Risky Business #812 – Alleged Trenchant Exploit Mole Is Ex-ASD
Date: October 29, 2025
Host: Patrick Gray
Co-host: Adam Boileau
Sponsor Interview Guest: Matt Muller (Tines)
Overview
This episode centers on the arrest of a Trenchant (L3Harris subsidiary) executive for allegedly stealing and selling exploit-related trade secrets to a Russian buyer—the accused is reported to have a significant background with the Australian Signals Directorate (ASD). In classic “Risky Business” style, Patrick and Adam unpick the security news of the week, from the inside scoop on this espionage-adjacent story to the latest on WSUS bugs, SpecterOps research, ransomware trends, and a range of tech oddities. The show closes with a sponsor interview on the adoption of AI in security automation.
Key Discussion Points & Insights
1. L3 Trenchant Trade Secret Theft: From Insider to “Mole”
[00:48 – 12:00]
- Background:
The story emerged that a general manager at L3 Trenchant (formerly Linchpin Labs)—identified via court documents as Peter Williams—has been arrested and indicted for stealing and selling company “trade secrets” to a Russian buyer.
- Williams was not originally suspected; prior coverage suggested a fired Trenchant employee was being wronged. The story’s “twist” is that the boss is the actual leaker.
- Williams’ Background:
- “He is ex-ASD. This means he was an Australian Intelligence Community insider.” (Patrick, 04:03)
- Williams joined ASD circa 2007, moved to Linchpin Labs in the mid-2010s, worked on security/implants rather than pure vulnerability research, and didn’t migrate to the US until 2022/23.
- Legal Nuances & Fallout:
- The US is charging Williams with “trade secrets” violations, not espionage.
- Likely reason: exploits aren’t classified as national defense documents, and/or there may be cooperation between Williams and law enforcement.
- “I do find it interesting that he's being charged with trade secret charges as opposed to espionage.” (Patrick, 02:44)
- Williams is currently on home arrest, suggesting possible cooperation (05:12).
- ASD Media Response:
Patrick recounts a “ridiculous” non-comment from the ASD, and expresses deep concern that no one at ASD is formally looking into Williams’ previous activities or work product for the agency.
- “For them to reply and say this is a matter for law enforcement, I would posit no, this is a matter for ASD to actually investigate what this guy might have touched.” (Patrick, 09:08)
- Community Reaction:
- The story reignites debate about private sector exploit development and state security.
- Patrick calls out “brain dead” arguments that private sector exploit dev shouldn’t exist:
“Do you think the bad guys are just going to be... ‘oh, the Yanks and the Five Eyes countries are no longer developing exploits. We should stop too.’ The arguments around all of this are completely brain dead, like unbelievably thick.” (Patrick, 06:25)
- Admiration for Lorenzo from TechCrunch for doggedly pursuing the story for months (10:47).
Key Quote
- “The only problem with that argument, Adam, is it's completely ridiculous... The arguments around all of this are completely brain dead, like unbelievably thick.”
— Patrick Gray, 06:25
2. WSUS Bugs, Active Exploitation, and Microsoft Patch Blunders
[12:18 – 18:43]
- Active WSUS Exploitation:
- A recent 0-day in Windows Server Update Services (WSUS) is under active exploitation. The bug actually being exploited is not the one first reported last week.
- Too many WSUS servers (roughly 7,000–8,000) are exposed to the internet, partly because of changed remote work habits post-2020.
- Bug Nuances:
- Two different but similar bugs: both are deserialization vulnerabilities; one involved weak encryption with a hardcoded key, but the second (the currently exploited one) is a simpler pre-auth code execution path.
- Microsoft’s patching approach and communication added to the confusion.
- Analysis:
- Fundamental issue: “Microsoft should not have two years later had a second bug in WSUS in this style. Like, no, I shouldn't have got that right.” (Adam, 17:35)
- Argument that pandemic-era remote work led to more WSUS servers being internet-facing, raising enterprise risk.
Key Quote
- “There really shouldn't be deserialization zero days in it. And the fact that Microsoft fixed one in 2023 and then didn't review the rest of the code base... like, no, I shouldn't have got that right.”
— Adam Boileau, 17:35
3. SpecterOps Research: Defeating Windows’ Credential Guard
[18:43 – 24:55]
- Summary:
SpecterOps published groundbreaking research revealing how attackers can extract credentials from Windows’ much-vaunted Credential Guard, originally designed to block precisely this type of credential harvesting.
- Exploitation:
Attackers can leverage RDP’s interaction with Credential Guard to obtain NTLM password hashes and Kerberos tickets under certain circumstances.
- Microsoft’s response: “intended behavior,” not a bug.
- Reaction:
- Patrick and Adam both heap praise on SpecterOps for the technical feat, while sympathetically noting the likely pain for both SpecterOps and the Microsoft Security Response Center.
- Broader Point:
“Harder is good, but harder is the best they can do. They can't make it impossible.” (Adam, 24:11)
4. DNS Cache Poisoning Returns: The Kaminsky Attack Reborn
[24:55 – 29:13]
- Dan Goodin’s Write-up:
New research demonstrates that decades-old DNS cache poisoning attacks are becoming viable again because of predictable random number generation for UDP source ports.
- Fix:
Upgrading the PRNG fixes the vulnerability on affected DNS servers. The story is a “blast from the past,” and the hosts reflect on the surprising longevity and effects of protocol-level kludges.
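As an added illustration (not from the episode or the research it discusses), a small Python check a resolver operator could run over a sample of their own outbound UDP source ports to see whether the allocator looks random. The port samples are constructed, and the thresholds are assumptions chosen for the example.

```python
import math
import random
from collections import Counter

# Constructed samples of 64 outbound UDP source ports as they might appear in a
# resolver's query log (hypothetical data, not from the research discussed above).
FIXED_PORTS = [53] * 64                                          # one port for everything
SEQUENTIAL_PORTS = list(range(40000, 40064))                     # plain counter
RANDOM_PORTS = random.Random(7).sample(range(1024, 65536), 64)   # seeded stand-in for a sound PRNG


def shannon_entropy_bits(ports):
    """Empirical entropy of the sample in bits; log2(n) is the most a sample of n can show."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Share of consecutive pairs whose difference is tiny, the signature of a counter."""
    if len(ports) < 2:
        return 0.0
    close = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) <= 2)
    return close / (len(ports) - 1)


def assess_source_ports(ports):
    """Return (verdict, metrics). Entropy alone is fooled by a clean counter (every
    port distinct, entropy at the maximum), so the delta check is what catches
    sequential allocation. Thresholds are assumptions for this example."""
    ent = shannon_entropy_bits(ports)
    max_ent = math.log2(len(ports))
    seq = sequential_fraction(ports)
    if ent < 0.5 * max_ent:
        verdict = "weak: few distinct ports"
    elif seq > 0.5:
        verdict = "weak: sequential allocation"
    else:
        verdict = "ok"
    return verdict, {"entropy_bits": round(ent, 2), "max_bits": round(max_ent, 2),
                     "sequential_fraction": round(seq, 2)}


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)]:
        print(name, *assess_source_ports(sample))
```

A real assessment needs a much larger sample than 64 ports; the point here is that a counter passes the entropy test and only fails the delta test.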
5. Ransomware as a Service: Qilin Group Analysis
[29:13 – 32:03]
- Cisco Talos Research:
Qilin (or “Key Lin”/QILIN) is named as the latest “hot” ransomware-as-a-service operation, but its techniques are notably mundane (WinRAR for exfiltration, Mimikatz, PowerShell, etc.). The entry vector is mostly credential-based.
- Notable Trend:
Patrick notes the “new dynamic” where ransomware groups must remain small enough to avoid disruption by law enforcement or vigilantes, and jokes about ransomware automation becoming “agentic”/AI-driven (“my advice to them is you gotta jump on the agentic bandwagon…” 32:03).
6. Miscellaneous Security News
- X.com Deprecates Twitter.com—Security Keys Affected
[32:03 – 33:41]
- Users are required to re-enroll hardware security keys because the domain change breaks WebAuthn anti-phishing protections.
- “This proves that it actually works.” (Adam, 33:41)
- SpaceX/Starlink Disables 2,000+ Dishes Used by Myanmar Scam Compounds
[34:20 – 36:00]
- SpaceX only acted following the threat of Congressional hearings; Patrick criticizes their communications spin.
- Notable aside: Chinese courts sentenced members of a scam gang to death after a crackdown on trafficking operations—leading to dark humor between the hosts.
- Imminent Starlink Outage if Hardware Not Updated
[36:49 – 39:04]
- Patrick and Adam speculate it’s likely a certificate expiry issue.
- Memento Labs (ex-HackingTeam) Targeting Russian/Belarusian Orgs
[39:04 – 41:41]
- Kaspersky observed modern attacks using evolved/rewritten HackingTeam tooling and a Chrome zero-day.
- “Always interesting watching incident response from the other side.” (Adam, 40:54)
- Polish Former Official Accused of Using Crime Victim Funds to Buy NSO Spyware
[41:41 – 43:46]
- $7M misappropriated; used Pegasus to spy on domestic political rivals.
- “That's some retroactively changing history right there, buddy.” (Adam, 43:18)
- HP 1E Crapware Deletes Critical Certificates
[43:46 – 47:03]
- A faulty update wipes certificates essential for cloud/domain access, orphaning thousands of endpoints—possibly via a GenAI-generated script.
- “You should only trust it to do what you would trust a work experience kid to do.” (Patrick, 45:31)
- Windows’ SSH (OpenSSH) as a Swiss Army Knife for Hackers
[47:03 – 48:22]
- New Zealand’s Pulse Security blog post details misuse of SSH.exe on Windows for stealthy access and persistence.
- “OpenSSH is the best hacker tool ever shipped.” (Adam, 47:38)
- Mob-Run Poker Games Using Hacked Card Shufflers
[48:40 – 52:00]
- Andy Greenberg’s Wired piece recounts mob-controlled poker using modded card shufflers with cameras and app tie-ins.
- “It felt movie hacking … raked in something like $7 million.” (Adam, 51:13)
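Added example, not from the episode, for the X.com security key item above: why moving from twitter.com to x.com forced re-enrolment. A WebAuthn credential is bound at registration to a Relying Party ID, the authenticator data it signs begins with SHA-256 of that RP ID, and the server rejects any assertion whose hash does not match the RP ID it is serving as. The credential values are constructed, and the browser-side origin check is simplified (no public suffix list).

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed credential: registered while the site identified itself as
# Relying Party "twitter.com" (hypothetical values, not real data).
REGISTERED_RP_ID = "twitter.com"


@dataclass(frozen=True)
class Credential:
    credential_id: bytes
    rp_id: str  # RP ID the authenticator bound this credential to at registration


def rp_id_hash(rp_id: str) -> bytes:
    """WebAuthn authenticator data starts with SHA-256 of the RP ID string."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def authenticator_data(cred: Credential, sign_count: int) -> bytes:
    """Minimal authenticator data: rpIdHash (32) | flags (1) | signCount (4, big-endian).
    The authenticator always emits the hash of the RP ID it stored; a page on another
    domain cannot make it emit a different one."""
    flags = 0x05  # UP | UV set, constructed for the example
    return rp_id_hash(cred.rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")


def rp_id_allowed_for_origin(origin: str, rp_id: str) -> bool:
    """Browser-side rule (simplified; real browsers also consult the public suffix
    list): the RP ID must equal the origin's host or be a domain suffix of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def verify_rp_id(auth_data: bytes, serving_rp_id: str) -> bool:
    """Server-side step of assertion verification: the rpIdHash in the authenticator
    data must equal SHA-256 of the RP ID this server operates as."""
    return len(auth_data) >= 37 and auth_data[:32] == rp_id_hash(serving_rp_id)


def assertion_accepted(cred: Credential, origin: str, serving_rp_id: str) -> bool:
    """End-to-end: the browser must allow the RP ID for the origin, then the server
    must find a matching rpIdHash. Either failure means the key must be re-enrolled."""
    if not rp_id_allowed_for_origin(origin, serving_rp_id):
        return False
    return verify_rp_id(authenticator_data(cred, sign_count=1), serving_rp_id)


if __name__ == "__main__":
    cred = Credential(credential_id=b"\x01\x02\x03\x04", rp_id=REGISTERED_RP_ID)
    print("twitter.com:", assertion_accepted(cred, "https://twitter.com", "twitter.com"))
    print("x.com:", assertion_accepted(cred, "https://x.com", "x.com"))
```

The same binding is what stops a phishing domain from using the key, which is Adam's point that the breakage "proves that it actually works".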
Sponsor Interview: Matt Muller, Tines
[53:54 – 65:33]
Theme: How security teams are adopting AI for automation using Tines’ pre-built workflows.
AI Automation Trends in Security
- Alert Triage is ‘the’ Killer Use Case:
- “AI is really helpful where there's just what I call the terrifying tedium… 99% of the time you might actually be looking at false positives.” (Matt, 53:54)
- AI is best for repetitive, rules-based triage, but not always the most efficient—traditional automation can be preferable for some tasks.
- AI is Not a Replacement for Tuning:
- AI can help, but “you've got these models, they can actually give you feedback on what you should be doing to your detections to make them more efficient.” (Patrick, 54:58)
- Multiple AI Agents Over Monolithic “Junior Analyst” Model:
- “You're probably going to need multiple different AI agents to all sort of decompose the problem… don't just stuff everything into one agent.” (Matt, 55:23)
- Beyond the SOC:
- AI-powered workflows increasingly extend to IT use cases, including user on/offboarding and access approval, adding real risk control versus manual or isolated tools.
- Consistency Over Brilliance:
- “LLMs are consistent. Right. Or more consistent. ... at least they will try to follow a semblance of a documented process that's been given to them.” (Matt, 60:35)
- AI can embed process and checks that humans often skip (e.g., help desk password resets).
- Buy-vs-Build and Adoption Pattern:
- Tines sits between buying and building—customers want flexible automation but benefit from a large pre-canned workflow library (~1,000 templates).
- Predefined AI-enabled automations are popular because users lack confidence writing prompts from scratch.
Memorable Sponsor Segment Quote
“I think for us, sort of seeing that missing puzzle piece of saying yes, people want to be able to build, but if you're building a workflow that's kind of the same across a bunch of different organizations, maybe we can help you shortcut that as well.”
— Matt Muller, 62:31
Notable Quotes & Memorable Moments
- On ASD’s non-response:
“That's an on background, non-attributable, no comment. What even is that?” (Patrick, 08:35)
- On AI replacing help desk workers:
“Say what you will about LLMs and prompt injection, but at least they will try to follow a semblance of a documented process that's been given to them.” (Matt, 60:35)
- On the never-ending risk of zero days:
“There really shouldn't be deserialization zero days in it. … Like, no, I shouldn't have got that right.” (Adam, 17:35)
- On the state of Twitter/X:
“You read post, racist, racist, racist, racist. Oh, interesting paper.” (Patrick, 32:13)
- On ‘infinity midwits’ and GenAI:
“Gen AI, what has it given us? Infinity midwits. Infinity midwits and a lot more carbon in the atmosphere.” (Patrick, 47:03)
Useful Timestamps
- L3 Trenchant/ASD Incident: 00:48 – 12:00
- WSUS Bug/Exploitation: 12:18 – 18:43
- SpecterOps/Credential Guard: 18:43 – 24:55
- DNS Cache Poisoning Revival: 24:55 – 29:13
- Qilin Ransomware as a Service: 29:13 – 32:03
- Twitter/X and Security Key Migration: 32:03 – 33:41
- SpaceX & Starlink/Crime Compounds: 34:20 – 36:00
- Starlink Security Update: 36:49 – 39:04
- Memento Labs & Chrome 0-day: 39:04 – 41:41
- NSO/Poland Funds Scandal: 41:41 – 43:46
- HP Updates Delete Certs: 43:46 – 47:03
- Windows SSH Tips: 47:03 – 48:22
- Mob Poker/Cheating via Shufflers: 48:40 – 52:00
- Sponsor Interview: Security AI Automation: 53:54 – 65:33
Conclusion
This episode blends high-profile security intrigue with technical depth—shedding light on how insiders remain a risk even at the “elite” levels, how organizational sloppiness compounds technical debt, and how automation—especially AI-powered—is reshaping security operations. As always, the Risky Biz banter delivers clarity and candor for practitioners across the security industry.
