Sep 02 2025 Last Week in Security (LWiS) - 2025-09-02

News

• Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - The third party Salesloft chatbot "Drfit" had their OAuth tokens used to compromise all (?) Salesloft customer's Salesforce accounts. Cloudflare has a detailed write up of their investigation.
• Hackers Issue Ultimatum to Google After Data Breach Warning - Being called out by name to be fired by a threat actor has to be a crowning achievement of a threat intel specialist right?
• A new layer of security for certified Android devices - Android does away with sideloading, requiring all apps to be from "verified developers." Android becomes a walled garden, much like iOS? "You either die a hero, or you live long enough to see yourself become the villain."
• The $69 Billion Domino Effect: How VMware’s Debt-Fueled Acquisition Is Killing Open Source, One Repository at a Time - Bitnami had 18 years of providing a trustworthy free service profitably, but like all things acquired by Broadcom, it now must be squeezed for every last cent.

Techniques and Write-ups

• Dough No! Revisiting Cookie Theft - Chromium based browsers have moved to protect cookies using Window's Data Protection API (DPAPI) and more recently Application Bound encryption primitives. That's just another hurdle for attackers, as is exposed in this post. With more and more data moving to Software as a Service (SaaS) applications, browser cookie compromise is becoming a bigger target. The use of our free and open source Ludus to setup a safe environment to test browser extensions is the always great to see. 😊
• When Azure Dynamic Groups Meet Weak ACLs - Entra ID's "dynamic groups" can enable some interesting attack paths. GenericWrite over a user on-prem can allow an attacker to add them to a department that gets Azure permissions based on a dynamic group filter. Look for attributed based rules in Entra ID on your next hybrid assessment.
• DLL Sideloading for Initial Access – Red Team Operator's Guide - A new tool and some guidance for picking DLLs to sideload for initial access.
• Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel - A very technical post on the 2025 Pwnie Award for the Best Privilege Escalation, a Use-After-Free in the Linux kernel.
• AgentHopper: An AI Virus - New tools, same problems. The next generation needs to read Ken Thompson's classic [PDF] Reflections on Trusting Trust.
• Advisory - Netskope Client for Windows - Local Privilege Escalation via Rogue Server (CVE-2025-0309) - "In Netskope Windows client versions prior to R129, It was possible to escalate privileges by forcing the client into enrolling into a rogue Netskope server. This could be abused by a low-privileged, local user in order to escalate their privileges on the client host to that of the stAgentSvc service, which runs with SYSTEM privileges."
• Cache Me If You Can (Sitecore Experience Platform Cache Poisoning to RCE) - Move over Adobe Experience Manager (AEM), another enterprise content management system has some remote code execution vulnerabilities!
• The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309) - The CrushFTP is slightly older news, but the mention of a, "universal in-memory kernel backdoor that we can inject into virtualized appliances, allowing us to universally jailbreak appliances and deploy EDR-tier capabilities onto the device itself to capture network, disk, and memory artifacts when exploitation occurs" is very interesting.
• All You Need Is MCP - LLMs Solving a DEF CON CTF Finals Challenge - An MCP server hooked up to IDA Pro solves and then patches a DEF CON CTF challenge with minimal prompting.

Tools and Exploits

• ADSyncDump-BOF - The ADSyncDump BOF is a port of Dirk-Jan Mollema's adconnectdump.py / ADSyncDecrypt into a Beacon Object File (BOF) with zero dependencies.
• thermoptic - A next-generation HTTP stealth proxy which perfectly cloaks requests as the Chrome browser across all layers of the stack.
• DllShimmer - Weaponize DLL hijacking easily. Backdoor any function in any DLL.
• UpSkope - Custom IPC Client and Proof of Concept exploit for CVE-2025-0309 (Netskope Windows Client LPE).
• NTSleuth - Comprehensive Windows Syscall Extraction & Analysis Framework.
• BYOVD-DriverKiller - Driver Reversing & Exploitation.
• VMDragonSlayer - Automated multi-engine framework for unpacking, analyzing, and devirtualizing binaries protected by commercial and custom Virtual Machine based protectors. Combines Dynamic Taint Tracking, Symbolic Execution, Pattern & Semantic Classification, and Machine Learning–driven prioritization to dramatically reduce manual reverse engineering time.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• SAMLSmith is a C# tool for generating custom SAML responses and implementing Silver SAML and Golden SAML attacks. It provides comprehensive functionality for security researchers and penetration testers working with SAML-based authentication systems.
• You no longer need JavaScript - I agree. LWiS uses no JavaScript except for the search bar.
• 300k+ Plex Media Server instances still vulnerable to attack via CVE-2025-34158 - The popular media streaming software was the initial access vector for the LastPass Hack. Update!
• pipe-intercept - Intercept Windows Named Pipes communication using Burp or similar HTTP proxy tools.
• omarchy - Opinionated Arch/Hyprland Setup.
• OptixGate - Open-source multi-purpose remote access tool for Microsoft Windows.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.