Risky Business

Risky Business returns for 2026! Patrick Gray and Adam Boileau talk through the week’s cybersecurity news, including:

Santa brings hackers MongoDB memory leaks for Christmas

Vercel pays out a million bucks to improve its React2Shell WAF defences

39C3 delivers; the pink Power Ranger deletes nazis, while a catgirl ruins GnuPG

Cambodian scam compound kingpin gets extradited to China, and we don’t think it’ll go well for him

Krebs picks apart the Kimwolf botnet and residential proxy networks

So many healthcare data leaks that we have a roundup section

This week’s episode is sponsored by Airlock Digital. The founders of the application allow-listing vendor, David Cottingham and Daniel Schell, discuss Microsoft’s ClickOnce .NET app packaging, and how attackers have been abusing it to load code. Airlock hates it when you load code!

This episode is also available on Youtube.



Show notes



US, Australia say ‘MongoBleed’ bug being exploited | The Record from Recorded Future News


Merry Christmas Day! Have a MongoDB security incident. | by Kevin Beaumont | Dec, 2025 | DoublePulsar


Inside Vercel’s sleep-deprived race to contain React2Shell | CyberScoop


gpg.fail


Hacktivist deletes white supremacist websites live onstage during hacker conference | TechCrunch


Chinese attackers exploiting zero-day to target Cisco email security products | The Record from Recorded Future News


Ni8mare  -  Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) | Cyera Research Labs


ServiceNow patches critical AI platform flaw that could allow user impersonation | CyberScoop


Alleged cyber scam kingpin arrested, extradited to China | The Record from Recorded Future News


FCC IoT labeling program loses lead company after China probe | Cybersecurity Dive


Trump picks Lt. Gen. Joshua Rudd to lead NSA spy agency - The Washington Post


NSA cyber directorate gets new acting leadership | The Record from Recorded Future News


Dutch court sentences hacker who used port systems to smuggle cocaine to 7 years | The Record from Recorded Future News


ECLI:NL:GHAMS:2026:22, Amsterdam Court of Appeal, 23-003218-22


The Kimwolf Botnet is Stalking Your Local Network – Krebs on Security


Who Benefited from the Aisuru and Kimwolf Botnets? – Krebs on Security


Coupang recovers smashed laptop that alleged data leaker threw into river | The Record from Recorded Future News


Ransomware responders plead guilty to using ALPHV in attacks on US organizations | The Record from Recorded Future News


Nearly 480,000 impacted by Covenant Health data breach | The Record from Recorded Future News


Illinois health department exposed over 700,000 residents' personal data for years | TechCrunch


Tech provider for NHS England confirms data breach | TechCrunch


Hacker claiming to be behind ManageMyHealth breach: ‘I do it for the money and I’m in negotiations to get it’ - NZ Herald

In this special documentary episode, Patrick Gray and Amberleigh Jack take a historical dive into hacking in the 1980s. Through the words of those that were there, they discuss life on the ARPANET, the 414s hacking group, the Morris Worm, the vibe inside the NSA and a parallel hunt for German hackers happening at a similar time to Cliff Stoll’s famous Cuckoo’s Egg story.

This podcast features the memories of:

Jon Callas, former principal software engineer at Digital Equipment Corporation

Mark Rasch, Morris Worm prosecutor

Timothy Winslow, former 414 hacker

Greg Chartrand, author of Cracking the Cuckoos Egg and

Tony Sager, former NSA

How the World Got Owned is produced in partnership with SentinelOne.



Show notes



1988 Federal sentencing guidelines manual


Computer Intruder is put on probation and fined $10,000 | The New York Times


Computer Intruder is found guilty | The New York Times


United States of America, Appellee, v. Robert Tappan Morris, Defendant-appellant, 928 F.2d 504 (2d Cir. 1991)


The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage | Clifford Stoll


Cracking the Cuckoo’s Egg: The Untold Story of tracking and finding Karl Koch aka Hagbard of the Chaos Computer Club | Greg Chartrand


Computer Buffs Tapped NASA Files | The New York Times


Young Computer Bandits Byte off More than They Could Chew | The Washington Post


‘Hacker’ is used by Mainstream Media, September 5, 1983 | EDN


Neal Patrick to testify before congressional committee


Wargames official trailer, 1983


CBS News Segment on Robert Morris Computer Hacker


The Fall of the Berlin Wall | Sky News


I Hacked a Nuclear Facility in the 1980’s. You’re Welcome | CNN

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

React2Shell attacks continue, surprising no one

The unholy combination of OAuth consent phishing, social engineering and Azure CLI

Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?!

Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain

Microsoft finally turns RC4 off by default in Active Directory Kerberos

Traefik’s TLS verify=on … turns it off, whoopsie 🤡

This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess.

The Risky Business weekly show is taking holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends.

This episode is also available on Youtube.



Show notes



React2Shell attacks expand widely across multiple sectors | Cybersecurity Dive


React issues new patches after security researchers flag additional flaws | Cybersecurity Dive


ConsentFix: Browser-native ClickFix hijacks OAuth grants


Hacking Endpoint to Identity (Microsoft 365): "ConsentFix" - YouTube


Announced pick for No. 2 at NSA won’t get the job as another candidate surfaces | The Record from Recorded Future News


Laura Loomer on X: "EXCLUSIVE: 🚨 White House Official Confirms Ongoing Search for NSA Deputy Director As Tim Kosiba's Deep State And Anti-Trump Ties Raise Red Flags 🚨"


Senior official at Indo-Pacific Command is set to be Trump’s pick to lead Cyber Command, NSA | The Record from Recorded Future News


Trump Administration Turning to Private Firms in Cyber Offensive - Bloomberg


PdV says cyber attacks contained | Latest Market News


Venezuela state oil company blames cyberattack on US after tanker seizure | The Record from Recorded Future News


Office of Public Affairs | Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups | United States Department of Justice


DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure | The Record from Recorded Future News


vx-underground on X: "The United States government has indicted a state-sponsored Threat Actor named Victoria Eduardovna Dubranova"


vx-underground on X: "I'm actually laughing. One of the compromises is so dumb"


German parliament suffers suspected cyber attack during Zelenskyy’s visit


Während Selenskyj-Besuch: Große Internet-Störung im Bundestag! | Politik | BILD.de


Germany summons Russian ambassador over cyberattack, election disinformation | The Record from Recorded Future News


Russische hackgroep had toegang tot openbare waterfontein in Nederland | de Volkskrant


Most Parked Domains Now Serving Malicious Content – Krebs on Security


PornHub extorted after hackers steal Premium member activity data


Office of Public Affairs | Senior Manager for Government Contractor Charged in Cybersecurity Fraud Scheme | United States Department of Justice


Microsoft will finally kill obsolete cipher that has wreaked decades of havoc - Ars Technica


CVE-2025-66491: Traefik's "Verify=On" Turned TLS Off | AISLE


Dylan O'Donnell 🦋 on X: "This week I was rushed to hospital with a diagnosis of oesophageal cancer."

In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph.

OpenGraph enumerates attack paths across platforms and services, not just your primary directories.

A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it.

Cross-platform attack path enumeration! So good!

This episode is also available on Youtube.



Show notes

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate?

China is out popping shells with it

Linux adds support for PCIe bus encryption

Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems

…and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him?

This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board?

This episode is also available on Youtube.



Show notes



Risky Bulletin: APTs go after the React2Shell vulnerability within hours - Risky Business Media


Guillermo Rauch on X: "React2Shell" / X


React2Shell-CVE-2025-55182-original-poc/README.md at main · lachlan2k/React2Shell-CVE-2025-55182-original-poc · GitHub


Hydrogen: Shopify’s headless commerce framework


Researchers track dozens of organizations affected by React2Shell compromises tied to China’s MSS | The Record from Recorded Future News


Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary


Three hacking groups, two vulnerabilities and all eyes on China | The Record from Recorded Future News


Risky Bulletin: Linux adds PCIe encryption to help secure cloud servers


Sean Plankey nomination to lead CISA appears to be over after Thursday vote | CyberScoop


🕳 on X: "This guy is complaining that GrapheneOS “failed him”. Showing a Belgian 🇧🇪 police request for an interrogation regarding premeditated murder (as a suspect)." / X


Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers say | TechCrunch


To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware - Amnesty International Security Lab


Is ransomware finally on the decline? Treasury data offers cautious hope | CyberScoop


UK cyber agency warns LLMs will always be vulnerable to prompt injection | CyberScoop


In comedy of errors, men accused of wiping gov databases turned to an AI tool - Ars Technica