Risky Bulletin: WSUS Bug Under Attack
Podcast: Risky Bulletin (risk.biz)
Date: October 27, 2025
Host/Reader: Claire Aird
Prepared by: Catalyn Kim Panu
Overview
This episode delivers a rapid-fire update on the latest global cybersecurity news. The main theme centers on a critical, actively exploited vulnerability in Microsoft WSUS, but it also covers significant law enforcement actions, data breaches, regulatory changes, and emerging attack techniques worldwide.
Key Discussion Points & Insights
1. Active Exploitation of Microsoft WSUS Vulnerability
- Details:
- Microsoft has issued an out-of-band patch for a remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS).
- WSUS is critical for deploying Windows OS updates in closed networks.
- Exploit allows remote attackers to execute code on WSUS servers.
- Proof of concept code was released earlier in the month, and exploitation has since been observed by CISA, Huntress, Horizon 3, and iSecurity.
- Notable Quote:
“The update patches a vulnerability that’s being exploited in the wild. It targets the WSUS component, which helps administrators deploy Windows OS updates inside closed networks. The vulnerability allows remote code execution on WSUS servers.” (A, 00:17)
2. International Cybercrime & Enforcement
a. US Charges High-Tech Poker Cheats
- Details:
- 31 individuals, including ex-NBA coach Chauncey Billups, ex-NBA player Dee Jones, and Italian mob members, charged in a poker cheating scam.
- Scheme involved hacking card shuffling machines and using special sunglasses/contact lenses to detect invisible ink on cards.
- Victims lost at least $7 million.
- Notable Quote:
"The group also used specially designed sunglasses and contact lenses to read the back of playing cards that had been marked with invisible ink. Victims allegedly lost at least $7 million." (A, 00:53)
b. Thailand Revokes Citizenship Over Scam Compounds
- Details:
- Cambodian businessman and senator Fatsupapa (aka Lee Yong Fat) was stripped of Thai citizenship for running scam compounds.
- Authorities seized $2.1 million in assets.
- Seen as a signal from the new prime minister that the government will take a tougher line on scams.
- Notable Quote:
"Thailand’s new prime minister, Anutin Charnvirakul, said the revocation shows the government’s intention to be tougher on scam crimes." (A, 01:33)
c. Iran’s Hacking School Breached
- Details:
- The Ravin Academy database leaked ahead of its annual hacking contest; it included names, phone numbers, and class information.
- The academy was recently sanctioned by the US for training hackers tied to Iran's MOIS.
3. Regulatory & Policy Changes
- EU vs Meta and TikTok:
- Both companies were found to be violating the Digital Services Act (DSA) by restricting researchers' and academics' access to platform data and by offering users poor appeal options.
- Possible penalty: fines of up to 6% of global annual turnover if the violation is confirmed.
“If the European Commission ultimately rules against the companies, they could be fined up to 6% of their global annual turnover.” (A, 02:03)
- Russia Mulls Legalizing Security Research:
- A new bill intended to legalize white-hat hacking would require researchers to report the vulnerabilities they find.
4. Cyber Attacks and Data Breaches
- Russia’s Agricultural Watchdog Attacked (02:42):
- Hit by its second major attack this year; compromised certification platforms (Mercury and VetIS) caused food delivery delays.
- India’s WazirX Exchange Resumes After Hack:
- Service returns after a $235 million hack and subsequent court-approved restructuring.
- French Shooting Federation Data Breach (03:24):
- Nearly 274,000 members’ personal data stolen in a recent hack.
- Transport for London Ransomware Impact (03:48):
- Two teenagers tied to the Scattered Spider group have been charged; the attack cost £39 million, and the trial is set for June 2026.
- Belarus Blocks Russian Social Network VK (04:09):
- Censorship action by Belarusian authorities, likely due to unfavorable news shared on the site.
5. Emerging Threats and Attack Techniques
- Phishing Campaign Targets LastPass Users (04:24):
- Emails claim the recipient has been declared dead, luring users into revealing their master passwords; the campaign is tied to the Crypto Chameleon group.
“Users receive an email claiming they’ve been declared deceased by a family member, and it includes a death certificate as proof… When users attempt to cancel reports of their deaths, they authenticate and share their master passwords with the attackers.” (A, 04:27)
- Ransomware Payments Hit Historic Low:
- Only 23% of ransomware victims paid in Q3, the lowest on record according to Coveware.
- VoIP/SIP Server Vulnerabilities Exploited (05:17):
- Flaws in VoIP/SIP software from Taiwanese vendor 5V Technologies have been under active exploitation since January.
6. Security Research Findings and Industry Updates
- NTLMv1 Hash Extraction from Windows:
- SpecterOps found a way to extract NTLMv1 hashes from fully patched Windows systems by abusing Remote Credential Guard.
- Microsoft says the behavior is by design and will not fix it.
- HP Withdraws Faulty One Agent Update:
- The update deleted critical certificates, disconnecting users from enterprise services.
7. Microsoft Teams Location Feature
- Organizations will soon be able to locate employees based on Wi-Fi networks via Teams on Mac and Windows.
- Rollout planned for December.
- Quote:
“The feature is designed to let colleagues know what building a staff member is working in.” (A, 06:23)
Memorable Quotes
- On the WSUS Exploit:
“Proof of Concept code was published earlier this month and attacks have since been spotted by CISA, Huntress, Horizon 3 and iSecurity.” (A, 00:30)
- On Ransomware Payment Rates:
“The low figure validates the efforts of cyber defenders and law enforcement.” (A, 05:04)
Timestamps for Key Segments
| Segment | Timestamp |
|-----------------------------------------------------|---------------|
| WSUS Vulnerability Under Attack | 00:04–00:44 |
| US Poker Cheating Charges | 00:44–01:14 |
| Iran’s Hacking School Breached | 01:14–01:33 |
| Thailand Scam Citizenship Revocation | 01:33–02:03 |
| EU DSA vs Meta/TikTok | 02:03–02:26 |
| Russia’s Vulnerability Reporting Proposal | 02:26–02:42 |
| Russia Agricultural Agency Cyber Attack | 02:42–03:03 |
| WazirX Exchange Returns After Hack | 03:03–03:17 |
| French Shooting Federation Data Breach | 03:17–03:36 |
| London Ransomware Attack/Arrests | 03:36–04:09 |
| Belarus Blocks VK | 04:09–04:24 |
| LastPass Dead-Phishing Attack | 04:24–05:04 |
| Ransomware Victim Payment Rates | 05:04–05:17 |
| 5V Technologies VoIP Vulnerabilities | 05:17–05:32 |
| SpecterOps Windows NTLM Hash Extraction | 05:32–05:52 |
| HP One Agent Certificate Fault | 05:52–06:11 |
| Microsoft Teams Wi-Fi Location Update | 06:11–06:25 |
Tone & Style
Retains the Risky Business team's concise, direct reporting style: focused, authoritative, and occasionally dryly humorous. The episode moves briskly from one item to the next, prioritizing urgent threats and impactful developments.
Conclusion
This Risky Bulletin compresses a week’s worth of global cybersecurity incidents and insights into a highly digestible format. Key takeaways: the WSUS vulnerability is being exploited in the wild and should be patched immediately; major international cybercrime busts and data leaks continue; ransomware payment rates have plummeted; and new attacker techniques and policy shifts could significantly shape the landscape for defenders and researchers alike.
