Last Week in Security (LWiS) - 2025-07-21

PIC agents (@_RastaMouse), ToolShell, Async BOFs (@Cneelis), SCCM MP relays (@unsigned_sh0rt), RAITrigger (@ShitSecure), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-07-14 to 2025-07-21.

News

  • A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers - "Digital escorts" with limited technical knowledge were supposed to oversee any work done on the Microsoft Cloud by engineers in China. “We’re trusting that what they’re doing isn’t malicious, but we really can’t tell.” 🫣 Microsoft's chief communications officer has said changes have been made and now, "no China-based engineering teams are providing technical assistance for DoD Government cloud and related services." How much code developed in China is used in the base Microsoft Cloud product, which is eventually used in the DoD Microsoft cloud? I doubt the "digital escorts" could have spotted any half-decent backdoors, when things like The Underhanded C Contest exist.
  • Cloudflare 1.1.1.1 incident on July 14, 2025 - "It's always DNS" is the sysadmin's mantra. This time it was anycast and Cloudflare's Data Localization Suite (DLS), combined with human error and insufficient technical controls that led to a global DNS outage for 1.1.1.1 users for about an hour.
  • All good things come to an end: Shutting down Clear Linux OS - Intel is attempting to stop the bleeding by cutting thousands of jobs and ending support for Clear Linux. The lead maintainer of Clear Linux, Arjan van de Ven, is still a Fellow at Intel.
  • Microsoft Fix Targets Attacks on SharePoint Zero-Day - After a few days of rampant exploitation, Microsoft has a fix for an unauthenticated remote code execution 0day, called "ToolShell," in SharePoint, the legacy but popular content platform used by enterprises and governments around the world. Both of the exploits used in ToolShell may be patch bypasses for previous vulnerabilities, which makes this even more 🤦. The guidance to disconnect affected products from the public-facing Internet is difficult to follow for a system designed to host public content. You know it's serious when Microsoft puts out customer guidance in addition to the normal knowledge base entry.
  • ICEBlock isn’t ‘completely anonymous’ - But no app is. - An interesting outcome of having Apple or Google run all push notifications for iOS and Android is that it's now impossible to make an app completely anonymous if you want to send users a push notification. I think the only way to achieve anonymous push notifications would be to "launder" them via another app like the amazing, open source, self-hostable ntfy.

Techniques and Write-ups

  • Kuba Gretzky: Wise Phishermen Never Trust The Weather - The Evilginx author discussed what it takes to have a successful phishing campaign in 2025.
  • My 'Blind Date' with CVE-2025-29824 - The author creates a proof of concept (crash) using a use-after-free bug in the Windows Common Log File System (CLFS) driver for Windows.
  • CVE-2025-6759: Local Privilege Escalation in Citrix Virtual Apps and Desktops - Virtual Private Network (VPN) or Virtual Desktop apps usually have some kind of SYSTEM-level service to facilitate low-level networking, and historically these have been a great place to look for local privilege escalation bugs on Windows.
  • Modular PIC C2 Agents - The future is modular. From putting together custom labs using modular roles in Ludus, to building command and control (C2) agents with modular position independent code elements, the flexibility, customizability, and reusability of modular solutions outweigh their small configuration setup barrier.
  • Async BOFs – “Wake Me Up, Before You Go Go” - Outflank C2 includes some new Beacon APIs to allow for threads to run while the main beacon sleeps and wake it when a user logs in or a process is started.
  • ControlPlane Local Privilege Escalation Vulnerability on macOS - A detailed walkthrough of a macOS local privilege escalation via a privileged helper. While the target application is unmaintained, this technique is applicable to many applications with privileged helpers.
  • I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays - SCCM is the gift that keeps on giving. Using some stored procedures and relaying NTLM to MSSQL, it's possible to get the policy secrets for unknown machines. In practice, these are domain credentials that are (usually) overprovisioned. I love seeing the Ludus domain all over this article. More research that was made possible by an assessor being able to easily set up a complex test environment and get straight to the fun stuff!

Tools and Exploits

  • stargate - Locate DLLs and function addresses without PEB walking and EAT parsing.
  • mprecon - A small script to collect information from a management point.
  • BloodfangC2 - Modern PIC implant for Windows (64 & 32 bit).
  • ludus_redirector - Role for setting up Redirectors in Ludus ranges.
  • ludus_sliver - Role for setting up Sliver C2 in Ludus ranges.
  • Ebyte-Go-Morpher - A Go program that parses, analyzes, and rewrites Go source code to apply multiple layers of obfuscation. It operates directly on the Go Abstract Syntax Tree (AST) and generates both obfuscated source files and runtime decryption logic.
  • CVE-2025-53770-Exploit - SharePoint WebPart Injection Exploit Tool. [Untested, use at your own risk]
  • RAITrigger - Local SYSTEM auth trigger for relaying.
  • remoteKrbRelayx - A tool for coercing and relaying Kerberos authentication over DCOM and RPC.
  • CVE-2025-4660 - PoC for CVE-2025-4660 demonstrating exploitation of the Forescout SecureConnector on Windows. More info here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • unicorn_pe - Unicorn PE is a Unicorn-based instrumentation project designed to emulate code execution for Windows PE files.
  • LoaderGate - A C# implementation of a shellcode loader that is capable of bypassing Cortex XDR and Sophos EDR.
  • evilreplay - Seamless remote browser session control.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.