Attackers are abusing a WSUS flaw - Microsoft’s Windows Server Update Services - to detonate PowerCat, spawn reverse shells, and plant ShadowPad. All from the update server your entire Windows estate trusts by default.One weak crypto key and a broken deserialization function let attackers hit your WSUS server with unauthenticated SYSTEM-level code execution. Chinese APT groups are already exploiting it to drop malware in memory, blend into legitimate WSUS traffic, and pivot deeper into the network.Yes WSUS patch exists, but even if you patch it today, the real problem remains:Your WSUS server is a high-value target with high-trust pathways - and most environments expose it far more than they think.Watch host Lieuwe Jan Koning - with Blue Team expert Rob Maas and Red Team lead Luca Cipriano - break down how the exploit works, how attackers chain it into real-world intrusions, and the Zero Trust fixes that actually matter.(00:00) - Intro

(01:03) - What is a WSUS server?

(02:48) - The WSUS vulnerability

(05:49) - What is deserialization?

(08:17) - What to do about this vulnerability

(10:52) - How attackers are exploiting it

(18:42) - Real-world harm

(19:16) - Final advice & defense strategy
Key Topics Covered• How one WSUS flaw enables unauthenticated RCE as SYSTEM• The attack chain: crafted payload → deserialization → PowerCat → ShadowPad• Why update servers are high-value pivot points for APT groups• How Chinese APTs weaponized this vulnerability in real-world intrusions• Zero Trust protections: segmentation, egress control, EDR/XDR detection• How to secure Microsoft Windows Server Update Services (WSUS patching best practices)Episodes Mentioned• China Nexus Barracuda Hack: https://www.youtube.com/watch?v=4X9AmBhOmSA• APT Sand Eagle: https://youtu.be/U5qdERmvEwg?si=kdsCJDNkGjs6Lklz• APT 44 / Seashell Blizzard: https://youtu.be/JqA0Irspxrc?si=nnJpz7VnLtz38LN4• APT Handala: https://youtu.be/XYf-SMhQdDc?si=WpIE0h9Q-pokz0MDGuest & Host LinksRob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/Additional ResourcesThreat Talks: https://threat-talks.com/ON2IT (Zero Trust as a Service): https://on2it.net/AMS-IX: https://www.ams-ix.net/amsSubscribe to Threat Talks and turn on notifications for deep dives into the world’s most active cyber threats and hands-on exploitation techniques.Click here to view the episode transcript.
🔔 Follow and Support our channel! 🔔=== ► YOUTUBE: https://youtube.com/@ThreatTalks► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520👕 Receive your Threat Talks T-shirthttps://threat-talks.com/🗺️ Explore the Hack's Route in Detail 🗺️https://threat-talks.com🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX

Ver todos los episodios