Risky Business #812: Ex-ASD Trenchant Boss Accused of Selling Exploits to Russia, WSUS Zero-Day Under Active Attack

This week's Risky Business podcast, hosted by Patrick Gray and Adam Boileau, covers a sprawling set of cybersecurity stories, headlined by the accusation that a former Australian Signals Directorate (ASD) employee who later became a boss at L3Harris's Trenchant unit sold exploits to Russia. The case, first reported by TechCrunch, alleges that the individual stole and sold sensitive secrets from the U.S. defense contractor and passed them to a Russian buyer. The accused once worked at the ASD, Australia's signals intelligence agency, adding a layer of insider-threat gravity to the breach. The episode also dives into the technical details of the alleged scheme, which underscores the persistent risk of trusted insiders in national security roles.
Another major story covered is CVE-2025-59287, an unauthenticated remote code execution vulnerability in Microsoft's Windows Server Update Services (WSUS) that is now being actively exploited in the wild. The bug, which affects the deprecated WSUS component, allows attackers to execute arbitrary code without authentication. Researchers at HawkTrace have published detailed analysis and a proof-of-concept, and the exploit is being used in real-world attacks. The vulnerability is particularly dangerous because WSUS is widely deployed in enterprise environments for patch management, and the deprecated status means many organizations may not have applied mitigations. Microsoft has not yet released a patch, leaving administrators to rely on workarounds such as blocking network access to the WSUS service.
The show also revisits a classic attack vector: DNS cache poisoning. Researchers have discovered a new variant of the Dan Kaminsky-style attack, this time enabled by a flawed pseudo-random number generator (PRNG) in two DNS resolving applications. The vulnerability allows an attacker to inject malicious DNS records into a resolver's cache, redirecting users to fraudulent sites. The attack is reminiscent of Kaminsky's 2008 discovery, which forced a massive industry-wide fix. The new variant highlights how fundamental cryptographic weaknesses can resurface in modern software, and the researchers have published their findings in Ars Technica.
In a bizarre but impactful incident, an HP OneAgent update inadvertently deleted certificates that authenticated Windows systems to Microsoft Entra ID (formerly Azure Active Directory) on HP AI devices. The update, which was pushed automatically, caused widespread authentication failures, locking users out of their workstations and cloud services. The episode notes that this is a stark reminder of the risks of automated updates and the importance of rigorous testing before deployment. HP has since acknowledged the issue and provided a fix, but the incident caused significant disruption for affected organizations.
Other stories covered include SpaceX disabling over 2,000 Starlink terminals used by scammers in Myanmar, a new report linking the ForumTroll APT group to Dante spyware, and a former Polish official being indicted over spyware purchases. The episode also features an interview with Matt Muller, Field CISO at sponsor Tines, discussing how the automation company has integrated LLMs and agentic AI into its workflow automation platform. The full show notes and links to each story are available on the Risky Business website.