Last Week in Security (LWiS) - 2025-07-07
Lenovo Applocker bypass (@Oddvarmoe), Citrix Bleed 2 (@SinSinology, @inkmoro, Aliz Hammond), A+ adversary simulation (@quarkslab), DreamWalkers loader (@max2cbx), SigStrike (@rushter), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-06-30 to 2025-07-07.
News
- Content Independence Day: no AI crawl without compensation! - Cloudflare is blocking AI crawlers by default on sites it hosts/protects. Is this giving power back to publishers, or a move to become the marketplace for content and thus make a handsome middleman fee? Perhaps both. Of note, I learned that 402 Payment Required is a real HTTP status.
- Announcing Windows 11 Insider Preview Build 27891 (Canary Channel) - PowerShell 2.0 is not long for this world on Windows 11. Update your PowerShell tooling if you still have any left over from 2015.
- State Secrets for Sale: More Leaks from the Chinese Hack-for-Hire Industry - After the i-Soon leaks in 2024, there was no doubt about how Chinese tech companies were working for the state, but these leaks add even more evidence.
- [PDF] Audit of the Federal Bureau of Investigation's Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance - Ubiquitous surveillance is an issue for law enforcement too. Page 2 (pdf page 7) details how a Cartel in Mexico used phone data and the city's cameras to kill informants.
- [SRU] NEO_DISABLE_MITIGATIONS flag default should be true - In 2018, Meltdown and Spectre were the first speculative execution vulnerabilities, and they led to many mitigations. Unfortunately those mitigations carry real performance costs. Now Ubuntu is rethinking the tradeoff, at least for the Intel GPU compute runtime (NEO).
Techniques and Write-ups
- The Birth and Death of “LoopyTicket” – Our Story on CVE-2025-33073 - How curiosity leads to finding CVEs in plain sight. Also a bonus to see Ludus continue to help the security community.
- Kharon Agent: Demonstration of Advanced Post-Exploitation - Kharon is a fully position-independent code (PIC) agent for Mythic with advanced evasion capabilities, in-memory execution of .NET assemblies, PowerShell, shellcode and BOFs, lateral movement, pivoting and more.
- Extracting Sensitive Information from Azure Load Testing - Code execution and sensitive information extraction by injecting malicious code into JMeter JMX files or Python Locust files.
- Abusing Chrome Remote Desktop on Red Team Operations: A Practical Guide - Someone push a PR to LOLRMM! Surprised it is not in there already. We brought this one up in 2022.
- Taking SHELLTER: a commercial evasion framework abused in-the-wild - A leaked SHELLTER payload ends up in the hands of Elastic, they do a full work-up on it, and now Shellter has released a statement on how they feel about it. Safe to say the upcoming Shellter release will have extra love for Elastic EDR?
- How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) - A simple unauthenticated GET request leaks memory from an enterprise security gateway.
- RedirectionGuard: Mitigating unsafe junction traversal in Windows - Going after entire vulnerability classes is the most effective way to secure Windows. This requires developers to opt in however, so adoption will likely be slow outside of first party Microsoft code.
- Applocker Bypass on Lenovo Machines – the Curious Case of MFGSTAT.zip - Vendors are known to add "bloatware" to operating systems, but this zip file in the Windows system directory that is writable by all users is a strange one. AppLocker's default path rules trust everything under the Windows directory, so a user-writable file there is exactly what a standard user needs to run code the policy was meant to block.
- When too much access is not enough: a story about Confluence and tokens - This is a great post showcasing the thought process of adversary simulation. The author surveys the access they have along with constraints of the environment, sets up a representative test network (using Ludus perhaps?), then explores different avenues with pros and cons, creating and testing tooling before actioning the target.
- MemorySnitcher and the power of NtReadVirtualMemory - Intentionally leak function addresses to use them later. "So… is this useful? I am not sure, but it was fun to write about it :)" See MemorySnitcher for the code.
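The AppLocker item above hinges on a single fact: a file under a path that the default rules allow was writable by everyone. The PowerShell below is an added example, not code from Oddvar Moe's post, that walks the locations AppLocker's default path rules trust (%WINDIR%, %ProgramFiles%, %ProgramFiles(x86)%) and reports every file or directory on which a low-privileged principal holds write or create rights. The function name, the root list and the SID list are assumptions for this illustration; adjust them to your own policy and run it as a standard (non-admin) user.

```powershell
# Added example (not from the linked post). Finds files and directories under the
# AppLocker default-allowed roots that a low-privileged principal can write to.
# Assumptions: $Roots and $LowPrivSids below; run as a standard user.
function Find-LowPrivWritablePaths {
    [CmdletBinding()]
    param(
        [string[]]$Roots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        # Well-known SIDs that practically every interactive user carries:
        # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
        [string[]]$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    )

    # Rights that let a caller place or replace content. WriteData/CreateFiles and
    # AppendData/CreateDirectories share bit values, so both file and directory
    # ACEs are covered. The two generic bits catch ACEs that Get-Acl reports as raw
    # numbers (GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000).
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,CreateFiles,CreateDirectories,Delete')
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Access-denied on the ACL read just means we cannot inspect it; skip.
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    # Compare by SID so localized group names do not matter.
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # orphaned or untranslatable identity
                if ($LowPrivSids -notcontains $sid) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    IsDir     = $item.PSIsContainer
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage: list the hits, then compare them against the effective AppLocker rules
# (Get-AppLockerPolicy -Effective -Xml) to see which ones sit inside an allow rule.
Find-LowPrivWritablePaths | Sort-Object Path -Unique | Format-Table -AutoSize
```

Expect the well-known writable locations such as C:\Windows\Temp and C:\Windows\Tasks to appear; those are documented and usually covered by explicit deny rules. The hits worth chasing are the unexpected ones, like a vendor-dropped archive sitting directly in the Windows directory, because a standard user can overwrite such a file with a payload and AppLocker's default path rule will allow it to run. The walk is slow on a full system drive, so narrow $Roots when you only need to audit one tree.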
Tools and Exploits
- LDAPWordlistHarvester - A tool that extracts a client-specific wordlist from an Active Directory's LDAP data.
- TrollBlacklistDLL - Reads blacklist.txt and blocks the listed DLLs from loading, with an option to unblock them later. Patches LdrLoadDll in a local or remote process so that it returns DLL-not-found for those modules.
- SigStrike - Cobalt Strike beacon parser and crawler.
- kingfisher - Kingfisher is a blazingly fast secret-scanning and validation tool built in Rust.
- force-push-scanner - Scan for secrets in dangling commits on GitHub using GH Archive data.
- DreamWalkers - Reflective shellcode loader with advanced call stack spoofing and .NET support.
- PhantomInjector - Advanced In-Memory PowerShell Process Injection Framework.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- SockTail - Lightweight binary that joins a device to a Tailscale network and exposes a local SOCKS5 proxy. Designed for red team operations and ephemeral access into restricted environments using Tailscale’s embedded client (tsnet). Zero config, no daemon, no persistence - just a fast way in.
- terraform-azapi-nsgator - Terraform module for intelligent Azure Network Security Group (NSG) rule management.
- When Backups Open Backdoors: Accessing Sensitive Cloud Data via "Synology Active Backup for Microsoft 365" - If you're on Reddit, you might have noticed some users reporting that their Synology NAS was popped. Read more about CVE-2025-4679 here.
- ASRGEN - ASR Configurator, Essentials and Atomic Testing.
- gubble - gubble is a tool designed to audit Google Workspace group settings. It analyzes settings such as who can join, view membership, post messages, view conversations, and more to help identify potential security risks associated with group configurations.
- secrets-ninja - Secrets Ninja is a GUI tool for validating and investigating API keys discovered during pentesting and bug bounty hunting.
- LdrShuffle - Code execution/injection technique using DLL PEB module structure manipulation.
- godap - A complete terminal user interface (TUI) for LDAP.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.