Last Week in Security (LWiS) - 2025-06-02
Stealth syscalls (@darkrelaylabs), VM introspection (@memn0ps), MareBackup LPE (@itm4n), Azure Arc C2 (@ZephrFish), Obfusk8 (@x86byte), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-05-27 to 2025-06-02.
News
- Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store - "Chrome's confidence in the reliability of Chunghwa Telecom and Netlock as CA (certificate authority) Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year." On 2025-08-01, Chrome will no longer trust certificates issued by Chunghwa Telecom and Netlock. There are still 109 unique CAs in the Chrome Root Store.
- Australian ransomware victims now must tell the government if they pay up - This only applies to the top 6.5% of businesses in Australia, and is only reported to the Australian Signals Directorate (ASD). While it resembles the rules for public companies in the United States, this looks more like ASD wants to know if a large ransomware campaign is hitting Australia before they read about it all over the news.
- [PDF] CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago - Your phone now asks you to trust an unknown device when connected, but what if that unknown device was itself also a keyboard and clicked accept for you? Works on Android and iOS devices in anywhere from 1.3 to 23 seconds. 10/10 hack.
Techniques and Write-ups
- Stealth Syscall Execution: Bypassing ETW, Sysmon, and EDR Detection - Some good ideas for your next loader.
- Hypervisors for Memory Introspection and Reverse Engineering - This post serves as a great introduction to using hypervisor "shims" to inspect and manipulate Windows "guests." Plus it uses the term "hyperjacking" (using your hypervisor shim to inject into/hijack the operating system's own hypervisor to disable protections), which is pretty awesome.
- Blasting Past iOS 18 - This, and the fact that you can target a huge population thanks to relatively homogeneous hardware, is why an iOS 0day costs millions of dollars.
- Gone in 5 Seconds: How WARN_ON Stole 10 Minutes - If you prefer Android exploitation, this write-up on CVE-2023-6241 is great.
- The Windows Registry Adventure #8: Practical exploitation of hive memory corruption - I didn't know the Windows registry hive used a custom memory allocator. The Windows registry is critical to Windows security, and exploiting it leads to SYSTEM more often than not.
- Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation - Windows' executable search order turns a single vulnerable entry in the system's PATH into an exploitable condition. In this case, a default scheduled task can be started by any user on the system to run an arbitrary exe (renamed to powershell.exe).
- CVE-2025-23009 & CVE-2025-23010: Elevating Privileges with SonicWall NetExtender - Another Windows local privilege escalation (LPE), this time via the third-party SonicWall NetExtender client.
- LOLCLOUD - Azure Arc - C2aaS - Use Azure as your command and control, including connecting to remote shell instances from the Azure portal! Notice the signature Ludus red desktop background in the endpoint folder creation screenshot. 😊
- Wireless Pivots: How Trusted Networks Become Invisible Threat Vectors - The power of probe requests for known, less-secure networks is shown here. Sure, your corporate WiFi is EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) with your own public-key infrastructure for end-to-end trust, but your employees connect to their home WiFi, which isn't (it's WPA2-Personal). When they come back to work, an attacker can use those probe requests to set up a rogue access point, convince the device to join their "home" network, and capture hashes.
- Revisiting COM Hijacking - An old favorite persistence method for Windows. And another Ludus desktop in the PoC video. 😊
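The MareBackup item above hinges on one precondition: a PATH entry that an unprivileged user can write to (or that is empty or relative) sitting in the search order before the directory that really holds the executable. The script below is an added example for auditing that precondition on your own hosts; it is not code from the linked write-up. It parses a Windows-style PATH value, flags empty, relative, and writable entries, and reports their position so you can see what is searched first. The sample PATH and the writability predicate used in the usage call are constructed for illustration.

```python
"""Audit a Windows-style PATH for entries that let a low-privileged user
influence executable search order. Added example, not from the linked post."""
import os
import ntpath
from typing import Callable


def default_is_writable(directory: str) -> bool:
    """Real check for the host this runs on: directory exists and the
    current user can create files in it."""
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def audit_path(path_value: str,
               is_writable: Callable[[str], bool] = default_is_writable
               ) -> list[tuple[int, str, str]]:
    """Return (position, entry, reason) for every PATH entry that could be
    abused. Position is 0-based search order; lower positions win when a
    bare executable name is resolved, so an entry ahead of the legitimate
    location is the dangerous one."""
    findings: list[tuple[int, str, str]] = []
    for position, raw in enumerate(path_value.split(";")):
        entry = raw.strip().strip('"')
        if not entry:
            # An empty element is treated as the current directory.
            findings.append((position, raw, "empty entry (current directory)"))
            continue
        if not ntpath.isabs(entry):
            # Relative entries resolve against whatever CWD the task runs in.
            findings.append((position, entry, "relative entry"))
            continue
        if is_writable(entry):
            findings.append((position, entry, "writable by current user"))
    return findings


def format_report(findings: list[tuple[int, str, str]]) -> str:
    """Human-readable one-line-per-finding summary."""
    if not findings:
        return "PATH audit: no risky entries found"
    lines = ["PATH audit: %d risky entr%s" % (len(findings),
                                               "y" if len(findings) == 1 else "ies")]
    for position, entry, reason in findings:
        lines.append("  [%d] %r -> %s" % (position, entry, reason))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample PATH; C:\Tools is pretended writable via the predicate.
    SAMPLE_PATH = r'C:\Windows\system32;C:\Windows;C:\Tools;;relative\bin'
    pretend_writable = lambda d: d.lower() == r"c:\tools"
    print(format_report(audit_path(SAMPLE_PATH, pretend_writable)))
    # On a real host, run with the default predicate against the live value:
    # print(format_report(audit_path(os.environ.get("PATH", ""))))
```

Run it with the machine PATH (not just the user's) on the hosts where the scheduled task exists; a finding whose position is lower than the directory holding the legitimate binary is the one to fix by tightening the ACL or removing the entry.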
Tools and Exploits
- boflink - Linker for Beacon Object Files.
- godump - A minimal, developer-friendly pretty-printer and debug dumper for Go structs, inspired by Laravel’s dump() and Symfony’s VarDumper.
- Obfusk8 - Obfusk8: Obfuscation library based on C++17 for windows binaries.
- termitty - The terminal automation framework.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- The Human Element: Why AI-Generated Content Is Killing Authenticity - A reminder that Last Week in Security is 100% curated and written by humans.
- KoviD - Red-Team Linux kernel rootkit.
- Undetectag - "This printed circuit disc turns off your AirTag for 4 hours, and then turn it on again for 1 hour, reducing the chance that the thief is able to locate it."
- Deep Dive: BadSuccessor – Full Active Directory Compromise - Step by step walkthrough of last week's BadSuccessor attack, two ways plus some detection guidance.
- microsandbox - Self-Hosted Platform for Secure Execution of Untrusted User/AI Code.
- ldapx - Flexible LDAP proxy that can be used to inspect & transform all LDAP packets generated by other tools on the fly. [You should watch DEF CON 32 - MaLDAPtive to understand the coolness of this tool.]
- MalDev Myths - "Since years i see techniques used in MalDev which are obsolete since a long time, or just applied wrongly."
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.