Jul 28 2025 Last Week in Security (LWiS) - 2025-07-28

News

• Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84) - The Amazon Q extension for Visual Studio Code was hacked, sorry, had a "potentially unapproved code modification" that attempted to use a large langue model prompt to run a kind of AI-generated wiper. While Amazon said no end users were affected, it did attempt to run on at least one end users machine.
• GitHub Spark - Are "micro apps" coded with natural language and AI going to be the next big "app?" Google has an "experiment" called Opal that is very similar. It's also interesting that both Google's Opal announcement and Amazon's Kiro introduction blog post both pushed Discord as the place to get help and provide feedback. To me, this shows these tools are aimed at a younger audience.
• What are the new UK online safety rules and how will age checks on adult content be enforced? - The UK is now enforcing age verification with the familiar cry of "protect the children." Pressure against this may work, as the UK wants to weasel out of demand for Apple encryption back door following backlash. The "online safety rules" will impact large platforms like Facebook, TikTok, and even Wikipedia. It's not like having every site implement its own age verification system could lead to serious privacy breaches...
• Dating safety app Tea breached, exposing 72,000 user images - An app that required users to verify their identity left their Firebase database publicly exposed. Calling this a "hack" or "breach" is a bit of an exaggeration as it's more like putting all the data in a pile in the woods hoping no one would find it; no security, just a location they thought would be hard to find.
• VMware prevents some perpetual license holders from downloading patches - Broadcom continues to trash the VMware brand, focused on only the largest customers, to the determent of all others.
• WhoFi: Deep Person Re-Identification via Wi-Fi Channel Signal Encoding - You can now track individuals via Wi-Fi signal reflections from human bodies which create unique biometric signatures. Spooky! 👻

Techniques and Write-ups

• Escaping the Confines of Port 445 - Using Service Control Manager (SCM) to start Webclient service can provide operators with some lateral movement techniques. Don't forget to keep this in your opnotes as you're introducing a configuration change into the clients environment.
• The Guest Who Could: Exploiting LPE in VMWare Tools - The use of predictable pipe names and the lack of FILE_FLAG_FIRST_PIPE_INSTANCE which will fail if the pipe already exists means an attacker can create the vmware tools pipe with their own permission set before the SYSTEM level service. This eventually leads to local privilege escalation via arbitrary file write.
• Debugging the Tradecraft Garden - Rasta Mouse continues his exploration of the Tradecraft Garden, this time making it a little easier to write and debug on Windows.
• Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS - Microsoft introduced Active Directory Web Services (ADWS) is a web interface enabled by default on domain controllers. SoaPy - can be used to interact with and dump ADWS from a Linux host. This post has another Ludus domain spotted in the wild! 😊
• Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) - "It’s 2025, and at this point, we’re convinced there’s a secret industry-wide pledge: every network appliance must include at least one trivially avoidable HTTP header parsing bug - preferably pre-auth. Bonus points if it involves sscanf."

Tools and Exploits

• LudusMCP - Model Context Protocol server for managing Ludus lab environments through natural language commands.
• penguin - PENGUIN (Personalized EmulatioN Generated Using Instrumented Analysis) takes a target centric approach to rehosting using a precise and tailored specification of the rehosting process. [The description is underselling this tool, you can take arbitrary embedded firmware and get it up and running in an emulator with two commands.]
• [X] Any domain user can BSOD a 2025 Domain Controller - "This does not meet Microsoft's bar for immediate servicing." 🫠
• AdaptixC2 v0.7 - My current favorite open-source C2 got a new release, and v0.7 brings a scripting language to allow programatic control of the C2!
• Mistwalker - Create Entra Global Admin accounts from On-Prem.
• RAIWhateverTrigger - Local SYSTEM auth trigger for relaying - X.
• wambam-bof - A Cobalt Strike BOF that extracts access tokens from .tbres files. This BOF locates DPAPI-encrypted blobs stored in .tbres files, decrypts them in the current user context using CryptUnprotectData, and extracts the access token. This BOF is opsec safe and could be used as an alternate to office_tokens BOF.
• ratnet-rs - Rust port of RatNet, an anonymity network designed for mesh routing and embedded scenarios.
• Crystal-Loaders - A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• sinister-vsix - Blog/Journal on how to backdoor VSCode extensions.
• DarkLnk - Build sneaky & malicious LNK files.
• hyprnote - Local-first AI Notepad for Private Meetings.
• canine - Power of Kubernetes, Simplicity of Heroku.
• copyparty - Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps.
• s3grep - CLI tool for searching logs and unstructured content in Amazon S3 buckets.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.