Sep 15 2025 Last Week in Security (LWiS) - 2025-09-15

News

• Specter Bash 2025 – October 6–9, 2025 | Denver, CO is SpecterOps' annual training event with a Halloween twist. Over four days, participants take part in SpecterOps courses on Red Team Operations, Tradecraft Analysis, Identity-driven Offensive Tradecraft, and Detection, led by the team behind BloodHound. When classes wrap up, evening sessions and community gatherings keep the energy going and give plenty of opportunities to connect with one another. Can’t attend in person? They have virtual options too! Last Week in Security readers get an exclusive 25% discount with code LWIS. Get the full details and register here. Sponsored

• Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple was the first major player to use Pointer Authentication Codes (PAC) in 2018, which added complicated step to iOS exploitation. Now they catch up to Google with Memory Integrity Enforcement (MIE), which was available on the Pixel 8 in 2023 as a developer feature called Memory Tagging Extension (MTE). However, in classic Apple vs Google fashion, MTE is disabled by default on Android and opt-in by apps, while on iOS on iPhone 17/Air it's enabled by default. As these devices become the center of digital lives, their security becomes increasingly important.
• VaultGemma: The world's most capable differentially private LLM - "Informally speaking, because we provide protection at the sequence level, if information relating to any (potentially private) fact or inference occurs in a single sequence, then VaultGemma essentially does not know that fact: the response to any query will be statistically similar to the result from a model that never trained on the sequence in question. However, if many training sequences contain information relevant to a particular fact, then in general VaultGemma will be able to provide that information." Eventually companies/governments will want to train models on very sensitive data and this research is a first step to making that possible while preserving the privacy of the input data.
• How Pixel and Android are bringing a new level of trust to your images with C2PA Content Credentials - Photos taken on the new Google Pixel 10 will have unique, timestamped certificates to attest the source of the image was a physical camera. Forging these certificates is certain to become a new area for attacks.
• Prepare your VBA projects for VBScript deprecation in Windows - VBScript will be disabled by default in 2026 or 2027, and eventually be completely removed from Windows. The language everyone wrote their first Office macro payload in will soon be gone.
• Microsoft to force install the Microsoft 365 Copilot app in October - Microsoft was going to do this back in 2024, then backed down due to outcry, and now that enough time is passed, they are back at it!
• Geedge & MESA Leak: Analyzing the Great Firewall’s Largest Document Leak - The best look into the inner workings of the most advanced internet censorship machine in the world and shows it's being exported to other countries besides China. The Great Firewall developers are not only actively probing for obs4, snowflake, and other traffic obfuscation endpoints outside of China to block, but they also do advanced analytics to monitor "unknown" obfuscated traffic, develop fingerprints, and potentially ban users. If you are in China using a novel obfuscation technique, if the firewall can fingerprint it and determines it to violate policy, it can then deploy that fingerprint to find others using the same technique.
• Hummelgaard wants to open a backdoor to our phones – and won't say where the line is. - "We need to break with the completely erroneous perception that it is every man's right to freedom to communicate on encrypted messaging services," said Danish Minister of Justice and chief architect of the current Chat Control proposal, Peter Hummelgaard. I guess Peter believes Article 8 of the [PDF] European Convention on Human Rights, "Everyone has the right to respect for his private and family life, his home and his correspondence," can be violated by the government to preemptively search every message for potential crimes.

Techniques and Write-ups

• [X] Deleting WHFB keys is hard - Using the Microsoft Graph API to delete Windows Hello for Business (WHFB) keys first requests the current key list, removes the key you want to delete, then updates the list. The update is much slower than the other steps so if you delete many keys in succession quickly, the update requests end up adding back the removed keys. If you delete 15 keys rapidly, you probably end up with 14 keys. This feels like a dangerous footgun, and hopefully Microsoft fixes it.
• You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819) - The popular voice over IP solution was targeted by a threat actor with an unauthenticated remote code execution 0day. Ironically they failed to clean up their cleanup script, which, in part, led to the discovery of their backdoor/exploit.
• COFFing out the Night Soil - You can now use Crystal Palace to assemble a capability with a .spec file! For more Crystal Palace content check out Crystal Palace API and Modular PIC C2 Agents (reprise).
• Weaponizing macOS auditd - The gap between a proof concept and weaponized technique can sometimes be huge. This post covers a low level investigation into a missing malloc zone and a solution.
• Dissecting DCOM Part 1 - Windows has a ton of services that communicate via COM/DCOM, so this part 1 article is a good place to start if you are unfamiliar with the Distributed Component Object Model.
• From Spotlight to Apple Intelligence: Abusing an 0day to steal the data that fuels macOS AI - iOS/macOS 26 were released today, and new features mean new bugs. However, this bug seems to be quite old, but Patrick found a way to exploit it by leaking data via notifications.
• Windows local privilege escalation through the bitpixie vulnerability - A good breakdown of pre-boot attacks on Windows. TPM + PIN is the way to go for protection.
• WSUS Is SUS: NTLM Relay Attacks in Plain Sight - Deprecated but still relay-able in many cases, even with HTTPS if you can get your hands on a trusted certificate.
• Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days - The holy grail of Linux exploitation, a 0-click, remote code execution as root. If you can reach the server message bus (SMB) port of a vulnerable Linux machine, you can get root. This is/was the EternalBlue of Linux (except SMB is on nearly every Windows machine, and on relatively few Linux machines).
• OPSEC: Read the Code Before It Burns Your Op - The open source community in security is amazing, but if you expect to pull tools off GitHub and use them without reviewing the code and testing in a sandbox like Ludus you're going to get burned... or worse.
• How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations - Threat actor installs Huntress free trial on their dev machine, which gives Huntress access to browser history and much more. Remember, endpoint detection and response is just another name for remote access tools.

Tools and Exploits

• BloodHound OpenGraph Challenge - OpenGraph is live in BloodHound 8.0, and SpecterOps wants to see what you can do with it. Share your research, writeups, or talks for a chance at challenge coins, swag, and even SpecterOps training or a trip to SO-CON 2026. Submit your work here. Sponsored

• ldap_bofs - Random BOFs for LDAP tradecraft.
• badpie - Proof-of-concept Python package index/mirror proxy tool
• agneyastra - A Firebase Misconfiguration Detection Toolkit. See: Agneyastra to the Rescue: Protecting your Firebase Projects before the Tea spills out!.
• diffalayze - LLM-based automated patch diffing. See: Automated Patch Diff Analysis using LLMs.
• pyLDAPGui - Python based GUI for browsing LDAP. See: pyLDAPGui - How It was Born.
• KittyLoader - KittyLoader is a highly evasive loader written in C / Assembly.
• wgslirp - A high-performance, user-space WireGuard router that forwards decrypted IPv4 traffic via generic TCP/UDP/ICMP socket bridges (slirp-style), requiring zero kernel privileges or custom netstacks.
• WSASS - This is the tool to dump the LSASS process on modern Windows 11.
• MFTool - Direct access to NTFS volumes.
• COMouflage - COM-based DLL Surrogate Injection.
• WatchDogKiller - PoC exploit for the vulnerable WatchDog Anti-Malware driver (amsdk.sys) – weaponized to kill protected EDR/AV processes via BYOVD.
• lutlol - Living Under the Land on Linux ~ BSides Belfast 2025.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• DotnetNoVirtualProtectShellcodeLoader - load shellcode without P/D Invoke and VirtualProtect call.
• Full M18 diagnostics revealed - Milwaukee power tool batteries have a built in microcontroller that stores all kinds of data about their use. Now with a little soldering, you too can check on your battery health!
• finch - Fingerprint-aware TLS reverse proxy. Use Finch to outsmart bad traffic—collect client fingerprints (JA3, JA4 +QUIC, JA4H, HTTP/2) and act on them: block, reroute, tarpit, or deceive in real time.
• rustnet - A cross-platform network monitoring terminal UI tool built with Rust.
• Early Exception Handling - Missed this post in the post-DEF CON rush.
• Hosting a WebSite on a Disposable Vape - Pretty wild that microcontrollers are so cheap they are disposable.
• Typosquat Detective - Spot the sneaky fake domains! Learn common tricks while you play.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.