Last Week in Security (LWiS) - 2025-04-07
Two weeks' worth of news, techniques, tools and exploits!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-03-24 to 2025-04-07.
News
- Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH - SSO-enabled SSH is now as easy as two lines in your sshd configuration file. opkssh - opkssh (OpenPubkey SSH) is the open source tool compatible with Google, Microsoft/Azure, and Gitlab OpenID Providers.
- Google announces Sec-Gemini v1, a new experimental cybersecurity model - The second cybersecurity-focused model from a big company, after Trend Micro's Cybertron dropped last month.
- A Sneaky Phish Just Grabbed my Mailchimp Mailing List - A good reminder that it can happen to anyone. Don't get complacent, and put in technical controls to protect yourself from attacks (hardware multi-factor authentication).
- Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations - More great research out of Citizen Lab. 0days for messaging apps exist and are being used against a variety of targets.
Techniques and Write-ups
- GitHub Actions and the Pinning Problem: What 100 Security Projects Reveal - GitHub project dependencies and transitive dependencies are one of the highest risks to the internet right now. This research should serve as an eye-opener on the issue. TLDR - Pin your GitHub Actions and minimize use of third-party actions that do not pin theirs.
- Social Engineering in Red Team Operations: Technical Setup and Tools - A technical overview of modern phishing infrastructure and considerations. Tactical knowledge of evasion techniques, along with the tools you can use, is also provided. Good write-up.
- IngressNightmare: CVE-2025-1974 - 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX - A set of critical unauthenticated remote code execution vulnerabilities in the Ingress NGINX Controller for Kubernetes that affect approximately 43% of cloud environments.
- MCP: An Introduction to Agentic Op Support - A good introduction to what a lot of infosec is talking about these days: how to implement AI agents that leverage Large Language Models (LLMs) alongside common tools to autonomously achieve goals (offensive and defensive).
- Bypassing SmartScreen (Domain-Wide) using DNS Sinkholing - While not a commonly acceptable configuration change in client environments during pentests/red teams, this post warrants discussion of how adversaries might impair the defensive capabilities of your environment once they gain the privileges to do so. How can we emulate/simulate this at scale? What happens when an attacker escalates privileges in your network and deploys an AppLocker policy to kill your EDR processes?
- CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition) - The bugs are over a year old, but the techniques are timeless.
- An Operator’s Guide to Device-Joined Hosts and the PRT Cookie - How an operator can perform reconnaissance prior to making an Entra ID token request and how tokens can be used once they are obtained.
- CCleaner Local Privilege Escalation Vulnerability on macOS - Weak protections on inter-process communication lead to privilege escalation in an old version of CCleaner.
- XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748) - Always fun to see cross site scripting (XSS) converted to full on remote code execution (RCE).
- Emulating an iPhone in QEMU - A journey to build your own Corellium.
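On the pinning point above: as an added, stand-alone example (not code from the linked research or from any tool in this post), a small stdlib-only checker that reads a workflow file and flags `uses:` references that are not pinned to a full 40-hex commit SHA. The workflow snippet and the SHA in it are constructed, not real.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example; the workflow text and the SHA below are constructed.
A tag (v5) or branch (main) can be moved by whoever controls the repo,
so only a full commit SHA is treated as a pinned reference.
"""
import re
from typing import List, NamedTuple

# `uses: owner/repo[/path]@ref  # optional comment`; local (./path) and
# docker:// references carry no @ref and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<note>.*))?$",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    action: str
    ref: str
    pinned: bool  # True only for a full 40-hex commit SHA
    note: str     # trailing comment, usually the tag the SHA corresponds to


def classify_uses(workflow_text: str) -> List[Finding]:
    """Return one Finding per remote action reference in the workflow."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group("ref")
        pinned = bool(FULL_SHA_RE.match(ref))
        findings.append(Finding(m.group("action"), ref, pinned, (m.group("note") or "").strip()))
    return findings


def unpinned(workflow_text: str) -> List[str]:
    """`owner/repo@ref` for every action referenced by a mutable tag or branch."""
    return [f"{f.action}@{f.ref}" for f in classify_uses(workflow_text) if not f.pinned]


# Constructed workflow: one SHA-pinned step (placeholder SHA), one tag, one branch.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: someorg/some-action@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in classify_uses(SAMPLE_WORKFLOW):
        print(f"{'PINNED  ' if f.pinned else 'UNPINNED'} {f.action}@{f.ref} {f.note}")
```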
Tools and Exploits
- Loki - 🧙‍♂️ Node JS C2 for backdooring vulnerable Electron applications.
- GhidraMCP - MCP Server for Ghidra.
- BloodHound-MCP-AI - BloodHound-MCP-AI is an integration that connects BloodHound with AI through the Model Context Protocol, allowing security professionals to analyze Active Directory attack paths using natural language instead of complex Cypher queries.
- roadrecon_mcp_server - Claude MCP server to perform analysis on ROADrecon data.
- sharefiltrator - Tool for enumeration & bulk download of sensitive files found in SharePoint environments.
- PatchGuardEncryptorDriver - An improved version of PatchGuard that I implemented, which includes integrity checks and other protection mechanisms I added.
- blackcat - BlackCat is a PowerShell module designed to validate the security of Microsoft Azure. It provides a set of functions to identify potential security holes.
- AzureFunctionRedirector - Code and tutorial on using Azure Functions as your redirector. Careful, Microsoft has been known to close subscriptions if they detect nefarious use.
- Inline-EA - Cobalt Strike BOF for evasive .NET assembly execution.
- FrogPost - postMessage Security Testing Tool.
- NativeNtdllRemap - Remap ntdll.dll using only NTAPI functions with a suspended process.
- NativeTokenImpersonate - Impersonate Tokens using only NTAPI functions.
- KeyJumper - This project demonstrates arbitrary kernel code execution on a Windows 11 system with kCET enabled, to create a keylogging tool by mapping kernel memory to userland. You can find a blog post about it here for more information.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- DCSyncHound - This script analyzes the DCSync output file from several tools (such as Mimikatz, Secretsdump and SharpKatz).
- RedTeamGrimoire - 🔥📜 Forbidden collection of Red Team sorcery 📜🔥.
- Internal_Pentest - Scripts that automate portions of pentests.
- SingleFile - Web Extension for saving a faithful copy of a complete web page in a single HTML file.
- GitHub Actions Dependency Scanner - Python script that recursively scans a GitHub repository’s workflows to uncover unpinned or unpinnable dependencies in your GitHub Actions usage.
- Getting the Most Value Out of the OSCP: The PEN-200 Labs - So cool to see a whole section on Ludus in this post!
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.