Last Week in Security (LWiS) - 2025-04-14
WinRMS relay (@Defte_), plaintext Zip attacks (@pfiatde), SQL Server Crypto deep dive (@_xpn_), FindUnusualSessions (@podalirius_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-04-07 to 2025-04-14.
News
- SSL/TLS certificate lifespans reduced to 47 days by 2029 - The CA/Browser Forum agreed unanimously to reduce certificate lifespans aggressively. Currently the lifespan of Domain Control Validation (DCV) certificates is 398 days.
- VMware ESXi 8.0U3e Now Has a Free Version: How to Get It - ESXi used to have a free version, then Broadcom bought VMware and, well, everything kind of fell apart. Looks like a free ESXi is back (no API or cluster support). For a better and more automated experience, try the free and open source Ludus built on KVM/QEMU/Proxmox.
- China-based SMS Phishing Triad Pivots to Banks - Phishing crews are using mobile OSes' built-in wallet features to convince victims to send them the bank verification codes needed to add the victims' cards to the scammer's mobile wallet, where they can then spend money from the cards until they are shut down.
Techniques and Write-ups
- Is TLS more secure, the WinRMS case. - "WinRM is protected against NTLM relay as communications are encrypted. However WinRMS (the one communicating over HTTPS) is not." 🤯
- Unsafe at Any Speed: Abusing Python Exec for Unauth RCE in Langflow AI - I wonder if this unauthenticated endpoint was "vibe coded" by AI?
- GitHub Copilot Custom Instructions and Risks - More AI risks: the old trick of Unicode zero-width characters is back, this time used to silently instruct AI to add backdoors or "telemetry" to projects. More at Pillar Security.
- Practical Known Plaintext Attack Against ZIP Files - After nearly a year, PfiatDe is back! The fact that zip file names and sizes are by default not encrypted is what allows this to work.
- The SQL Server Crypto Detour - A great journey into the depths of MSSQL encryption. Remember: "Always lab your target product before spending so much time in a disassembler." We couldn't agree more.
- Decrypting PDQ credentials - More encryption/decryption fun from the SpecterOps crew, with a tool release and a BOF.
- Kubernetes for Pentesters: Part 1 - A basic first introduction to Kubernetes (k8s).
Tools and Exploits
- InlineWhispers3 - Tool for working with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOF) using SysWhispers3 for EDR evasion.
- thread-call-stack-scanner - Safely manage the unloading of DLLs that have been hooked into a process. Context.
- ElfDoor-gcc - An LD_PRELOAD library that hijacks gcc to inject malicious code into binaries during linking, without touching the source code.
- go-internalmonologue - Get NetNTLMv2 in Go.
- FindUnusualSessions - A tool to remotely detect unusual sessions opened on Windows machines using RPC.
- RemoteMonologue - Weaponizing DCOM for NTLM Authentication Coercions. See: RemoteMonologue: Weaponizing DCOM for NTLM authentication coercions.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- shadow-rs - Windows Kernel Rootkit in Rust.
- eepy - Sleep obfuscation via ROP.
- WriteProcessMemoryAPC - Nim reimplementation of WriteProcessMemoryAPC.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.