Last Week in Security (LWiS) - 2025-10-27
DumpGuard (@bytewreck), GCC + VSCode (@_winterknife_), COM Research (@bohops), Gitlab to Cloud pivot (@0xC0rnbread), function peekaboo (@saab_sec), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-10-20 to 2025-10-27.
News
- Ex-L3Harris executive accused of selling trade secrets to Russia - $1.3 million USD in 3 years for selling trade secrets to Russia seems like a bad return on the risk. The executive was the former general manager of the company L3Harris formed after buying Azimuth Security, the company famous for "assisting" the FBI in gaining access to an iPhone in the San Bernardino case.
- WSUS attacks hit 'multiple' orgs as Google and other infosec sleuths ring Redmond’s alarm bell - Normally vulnerabilities don't make the news section, but this one seems pretty bad.
- The WhatsApp $1 Million Hack Mystery — What You Need To Know - When zero days are this valuable, will governments let the researchers disclose them on their own terms? Or is this a case of over-hyped "low-risk bugs?"
- A Solution to the CIA’s Kryptos Code Is Found after 35 Years - It wasn't decrypted, but found in an archive at the Smithsonian. There's a relevant cybersecurity lesson to be learned here: sometimes the solution/vulnerability is more easily found in a way the creator/maintainer/sysadmin didn't expect and/or involves an otherwise irrelevant third party.
- K000154696: F5 Security Incident - "A highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems." Looks like the nation-state threat actor stole, "source code and information about undisclosed vulnerabilities." Not great to find out that a nation-state has been chilling in the network of your firewall provider. F5 says there is no evidence of modification to the software supply chain, but they also didn't have evidence of a long-term breach until August 2025 so...
Techniques and Write-ups
- Tradecraft Garden’s PIC Parterre - Mudge dropping big updates to the Tradecraft Garden, this time adding multiple dynamic function resolution targets, global variables via a .bss section shoved into slack space, and a remap option that allows easy code reuse depending on the binary target.
- COM-to-the-Darkside - Slides and resources from MCTTP 2025 Talk.
- Breaking Into GitLab: Attacking and Defending Self-Hosted CI/CD Environments - A GitLab runner in EC2 with a role that grants permissions to AWS Systems Manager allows pivoting from GitLab into the cloud environment.
- Function Peekaboo: Crafting self masking functions using LLVM - "In this post, we will customize the LLVM compiler infrastructure to build a solution that enables self-masking capabilities for ordinary user-defined functions in a C++ source file. Self-masking means that a function remains in a masked (obfuscated or encrypted) state until it is invoked. Once execution enters the function, it is temporarily unmasked, and upon returning, it reverts back to its masked state." Code here: functionpeekaboo.
- O(N) the Money: Scaling Vulnerability Research with LLMs - A refreshing take on how LLMs can be used to scale vulnerability research with some open source tool releases.
- Windows ARM64 Internals: Exception & Privilege Model, Virtual Memory Management, and Windows under Virtualization Host Extensions (VHE) - Connor is back to drop more Windows ARM64 internals knowledge.
- Look At This Photograph - Passively Downloading Malware Payloads Via Image Caching - Using the browser cache to download malware payloads that a separate payload can parse and execute is pretty clever.
- Is Kerberoasting Still a Risk When AES-256 Kerberos Encryption Is Enabled? - TLDR: Yes. Humans are awful at picking passwords.
- Paint it Blue: Attacking the Bluetooth stack - Getting a working, unauthenticated, remote code execution exploit against two separate Android devices is impressive, even if the vulnerability was from 2023. This is the kind of spooky exploitation that truly advanced adversaries are capable of.
- Privescing a Laptop with BitLocker + PIN - BitLocker + TPM + PIN (or better yet, a passphrase) is good protection against physical attacks.
- Unseeable prompt injections in screenshots: more vulnerabilities in Comet and other AI browsers - Maybe steer clear of the AI browsers until the fundamental issue of untrusted data in LLM contexts is solved.
Tools and Exploits
- HawkTrace CVE-2025-59287 - WSUS exploit proof of concept, with an accompanying blog post.
- Honeypot-for-CVE-2025-59287-WSUS - Defensive PoC decoy for CVE-2025-59287 (WSUS) - emulates WSUS endpoints, captures request bodies and metadata, saves evidence for forensic analysis, and provides validation harness and detection rules.
- Find-WSUS - Helps defenders find their WSUS configurations in the wake of CVE-2025-59287.
- DumpGuard - Proof-of-Concept tool for extracting NTLMv1 hashes from sessions on modern Windows systems. Full details: Catching Credential Guard Off Guard.
- rpc2efs - Unauthenticated start of the EFS service on a remote Windows host (make PetitPotam great again).
- printerbugnew - The DCERPC-only version of printerbug.py.
- Apollo - A fork of the Mythic Apollo agent with support for the HTTPx C2 malleable profile.
- oswatcher - "Git for Operating Systems" - Track OS evolution, browse any version's filesystem, diff between any OS snapshot (release or update).
- WILDBEAST - Windows capability development using GCC and GNU Make.
- gopengraph - A Go library to create BloodHound OpenGraphs easily.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- slice - SAST + LLM Interprocedural Context Extractor.
- raink - Bleeding-edge fork of raink 🩸 Use LLMs for document ranking.
- Wyrm - The dragon in the dark. A red team post exploitation framework for testing security controls during red team assessments.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.