Risky Business #821 – Wiz Researchers Could Have Owned Every AWS Customer

Date: January 21, 2026
Host: Patrick Gray
Guests: Adam Boileau, Joe Tidy (BBC World Service cybersecurity correspondent)
Episode Theme:
A lively, deeply technical discussion of this week’s hottest security news with special focus on cloud-scale vulnerabilities, AI-written malware, and changing hacker culture. The headline story is Wiz’s discovery of a supply chain vulnerability in AWS that could have compromised every AWS customer.

Episode Overview

This week, Patrick Gray is joined by regular analyst Adam Boileau and, for the first time, BBC cybersecurity correspondent Joe Tidy. They cover a blockbuster Wiz finding that exposed all AWS customers to compromise, wild tales of modern malware partly written by AI, political drama impacting cybersecurity events, and dive deep into the cultural history behind some of the world’s most infamous and sociopathic cybercriminals.

Key Discussion Points & Insights

1. Political Cyber Wars: Venezuela Raid & Propaganda

• Main Topic: Speculation around a covert US raid in Venezuela, conflicting reports on the use of cyber sabotage and information warfare.
• Highlights:
  • New York Times published a vague expose causing much speculation.
  • US/Trump administration claims of "turning off the lights" in Caracas sparked cyber rumors.
  • Propaganda is muddying the waters, making facts elusive.

“Cyber is a piece of that puzzle... Even if the extent to which they are using in any particular case, we're never going to know until years after when someone writes a tell-all book.” – Adam Boileau [05:11]

Timestamps:
[00:31] – Patrick’s intro and episode rundown
[03:00] – Joe Tidy on the difficulty of verifying Venezuelan cyber claims
[05:11] – Adam Boileau on cyber’s real place in modern ops

2. US Government Bans Staff from RSAC Due to Jen Easterly’s Appointment

• Main Topic: The politicization of the cybersecurity conference scene due to former CISA director Jen Easterly being appointed CEO of RSAC.
• Insights:
  • Right-wing activism results in federal employees considering (or being instructed) to boycott RSAC.
  • Broader impact: big-name infosec events lose official government involvement.

“It's kind of petulant and vindictive and, you know, exactly what we expect, unfortunately, from the Trump administration...” – Adam Boileau [11:04]

Timestamps:
[10:05] – Patrick on RSAC politicization
[11:04] – Adam's candid take

3. CISA and Patch Management Drama: The Infoleak Vulnerability

• Main Topic: CISA tells agencies to patch a relatively “low severity” Windows memory leak—a sign of changing priorities.
• Details:
  • Vulnerability in Windows Desktop Window Manager (CVSS 5.5) actively exploited.
  • Patch introduced a new problem: Windows 11 systems can’t shut down!

“It's not often we get to give CISA an attaboy, you know, in the recent times. So I felt like it was good to call them out for doing something nice.” – Adam Boileau [13:05]

Timestamps:
[12:27] – Adam's rundown of the bug
[14:12] – Patch brings shutdown issues

4. Wiz’s AWS Code Build Flaw: “We Could Have Owned Every AWS Customer”

• Main Topic: Researchers at Wiz discovered a near internet-ending flaw with AWS CodeBuild’s GitHub integration.
• How the Exploit Worked:
  • AWS’s JavaScript SDK repo had a user allow-list implemented as a regex, not boundary-anchored.
  • Cleverly crafted GitHub IDs could slip through and trigger privileged code builds.
  • Wiz automated creation of GitHub accounts to “win the race,” then responsibly reported to Amazon before doing any harm.

“Someone at Wiz was sitting around... and said hey guys, did you know that I now have admin access to every AWS environment on the planet? ...This is some... Chef Kiss, beautiful cloud hack and research...” – Adam Boileau [15:19]

• Potential Impact:
  • Attackers could conceivably alter core AWS console code, affecting all AWS customers.
  • Even if AWS is monitoring production code, a sophisticated attacker could do immense harm quickly.

“If China or Russia or anyone else had done this... everybody's Amazon environments, boom.” – Adam Boileau [17:33]

Timestamps:
[15:19] – Adam explains the bug
[19:36] – Hats off to Wiz for not “hacking the planet”
[20:25] – What could an attacker have done?

5. AI-Generated Malware: Voidlink and the Future of Automated Crime

• Main Topic: Linux rootkit “Voidlink” possibly generated/programmed largely by AI, detailed by Checkpoint Labs.
• Details:
  • Competently modular Linux malware, designed for container/cloud environments.
  • Forensic evidence suggests it was built via AI agents, with a human overseeing and orchestrating.
  • Reported breathlessly, but research shows it's increasingly plausible for threat actors to automate significant portions of malware development.

“So the AI side of it is interesting because Checkpoint started tracking this, saw interesting new malware, and then they found this documentation which is structured like it's being written by a team of actual people describing sprints and features and documentation, standards and so on.” – Adam Boileau [24:11]

Timestamps:
[22:24] – Adam expounds on Voidlink malware
[25:09] – AI’s role and Checkpoint’s methodology
[26:10] – Joe Tidy on covering AI cyber stories for mainstream audiences

6. Fast Pair Bluetooth Vulnerability (Google)

• Main Topic: Weakness in Android's Fast Pair allows unauthorized connections, device tracking, and privacy compromise.
• Takeaways:
  • Thousands of headphones/devices affected by an unpatched bug.
  • Many users are unlikely to update firmware, leaving a long tail of vulnerable gadgets.
• Quote:

“It's the sort of of just dumb bug that you would expect an ecosystem that has a specification, reference, implementation and device ... review process by the manufacturer. Ought to have caught something this dumb.” – Adam Boileau [32:43]

Timestamps:
[30:24] – Adam on vulnerability details

7. Vulnerabilities & Exploits Roundup

• Fortinet SIEM (FortiSIEM): Yet another exploit in a long line of command injection bugs — vendor’s patch quality under fire.

  “...the bugs in FortiSIEM have all been basically the same bug, but just like one function over...” – Adam Boileau [33:05]

• Copilot Prompt Injection: A new prompt injection attack bypasses protections by repeating requests, keeping the exploit alive in the cloud even after closing tabs.

  “...not the case because yay cloud future. Woo.” – Adam Boileau [35:41]

• GNU telnetd (inetutils): Unpatched bug allows logging in as root, inheriting a legacy UNIX vulnerability.

  “It’s a good day to be an old UNIX nerd right here.” – Adam Boileau [40:16]

8. Law Enforcement Wins (and Their Limited Impact)

• BlackBuster Arrests: Ukrainian and German authorities arrest ransomware criminals, but such actions rarely disrupt the overall cybercrime ecosystem.

  “We see these arrests and they are quite frequent but it doesn’t seem to move the dial that much on what happens... These gangs are still there.” – Joe Tidy [36:32]

• Initial Access Broker from Georgia: US successfully extradites and charges a major access broker.

9. The Changing Culture of Teenage Hackers: Discussion and Book Spotlight

Special Segment:
Joe Tidy discusses his new book, “Control Alt Chaos: How Teenage Hackers Hijack the Internet,” which chronicles the descent of infamous Finnish hacker Julius Kivimaki ("ZKill") from gaming troll to the perpetrator of the Vestamo blackmail.

• Key Insights:
  • Teenage cybercrime has grown more sociopathic, moving from pranks and bravado (e.g., LulzSec) to full-blown, amoral extortion and psychological harm (e.g., Vestamo).
  • The “centers of gravity” in hacker communities often lack empathy and escalate attacks without moral boundaries.
  • The rise of Twitter, cryptocurrency, and groupchat platforms supercharged the reach, audacity, and monetization of young hackers.

“Cybercrime is a team sport, as we know... they're joining up all over the world and they're coming together to carry out attacks.” – Joe Tidy [51:07]

• Three drivers of the culture shift:
  1. Twitter/infamy incentives
  2. Cryptocurrency/monetization
  3. Group chat/instantaneous teamwork

“...the rise of live video, voice and text chats, irc, Skype. Now we've got telegram and Discord... You can quickly spin up an idea for a hack and go after it.” – Joe Tidy [51:07]

Timestamps:
[40:16] – Book intro and Vestamo hack background
[42:54] – ZKill's unique sociopathy
[49:54] – Adam and Patrick on role of crypto and Twitter
[51:17] – Joe Tidy’s “three theories”

Notable Quotes & Memorable Moments

• On AWS/Wiz flaw:

  “This is like Internet scale, amazing, beautiful hacking. And hats off the Wiz for pulling this one together and actually... going ahead and doing just stopping at ‘We found the regex’ ... No, she went ahead and did it.” – Adam Boileau [19:08]

• On hacker culture shift:

  “It’s a community that pushes the sociopaths to the top.” – Adam Boileau [46:14]

• On AI-generated malware:

  “The actual progress of the malware in terms of time is faster than these documents suggest and perhaps faster than the humans involved would be doing. Perhaps it's not actually humans doing it.” – Adam Boileau [24:11]

• On patch quality:

  “...the bugs in FortiSIEM have all been basically the same bug, but just like one function over or... They fixed the first order one and then someone found a way past and so on. So this is command injection flaw unauthed...” – Adam Boileau [33:05]

• On changing roles of cyber in politics and war:

  “Even if the extent to which they are using in any particular case, we're never going to know until years after when someone writes a tell-all book.” – Adam Boileau [05:11]

Sponsor Interview: Breadcrumbs and Deceptive Defense (with Harun Mir, Thinkst Canary)

(Starts ~53:26)

• Main Concept: Breadcrumbs are decoy authentication artifacts (like SSH keys or config files) sprinkled across systems to lure attackers to monitored honeypots.
• Technical Insights:
  • API-driven, easily scripted deployments
  • Attribution can now tie “breadcrumbs” to specific compromised hosts
• Business Moves:
  • Thingst acquired UK-based Deceptic for its token/deception tech and talent
  • Thingst rescued and now runs the South African Computer Olympiad as a nonprofit

Conclusion

Risky Business #821 covers a characteristically wide range: geopolitical cyber drama, breathtaking infosec research, technical breakdowns, and the deeper human/cultural story behind hacking's moral evolution. This episode will be invaluable for anyone looking to understand what’s at stake in both technical and social aspects of information security.

Episode Timestamps (Key Segments)

• [00:31] – Intros & show rundown
• [03:00] – Venezuela cyber ops debate
• [10:05] – Jen Easterly / RSAC government ban
• [12:27] – Windows DWM infoleak & patch fallout
• [15:19] – Wiz’s AWS “internet-ending” bug
• [22:24] – AI-coded malware & journalistic nuance
• [30:24] – Android Fast Pair Bluetooth bug
• [33:05] – Fortinet SIEM exploit
• [35:41] – Copilot prompt injection
• [36:32] – Law enforcement roundup
• [40:16] – Book: Control Alt Chaos; underworld culture shift
• [53:26] – Sponsor interview: Breadcrumbs, Deceptic acquisition, SA Computer Olympiad rescue

Summary prepared true to the original spirit and technical detail of the Risky Business podcast. For infosec pros and the curious public alike.