Jan 01 1970 Sponsor Demo - SO

News

• MiraclePtr: protecting users from use-after-free vulnerabilities on more platforms. The Chrome team has taken steps to protect against user-after-free vulnerabilities, and it's paying off (at the price of 1-3% worse performance)!
• Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. Why could a non-production test tenant access senior leadership email? Interesting that these actors were looking for information about themselves. Very nation-statey.

• Specter Bash 2025 – October 6–9, 2025 | Denver, CO is SpecterOps' annual training event with a Halloween twist. Over four days, participants take part in SpecterOps courses on Red Team Operations, Tradecraft Analysis, Identity-driven Offensive Tradecraft, and Detection, led by the team behind BloodHound. When classes wrap up, evening sessions and community gatherings keep the energy going and give plenty of opportunities to connect with one another. Can’t attend in person? They have virtual options too! Last Week in Security readers get an exclusive 25% discount with code LWIS. Get the full details and register here. Sponsored

Techniques and Write-ups

• Calling Home, Get Your Callbacks Through RBI - If you're a fan of cloudflare. This is a good read. Circumvent Remote Browser Isolation (RBI) technology during offensive assessments.
• Ransomware Deployment Attempts Via TeamViewer - Traitorware is back at it again!
• Level Up Your Reporting - Fundamental concepts of writing a good offensive security report. Except you should never use pixelation to redact data!
• Stealing your email with a .txt file - Haven't seen a lot of enterprise wide use of roundcube but still a cool bug being exploited.
• Web3's Achilles' Heel: A Supply Chain Attack on Astar Network - Another episode of self-hosted runner exploitation. The researcher is banned from a bug bountry platform after hacking all the things... "The vulnerability allowed anyone who could fix a typo in the astarNetwork/astar repository to modify the release binaries for their validator nodes and wasm runtimes." He modified a 2 week old release with a single print statement, a release that would not be pulled by anyone following the docs to set up a validator. Seems like a reasonable PoC to me. 🤷
• Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining - We hope to see these more and more in the future. Technical write-ups of what threat actors are doing in the cloud can help shape our adversary simulation strategy.
• Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes - Another outlook vuln fresh off the press. Windows just really, really, wants to authenticate with NTLMv2.
• Insomni'hack 2024 CTF Teaser - Cache Cache. Normally I don't post CTF write ups, but this is a unique, Windows challenge based on a real vulnerability class (and a well done write up by the challenge author).
• The Second Wednesday Of The First Month Of Every Quarter: Juniper 0day Revisited. I am no longer surprised by insecure security appliances.
• Do not trust this Group Policy!. Some interesting GPO based LPEs that won't be fixed (for now).

Tools and Exploits

• Cobalt-Strike-Profiles-for-EDR-Evasion - Some ideas to modify CS profiles to bypass simple EDR checks. However, if you want to use SourcePoint I'm not sure I would trust the copy in this random repository...
• GraphStrike - Cobalt Strike HTTPS beaconing over Microsoft Graph API implemented as a user defined reflective loader (URDL). Appreciate the Why? section on this one. Better hope those Blue team network sensors have really good anomaly detection, because this will use legitimate microsoft domains for C2. However, now you have Microsoft's threat team to deal with, and there has been some discussion that they will ban accounts that conduct C2 over their API if they detect it.

• BloodHound OpenGraph Challenge - OpenGraph is live in BloodHound 8.0, and SpecterOps wants to see what you can do with it. Share your research, writeups, or talks for a chance at challenge coins, swag, and even SpecterOps training or a trip to SO-CON 2026. Submit your work here. Sponsored

• hi_my_name_is_keyboard. Zero click Bluetooth exploits for Android prior to the 2023-12-05 security patch (and Android <= 10 forever). Nice close access method to get payloads on an Android phone (assuming the target won't notice their screen acting up on its own). It also works against macOS and iOS (iOS < 17.2, Magic Keyboard Firmware < 2.0.6) if you can trigger it exactly when the computer/phone attempts to connect with an Apple Magic keyboard via Bluetooth.
• slippy-book-exploit - CVE-2023-44451, CVE-2023-52076: RCE Vulnerability affected popular Linux Distros including Mint, Kali, Parrot, Manjaro etc. EPUB File Parsing Directory Traversal Remote Code Execution.
• atril_cbt-inject-exploit - CVE-2023-44452, CVE-2023-51698: CBT File Parsing Argument Injection that affected Popular Linux Distros.
• Awaiting the Awaitables - Building the AwaitFuscator. I doubt this is practical for programs of any complexity, but it's got to be one of the most bizarre obfuscators since the movfuscator. Code here.
• proxy-helper-the-sequel - Port/rework of proxy-helper plugin for hak5 Pineapples.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.