Risky Business

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: React2Shell attacks continue, surprising no one The unholy combination of OAuth consent phishing, social engineering and Azure CLI Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?! Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain Microsoft finally turns RC4 off by default in Active Directory Kerberos Traefik’s TLS verify=on … turns it off, whoopsie 🤡 This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess. The Risky Business weekly show is taking holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends. This episode is also available on Youtube. Show notes React2Shell attacks expand widely across multiple sectors | Cybersecurity Dive React issues new patches after security researchers flag additional flaws | Cybersecurity Dive ConsentFix: Browser-native ClickFix hijacks OAuth grants Hacking Endpoint to Identity (Microsoft 365): "ConsentFix" - YouTube Announced pick for No. 2 at NSA won’t get the job as another candidate surfaces | The Record from Recorded Future News Laura Loomer on X: "EXCLUSIVE: 🚨 White House Official Confirms Ongoing Search for NSA Deputy Director As Tim Kosiba's Deep State And Anti-Trump Ties Raise Red Flags 🚨" Senior official at Indo-Pacific Command is set to be Trump’s pick to lead Cyber Command, NSA | The Record from Recorded Future News Trump Administration Turning to Private Firms in Cyber Offensive - Bloomberg PdV says cyber attacks contained | Latest Market News Venezuela state oil company blames cyberattack on US after tanker seizure | The Record from Recorded Future News Office of Public Affairs | Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups | United States Department of Justice DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure | The Record from Recorded Future News vx-underground on X: "The United States government has indicted a state-sponsored Threat Actor named Victoria Eduardovna Dubranova" vx-underground on X: "I'm actually laughing. One of the compromises is so dumb" German parliament suffers suspected cyber attack during Zelenskyy’s visit Während Selenskyj-Besuch: Große Internet-Störung im Bundestag! | Politik | BILD.de Germany summons Russian ambassador over cyberattack, election disinformation | The Record from Recorded Future News Russische hackgroep had toegang tot openbare waterfontein in Nederland | de Volkskrant Most Parked Domains Now Serving Malicious Content – Krebs on Security PornHub extorted after hackers steal Premium member activity data Office of Public Affairs | Senior Manager for Government Contractor Charged in Cybersecurity Fraud Scheme | United States Department of Justice Microsoft will finally kill obsolete cipher that has wreaked decades of havoc - Ars Technica CVE-2025-66491: Traefik's "Verify=On" Turned TLS Off | AISLE Dylan O'Donnell 🦋 on X: "This week I was rushed to hospital with a diagnosis of oesophageal cancer."

In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph. OpenGraph enumerates attack paths across platforms and services, not just your primary directories. A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it. Cross-platform attack path enumeration! So good! This episode is also available on Youtube. Show notes

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate? China is out popping shells with it Linux adds support for PCIe bus encryption Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him? This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board? This episode is also available on Youtube. Show notes Risky Bulletin: APTs go after the React2Shell vulnerability within hours - Risky Business Media Guillermo Rauch on X: "React2Shell" / X React2Shell-CVE-2025-55182-original-poc/README.md at main · lachlan2k/React2Shell-CVE-2025-55182-original-poc · GitHub Hydrogen: Shopify’s headless commerce framework Researchers track dozens of organizations affected by React2Shell compromises tied to China’s MSS | The Record from Recorded Future News Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary Three hacking groups, two vulnerabilities and all eyes on China | The Record from Recorded Future News Risky Bulletin: Linux adds PCIe encryption to help secure cloud servers Sean Plankey nomination to lead CISA appears to be over after Thursday vote | CyberScoop 🕳 on X: "This guy is complaining that GrapheneOS “failed him”. Showing a Belgian 🇧🇪 police request for an interrogation regarding premeditated murder (as a suspect)." / X Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers say | TechCrunch To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware - Amnesty International Security Lab Is ransomware finally on the decline? Treasury data offers cautious hope | CyberScoop UK cyber agency warns LLMs will always be vulnerable to prompt injection | CyberScoop In comedy of errors, men accused of wiping gov databases turned to an AI tool - Ars Technica

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. It’s a quiet week with Thanksgiving in the US, but there’s always some cyber to talk about: Airbus rolls out software updates after a cosmic ray bitflips an A320 into a dive Krebs tracks down a Scattered Lapsus$ Hunters teen through the usual poor opsec… … as Wired publishes an opsec guide for teens. Microsoft decides its login portal is worth a Content Security Policy South Korean online retailer data breach covers 65% of the country This week’s episode is sponsored by Nebulock. Founder and CEO Damien Lewke joins to talk through their work bringing more SIgma threat detection rules to MacOS. This episode is also available on Youtube. Show notes Airlines race to fix their Airbus planes after warning solar radiation could cause pilots to lose control | CNN Congress calls on Anthropic CEO to testify on Chinese Claude espionage campaign | CyberScoop Post-mortem of Shai-Hulud attack on November 24th, 2025 - PostHog Update: Shai-Hulud and the npm Ecosystem: Why CTEM Must Extend Beyond Your Walls | Armis Glassworm's resurgence | Secure Annex 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | Koi Blog Post by @spuxx.bsky.social — Bluesky Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ – Krebs on Security The WIRED Guide to Digital Opsec for Teens | WIRED Perth hacker Michael Clapsis jailed after setting up fake Qantas Wi-Fi, stealing sex videos - ABC News Ed Conway on X: "The person who first downloaded the OBR's document at 11:35 on Budget day (I'm guessing someone at Reuters, given they first reported it) had already guessed the web address and tried and failed to download it 32 times so far that day(!) https://t.co/6iLm2uEUj2" / X Reuters accused of hack attack | ZDNET The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’ | WIRED Microsoft tightens cloud login process to prevent common attack | Cybersecurity Dive Fortinet FortiWeb flaws found in unsupported versions of web application firewall | Cybersecurity Dive Cryptomixer platform raided by European police; $29 million in bitcoin seized | The Record from Recorded Future News Officials accuse North Korea’s Lazarus of $30 million theft from crypto exchange | The Record from Recorded Future News Data breach hits 'South Korea's Amazon,' potentially affecting 65% of country’s population | The Record from Recorded Future News NSA Contractor Groomed Teenage Girls On Reddit, DOJ Alleges Nebulock developed coreSigma for MacOS coreSigma repo:

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: Salesforce partner Gainsight has customer data stolen Crowdstrike fires insider who gave hackers screenshots of internal systems Australian Parliament turns off wifi and bluetooth in fear of of visiting Chinese bigwigs Shai-Hulud npm/Github worm is back, and rm -rf’ier than ever SEC gives up on Solarwinds lawsuit Dog eats cryptographer’s key material This week’s episode is sponsored by runZero. HD Moore pops in to talk about how they’re integrating runZero with Bloodhound-style graph databases. He also discusses uses for driving runZero’s tools with an AI, plus the complexities of shipping AI when the company has a variety of deployment models. This episode is also available on Youtube. Show notes Google says hackers stole data from 200 companies following Gainsight breach Gainsight Status Trust Status CrowdStrike fires 'suspicious insider' who passed information to hackers Salesforce cuts off access to third-party app after discovering ‘unusual activity’ Атаки разящей панды: APT31 сегодня Office of Public Affairs | Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Australian federal MPs warned to turn off phones when Chinese delegation visits Parliament House Sha1-Hulud: The Second Coming of the NPM Worm is Digging For Secrets FCC eliminates cybersecurity requirements for telecom companies Trade Associations Cybersecurity Practices Ex Parte SEC voluntarily dismisses SolarWinds lawsuit Record-breaking DDoS attack against Microsoft Azure mitigated The Cloudflare Outage May Be a Security Roadmap – Krebs on Security Critics scoff after Microsoft warns AI feature can infect machines and pilfer data vx-underground on X: "I've had a surprising amount of people ask me about Copilot" Researchers warn command injection flaw in Fortinet FortiWeb is under exploitation Two suspected Scattered Spider hackers plead not guilty over Transport for London cyberattack Russia arrests young cybersecurity entrepreneur on treason charges This campaign aims to tackle persistent security myths in favor of better advice Oops. Cryptographers cancel election results after losing decryption key. Uncovering network attack paths with runZeroHound Model Context Protocol