OmniProx (@ZephrFish), Phantom Chrome Extensions (Riadh Bouchahoua (@Synacktiv)), FIDO phishing (@dennis_kniep), VMware Tools LPE (@0xThiebaut), MSI lateral movement (@werdhaihai), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-09-22 to 2025-09-29.
News
- U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area - A "nation-state threat actor" set up, "more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites." The Secret Service claims this was to disrupt the United Nations general assembly happening in New York City. However, "within 35 miles" puts them really far away from the UN headquarters in NYC. It's probably just a standard SMS spam farm.
- [LinkedIn] In 2024, we observed a Time-to-exploit of -1 - A paywalled report from Google Threat Intelligence shows that in 2024 vulnerabilities were exploited before they were publicly known more often than after disclosure. Since the report is for customers only, it is unfortunately not possible to know the methodology or the sampling bias behind this data. Engagement bait?
- Analysis of a Ransomware Breach - Mudge reflects on Kerberoasting, the security conversation, and Senator Wyden's letter to the FTC (covered last week). If Microsoft had decided that Active Directory privilege escalation was a core issue in 2011, what would the cybersecurity industry look like today?
- Join the Huntress Annual Capture the Flag - "Every October for Cybersecurity Awareness Month, thousands of defenders join our month-long Capture the Flag competition. Whether you’re new to cybersecurity or a seasoned pro, you’ll face daily puzzles and real-world attack simulations that sharpen your skills and keep you on your toes."
- FlareOnOS v12.2 - "The Flare-On Challenge is the FLARE team's annual Capture-the-Flag (CTF) contest. It is a single-player series of Reverse Engineering puzzles that runs for every fall."
Techniques and Write-ups
- Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) - Spoiler: It Is Bad (Part 2).
- The Phantom Extension: Backdooring Chrome Through Uncharted Pathways - Browser access may be the only thing you need to accomplish operational objectives, so getting a Chrome extension installed without tripping defenses is paramount. This post shows exactly that, as well as three techniques to bypass the enhanced developer mode security. The Synacktiv private Chrome C2 "Cheef" looks pretty sweet as well.
- FIDO Cross Device Phishing - "This works ONLY if attacker has placed device(s) in BLE range (~150m) near the victim(s)." Physical Fast IDentity Online (FIDO) tokens are still the gold standard of authentication.
- You name it, VMware elevates it (CVE-2025-41244) - A trivial local privilege escalation for Linux guests running VMware Tools.
- BYOVD to the next level (part 1) — exploiting a vulnerable driver (CVE-2025-8061) - A Windows local privilege escalation using a Lenovo driver (LnvMSRIO.sys, patched 2025-09-09). Also note that Hypervisor-Enforced Code Integrity (HVCI) was disabled for this exploit.
- DCOM Again: Installing Trouble - Use the Windows Installer Custom Action server to install a driver remotely for lateral movement. I think it's funny that the Microsoft Installer internal name is Darwin, the same name Apple uses for the core Unix-like operating system that powers macOS, iOS, watchOS, etc. Naming things is hard.
- Is Mouse Input Random Enough for Generating Secret Keys? - Short answer: it depends on how many points you collect and whether you enforce a minimum travel distance between collected points, but it's probably good enough to be a source of randomness for generating a secure cryptographic key.
Tools and Exploits
- ConstructingDefenseLab - Ludus range for the Constructing Defense Lab.
- msi_lateral_mv - Lateral movement BOF using an MSI ODBC driver install.
- SetupHijack - SetupHijack is a security research tool that exploits race conditions and insecure file handling in Windows application installer and update processes.
- Appledb_rs, a Research Support Tool for Apple Platforms - This is the Windows Binaries Index for macOS/iOS. Code is: appledb_rs.
- OmniProx: Multi-Cloud IP Rotation Made Simple - AWS changed their terms of service, which technically made using AWS for IP rotation (a la fireprox) a violation of the terms (but not criminal). Code is: OmniProx.
- GunnerC2 - A modern, operator-friendly Command-and-Control framework for authorized red-team operations and research.
- AdaptixC2 v0.9 - Another update to the great open source C2.
- ThreadCPUAssignment_POC - A small experiment on assigning a process's threads to a specific CPU and then blocking that CPU with a high-priority thread.
- WerDump - A Beacon Object File (BOF) for Havoc/CS to bypass PPL and dump LSASS.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- [YouTube] Is the iPhone 17 the First Un-Breakable Phone? - A good video breakdown of the Memory Tagging Extension released in iOS 26 for the new iPhone 17 series (covered two weeks ago).
- [YouTube] I build a machine that turns you into a criminal - Interesting technical art piece.
- 0day.today.archive - An archive of 0day.today exploits.
- EasyTier - A simple, decentralized mesh VPN with WireGuard support.
- styx-emulator - Multi-architecture emulation for the modern era.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.