Last Week in Security (LWiS) - 2025-04-28
TTTracer unmasks sleep obfs (@felixm_pw), GitHub spoofing (@pfiatde), Synology RCE (@ret2systems), netify scraper (@Jhaddix), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-04-21 to 2025-04-28.
News
- A New Kali Linux Archive Signing Key - "Bad news for Kali Linux users! In the coming day(s), apt update is going to fail for pretty much everyone out there... We lost access to the signing key of the repository, so we had to create a new one." Many professionals use this operating system with elevated privileges in customer networks. Update your signing key, or use the new 2025.1c installer.
- That one time I got charged with a criminal offense on behalf of a Windscribe user - Windscribe VPN defends its "no logs" claim in court. Mullvad has done this before in 2023, as has Signal.
- Android phones will soon reboot themselves after sitting unused for 3 days - iOS was the first major mobile OS to do it, now Android follows suit.
- MFA for machines Sponsored - Aembit, the non-human identity and access management company, is announcing the launch of its Identity Federation Hub at RSAC. Designed for DevOps and security teams, this new capability eliminates the operational and security risks of long-lived secrets by enabling seamless workload identity federation across clouds and services – without forcing developers to write custom auth logic. Learn more about Aembit.
Techniques and Write-ups
- Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow - Phishing-resistant multifactor authentication (i.e. hardware tokens) can be bypassed if Device Code Flow is enabled in Azure Entra, even if the hardware token is the only "allowed" authentication method. This novel extension of the technique uses a shadow browser and instantly redirects the victim to the legitimate site (login.microsoft.com). The demo is pretty wild. PoC is DeviceCodePhishing. squarephish2 is another Entra device code phishing tool released last week, focused on QR codes.
- Rude Awakening: Unmasking Sleep Obfuscation With TTTracer - "Traditional memory dumps are ineffective against implants leveraging sleep obfuscation since you'll most likely be dumping junk data. However, since tttracer.exe is taking a capture of a full execution, if we capture for long enough the decrypted implant should be recorded." The catch is that you need to be suspicious of a process before you can use this technique, so it's more of an incident response task than something you can find "unknown bad" with. On the plus side, tttracer.exe is preinstalled on Windows, which is nice.
- Fatal Vulnerabilities Compromising DJI Control Devices - Five vulnerabilities combine for a total takedown of DJI's RC Plus controller.
- Having fun with Github - A few different techniques to spoof GitHub commits, but the most fun is using issues to send emails from GitHub with your content - ripe for a nice targeted phishing campaign.
- Fuzzing Windows ARM64 closed-source binary - Windows is slowly moving to ARM, and the tooling is following right along. windows-arm64-qbdi-fuzzing is the repo that goes with the post.
- libAppleArchive: Arbitrary File Write - A Gatekeeper bypass for macOS, so long as you know the target's $TMPDIR. CVE-2024-27876 is the proof of concept.
- From NTLM relay to Kerberos relay: Everything you need to know - As NTLM is slowly phased out, Kerberos will become the standard authentication method in Windows networks. While Kerberos by itself does not prevent relay attacks (signing and channel binding do that), it does make relaying a bit more complicated. This post does a good job explaining how Kerberos relaying works.
- Beacon Object Files vs Tiny EXE Files - While Beacon Object Files (BOFs) have become the standard unit of "technique execution" among red teams, what if tiny EXEs were used instead of BOFs? Debugging would be a lot easier, that's for sure.
- Exploiting the Synology DiskStation with Null-byte Writes - RET2 Systems write-ups are always worth the read. This time they use a null-byte write to get root on a Synology DS1823xs+ NAS.
- Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) - At this point, if I were a company and saw watchTowr in my web logs downloading my product, I don't think I would sleep very well at night. Another "hmm, what is this?" to remote code execution journey - memes included. watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028 is the PoC.
- .NET GAC and NIC hijacking for lateral movement - This is one of the coolest lateral movement techniques I've read about in a long time. The ability to decouple the upload from the execution will make this very tricky to detect.
- Common Tool Errors - Kerberos - A good post to keep handy when doing anything Kerberos related.
Tools and Exploits
- damn-vulnerable-MCP-server - Damn Vulnerable MCP Server.
- DeviceCodePhishing - This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow when the victim opens the phishing link and instantly redirects them to the authentication page. Capable of bypassing FIDO, even if FIDO is the only authentication method available to the victim.
- squarephish2 - An advanced phishing tool that uses a technique combining the OAuth Device Code authentication flow and QR codes.
- Ghosting-AMSI - AMSI bypass via RPC hijack (NdrClientCall3). This technique exploits the COM-level mechanics AMSI uses when delegating scan requests to antivirus (AV) providers through RPC.
- Getting Shells at Terminal Velocity with Wopper - Automate the use of malicious plugins to get shells on WordPress with Wopper. wopper is the GitHub repo.
- PrimeEncryptor - PrimeEncryptor is a flexible Dynamic Shellcode Encryptor designed to generate encrypted shellcode using multiple encryption techniques.
- Scopify - Scopify is a Python command-line tool designed for penetration testers and bug bounty hunters to quickly gather and analyze infrastructure information (CDN, Hosting, SaaS) for a target company by scraping netify.ai. Developed by @Jhaddix and Arcanum Information Security.
- logon_monitor - A BOF to regularly check for active users on a target.
- Chronos - Time-Based Detection and Response for Safety-Critical Real-Time Embedded Systems - EDR Kernel Extension for FreeRTOS.
- paradox - macOS stealer PoC.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- malice-network - Next Generation C2 Framework.
- rem-community - Proxy/tunnel everything for red team!
- powerview.py - Just another Powerview alternative but on steroids.
- pad.ws - Whiteboard as an IDE, draw and code in your browser.
- KMDllInjector - Kernel-mode DLL injector.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.