- Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping.... - A novel sleepmask, novel process injection technique, new out-of-the-box obfuscation options for Beacon, asynchronous BOFs, and a DNS over HTTPS (DoH) Beacon. The option to disable auto scrolling in the console window may be the most welcome addition though.
- Password reuse is rampant: nearly half of observed user logins are compromised - No surprise here. The odds of your universal password being "stuffed" are much higher than the odds of a hacker exfiltrating your password manager database, which is why we continue to push password managers and multi-factor authentication (hardware tokens are best).
- AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution - Fake GitHub repositories are looking more and more legitimate thanks to "AI." This campaign was using game cheats and cracked software, but are your assessors checking their latest tools/exploits from GitHub for malware (or worse)? Testing in a safe but representative environment (using Ludus) before your customer's production network should be mandatory.
- GSMA RCS Universal Profile 3.0 specifications - End-to-end encryption is coming to cross-platform messaging (Android <-> Apple) by default soon. More encryption is always a good thing.
- Android's Linux Terminal app is now widely available on Pixels, and here's how to get it - You can now run a Debian virtual machine on your Pixel smartphone as a built-in feature of Android.
- Lawsuit Alleges $12 Billion "Unicorn" Deel Cultivated Spy, Orchestrated Long-Running Trade-Secret Theft & Corporate Espionage Against Competitor - Some serious insider threat allegations. The [PDF] complaint is worth a read, bravo to the Rippling General Counsel for signing off on this and the security team for pulling it off (see paragraph #93+).
Techniques and Write-ups
- Sign in as anyone: Bypassing SAML SSO authentication with parser differentials - SAML has always been a difficult protocol. ruby-saml (used in popular Ruby-based projects like GitLab) uses two different XML parsers, and by exploiting differences in how they process XML, an attacker in possession of a valid signed assertion for any user can fabricate assertions and impersonate any other user.
- Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies - From Evilginx to Modlishka, to browser-in-the-browser, to noVNC, and webRTC, this is probably the most comprehensive post on modern phishing techniques I've seen.
- CVE-2025-25599: A Cautionary Tale of Insecure Temporary Files - A classic insecure use of temporary files. Time it right, and you can read any file the webserver has access to - think configs with passwords, etc.
- Harden-Runner detection: tj-actions/changed-files action is compromised - GitHub actions are now part of the software supply chain and are being targeted.
- GOAD - part 14 - ADCS 5/7/9/10/11/13/14/15 - Get hands-on and exploit 8 more Active Directory Certificate Services vulnerabilities. You can set up a vulnerable environment with GOAD or in Ludus with ludus_adcs. Exchange - Part 1 - no creds just dropped today as well.
- Disclosing YouTube Creator Emails for a $20k Bounty - A creative path to leak the notification email of any YouTube partner with some protobuf tricks and deep knowledge of the YouTube API.
- Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS - A content management system built on Microsoft Web Services Enhancement 3.0 has many flaws. Since this is watchTowr, you know the post is going to be both entertaining and ruthless.
Tools and Exploits
- Xenon - A Mythic agent for Windows written in C. Read about the development here.
- ludus_mythic_teamserver - Ludus role for deploying a Mythic Teamserver onto Linux servers.
- truffleshow - A simple web viewer for TruffleHog JSON output.
- checkm8 - Bypassing Intel TXT's tboot integrity checks via a coreboot shim.
- SSH-Stealer - Smart keylogging capability to steal SSH Credentials including password & Private Key.
- DSViper - A powerful tool designed to bypass Windows Defender's security mechanisms, enabling seamless execution of payloads on Windows systems without triggering security alerts. [Debatable - the methods seem pretty simple, and it's pretty sketchy to download the C++ files from GitHub instead of packaging them in the repo]
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- The Security Conversation - Mudge, the creator of Cobalt Strike, is back! This non-technical post is about the importance of offensive security research and tooling, even if you don't like it. A more "raw" thread from Mudge is on Bluesky.
- cradle - CRADLE is a collaborative platform for Cyber Threat Intelligence analysts. It streamlines threat investigations with integrated note-taking, automated data linking, interactive visualizations, and robust access control. Enhance your CTI workflow from analysis to reporting—all in one secure space.
- Snake_Apple - Articles and tools related to research in the Apple environment (mainly macOS).
- TheTick - The Tick is the next evolution in covert access control system implants for simulating adversary-in-the-middle attacks.
- scorpi - A Modern Hypervisor (for macOS).
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.