A bug in Microsoft WSUS is under attack, Thailand revokes the citizenship of a scam-linked businessman, the US charges high-tech poker cheats and Iran's top hacking school is breached. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 27th of October and this podcast episode is brought to you by Knocknoc.

In today's top story, Microsoft has released an out-of-band security update for Windows Server Update Services. The update patches a vulnerability that's being exploited in the wild. It targets the WSUS component, which helps administrators deploy Windows OS updates inside closed networks. The vulnerability allows remote code execution on WSUS servers. Proof of concept code was published earlier this month and attacks have since been spotted by CISA, Huntress, Horizon3 and Eye Security.

In other news, US authorities have charged 31 individuals over their roles in a poker cheating scheme that used hacked card shuffling machines. Suspects include former NBA coach Chauncey Billups, former NBA player Dee Jones and members of the Italian mob. The group used celebrities to lure victims to high-stakes poker games which were rigged by the hacked machines. The group also used specially designed sunglasses and contact lenses to read the back of playing cards that had been marked with invisible ink. Victims allegedly lost at least $7 million.

A private school that trains hackers for Iran's intelligence service has suffered a security breach. A database containing information about students of the Ravin Academy was published online last. The data contains student names, phone numbers and classes attended. The leak occurred days before Ravin Academy was set to hold its annual Tech Olympics hacking contest. The US Treasury sanctioned the academy in 2022 for training hackers for the MOIS.

Thailand has revoked the citizenship of a Cambodian businessman for running scam compounds. Authorities seized $2.1 million from Phat Suphapha. Thailand's new prime minister, Anutin Charnvirakul, said the revocation shows the government's intention to be tougher on scam crimes. Suphapha is a Cambodian senator who also goes by the name of Ly Yong Phat. He was sanctioned by the US Treasury in September last year.

The EU says Meta and TikTok are violating the bloc's Digital Services Act by not providing academics and researchers access to their data. In a preliminary investigation, Meta was also found in violation of the DSA because Facebook and Instagram didn't provide users an easy way to appeal suspensions or content removal. If the European Commission ultimately rules against the companies, they could be fined up to 6% of their global annual turnover.

Russia may require security researchers to report vulnerabilities to the state. The requirement is part of a new bill that, if passed, would legalise white hat security research. Russia's been attempting to regulate the field since 2022.

A cyber attack on Russia's agricultural and food safety watchdog has caused delays in food delivery. The attacks targeted two certification platforms, Mercury and VetIS. This was the second cyber attack on the platforms this year. Both also went down after an incident in June. Food producers and logistics companies need certificates issued by the platforms to transport products across Russia.

India's WazirX cryptocurrency exchange has resumed trading 15 months after a major security breach. The company was hacked for $235 million worth of assets last July, according to CoinDesk. The exchange has relaunched after a Singaporean high court approved restructuring.

The French shooting federation is notifying members of a security breach. Hackers stole the personal data of almost 274,000 members. This includes licence holders across multiple shooting disciplines. The hack occurred on October 18.

A 2024 ransomware attack against Transport for London cost the organisation 39 million pounds. Two teenage members of the Scattered Spider group, aged 18 and 19, appeared in a UK court on Friday for their roles in the incident. The trial's been set for June 2026.

The Belarusian government has blocked access to Russian social network VK. The order came from the country's intelligence agency, which offered no explanation. Belarusian officials have previously blocked VK after news articles that the regime didn't like were shared on the platform.

A phishing campaign is asking LastPass users if they're dead. Users receive an email claiming they've been declared deceased by a family member, which includes a death certificate as proof. When users attempt to cancel reports of their deaths, they authenticate and share their master passwords with the attackers. LastPass linked the campaign to CryptoChameleon, a group known for targeting the crypto community.

Less than one quarter of ransomware victims are paying. Data gathered by ransomware negotiator Coveware revealed that just 23% of ransoms were paid in the third quarter of this year. This is the lowest on record. The company says the low figure validates the efforts of cyber defenders and law enforcement.

Threat actors are leveraging vulnerabilities in VoIP and SIP servers using software from Taiwanese firm 5V Technologies. Attacks have been observed by the SANS Internet Storm Center, the Shadowserver Foundation and VulnCheck. Exploitation began in January using at least two vulnerabilities.

Security firm SpecterOps has discovered a technique to extract NTLMv1 hashes from up-to-date versions of Windows. The technique leverages Remote Credential Guard, a mechanism added to support the Remote Desktop Protocol. An open source tool to demo the attack has been released. Microsoft concluded that this is the intended behaviour and will not fix it.

HP has pulled a faulty update for the One Agent app that deleted certificates from customer devices. The faulty update removed all certificates containing the string 1E in their subject, issuer or friendly name. One of the certificates that was unintentionally removed was for MS-Organization-Access, used by Windows to authenticate to Entra. This disconnected users from enterprise networks and prevented them from logging in.

And finally, organizations using Microsoft Teams will be able to locate employees based on nearby Wi-Fi networks. The feature is designed to let colleagues know what building a staff member is working in. The new feature is expected to roll out in December for Mac and Windows desktop clients.

And that is all for this podcast edition. Today's show is brought to you by Knocknoc. Find them at knocknoc.io. Thanks for your company.
Podcast: Risky Bulletin (risky.biz)
Date: October 27, 2025
Host/Reader: Claire Aird
Prepared by: Catalin Cimpanu
This episode delivers a rapid-fire update on the latest global cybersecurity news. The main theme centers on a critical, actively exploited vulnerability in Microsoft WSUS, but it also covers significant law enforcement actions, data breaches, regulatory changes, and emerging attack techniques worldwide.
“The update patches a vulnerability that’s being exploited in the wild. It targets the WSUS component, which helps administrators deploy Windows OS updates inside closed networks. The vulnerability allows remote code execution on WSUS servers.” (A, 00:17)
“The group also used specially designed sunglasses and contact lenses to read the back of playing cards that had been marked with invisible ink. Victims allegedly lost at least $7 million.” (A, 00:53)
“Thailand’s new prime minister, Anutin Charnvirakul, said the revocation shows the government’s intention to be tougher on scam crimes.” (A, 01:33)
“If the European Commission ultimately rules against the companies, they could be fined up to 6% of their global annual turnover.” (A, 02:03)
“Users receive an email claiming they’ve been declared deceased by a family member, which includes a death certificate as proof… When users attempt to cancel reports of their deaths, they authenticate and share their master passwords with the attackers.” (A, 04:27)
“The feature is designed to let colleagues know what building a staff member is working in.” (A, 06:23)
“Proof of concept code was published earlier this month and attacks have since been spotted by CISA, Huntress, Horizon3 and Eye Security.” (A, 00:30)
“The low figure validates the efforts of cyber defenders and law enforcement.” (A, 05:04)
| Segment | Timestamp |
|---|---|
| WSUS Vulnerability Under Attack | 00:04–00:44 |
| US Poker Cheating Charges | 00:44–01:14 |
| Iran’s Hacking School Breached | 01:14–01:33 |
| Thailand Scam Citizenship Revocation | 01:33–02:03 |
| EU DSA vs Meta/TikTok | 02:03–02:26 |
| Russia’s Vulnerability Reporting Proposal | 02:26–02:42 |
| Russia Agricultural Agency Cyber Attack | 02:42–03:03 |
| WazirX Exchange Returns After Hack | 03:03–03:17 |
| French Shooting Federation Data Breach | 03:17–03:36 |
| London Ransomware Attack/Arrests | 03:36–04:09 |
| Belarus Blocks VK | 04:09–04:24 |
| LastPass Dead-Phishing Attack | 04:24–05:04 |
| Ransomware Victim Payment Rates | 05:04–05:17 |
| 5V Technologies VoIP Vulnerabilities | 05:17–05:32 |
| SpecterOps Windows NTLM Hash Extraction | 05:32–05:52 |
| HP One Agent Certificate Fault | 05:52–06:11 |
| Microsoft Teams Wi-Fi Location Update | 06:11–06:25 |
The episode retains the Risky Business team's concise, direct reporting style: focused, authoritative, and occasionally dryly humorous. It moves briskly from one item to the next, prioritizing urgent threats and impactful developments.
This Risky Bulletin compresses a week’s worth of global cybersecurity incidents and insights into a highly digestible format. Key takeaways: Watch out for the live WSUS exploit; major international cybercrime busts and data leaks continue; ransomware payment rates plummet; and new attacker techniques and policy shifts could significantly shape the landscape for defenders and researchers alike.