app_store_button

google_play_button

is Device Banner Block 894x1036

Stígðu inn í heim af óteljandi sögum

Hlustaðu og lestu

Patrick Gray

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

Risky Business

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • React2Shell attacks continue, surprising no one

 • The unholy combination of OAuth consent phishing, social engineering and Azure CLI

 • Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?!

 • Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain

 • Microsoft finally turns RC4 off by default in Active Directory Kerberos

 • Traefik’s TLS verify=on … turns it off, whoopsie 🤡

This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess.

The Risky Business weekly show is taking holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends.

This episode is also available on Youtube.

 
 
 Show notes
 
 
 React2Shell attacks expand widely across multiple sectors | Cybersecurity Dive
 
 React issues new patches after security researchers flag additional flaws | Cybersecurity Dive
 
 ConsentFix: Browser-native ClickFix hijacks OAuth grants
 
 Hacking Endpoint to Identity (Microsoft 365): "ConsentFix" - YouTube
 
 Announced pick for No. 2 at NSA won’t get the job as another candidate surfaces | The Record from Recorded Future News
 
 Laura Loomer on X: "EXCLUSIVE: 🚨 White House Official Confirms Ongoing Search for NSA Deputy Director As Tim Kosiba's Deep State And Anti-Trump Ties Raise Red Flags 🚨"
 
 Senior official at Indo-Pacific Command is set to be Trump’s pick to lead Cyber Command, NSA | The Record from Recorded Future News
 
 Trump Administration Turning to Private Firms in Cyber Offensive - Bloomberg
 
 PdV says cyber attacks contained | Latest Market News
 
 Venezuela state oil company blames cyberattack on US after tanker seizure | The Record from Recorded Future News
 
 Office of Public Affairs | Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups | United States Department of Justice
 
 DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure | The Record from Recorded Future News
 
 vx-underground on X: "The United States government has indicted a state-sponsored Threat Actor named Victoria Eduardovna Dubranova"
 
 vx-underground on X: "I'm actually laughing. One of the compromises is so dumb"
 
 German parliament suffers suspected cyber attack during Zelenskyy’s visit
 
 Während Selenskyj-Besuch: Große Internet-Störung im Bundestag! | Politik | BILD.de
 
 Germany summons Russian ambassador over cyberattack, election disinformation | The Record from Recorded Future News
 
 Russische hackgroep had toegang tot openbare waterfontein in Nederland | de Volkskrant
 
 Most Parked Domains Now Serving Malicious Content – Krebs on Security
 
 PornHub extorted after hackers steal Premium member activity data
 
 Office of Public Affairs | Senior Manager for Government Contractor Charged in Cybersecurity Fraud Scheme | United States Department of Justice
 
 Microsoft will finally kill obsolete cipher that has wreaked decades of havoc - Ars Technica
 
 CVE-2025-66491: Traefik's "Verify=On" Turned TLS Off | AISLE
 
 Dylan O'Donnell 🦋 on X: "This week I was rushed to hospital with a diagnosis of oesophageal cancer."

Risky Business #819 -- Venezuela (credibly?!) blames USA for wiper attack

In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph.

OpenGraph enumerates attack paths across platforms and services, not just your primary directories.

A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it.

Cross-platform attack path enumeration! So good!

This episode is also available on Youtube.

 
 
 Show notes

Risky Biz Soap Box: Graph the planet!

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate?

 • China is out popping shells with it

 • Linux adds support for PCIe bus encryption

 • Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems

 • …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him?

This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board?

This episode is also available on Youtube.

 
 
 Show notes
 
 
 Risky Bulletin: APTs go after the React2Shell vulnerability within hours - Risky Business Media
 
 Guillermo Rauch on X: "React2Shell" / X
 
 React2Shell-CVE-2025-55182-original-poc/README.md at main · lachlan2k/React2Shell-CVE-2025-55182-original-poc · GitHub
 
 Hydrogen: Shopify’s headless commerce framework
 
 Researchers track dozens of organizations affected by React2Shell compromises tied to China’s MSS | The Record from Recorded Future News
 
 Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
 
 Three hacking groups, two vulnerabilities and all eyes on China | The Record from Recorded Future News
 
 Risky Bulletin: Linux adds PCIe encryption to help secure cloud servers
 
 Sean Plankey nomination to lead CISA appears to be over after Thursday vote | CyberScoop
 
 🕳 on X: "This guy is complaining that GrapheneOS “failed him”. Showing a Belgian 🇧🇪 police request for an interrogation regarding premeditated murder (as a suspect)." / X
 
 Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers say | TechCrunch
 
 To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware - Amnesty International Security Lab
 
 Is ransomware finally on the decline? Treasury data offers cautious hope | CyberScoop
 
 UK cyber agency warns LLMs will always be vulnerable to prompt injection | CyberScoop
 
 In comedy of errors, men accused of wiping gov databases turned to an AI tool - Ars Technica

Risky Business #818 -- React2Shell is a fun one

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. It’s a quiet week with Thanksgiving in the US, but there’s always some cyber to talk about:

 • Airbus rolls out software updates after a cosmic ray bitflips an A320 into a dive

 • Krebs tracks down a Scattered Lapsus$ Hunters teen through the usual poor opsec…

 • … as Wired publishes an opsec guide for teens.

 • Microsoft decides its login portal is worth a Content Security Policy

 • South Korean online retailer data breach covers 65% of the country

This week’s episode is sponsored by Nebulock. Founder and CEO Damien Lewke joins to talk through their work bringing more SIgma threat detection rules to MacOS.

This episode is also available on Youtube.

 
 
 Show notes
 
 
 Airlines race to fix their Airbus planes after warning solar radiation could cause pilots to lose control | CNN
 
 Congress calls on Anthropic CEO to testify on Chinese Claude espionage campaign | CyberScoop
 
 Post-mortem of Shai-Hulud attack on November 24th, 2025 - PostHog
 
 Update: Shai-Hulud and the npm Ecosystem: Why CTEM Must Extend Beyond Your Walls | Armis
 
 Glassworm's resurgence | Secure Annex
 
 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | Koi Blog
 
 Post by @spuxx.bsky.social — Bluesky
 
 Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ – Krebs on Security
 
 The WIRED Guide to Digital Opsec for Teens | WIRED
 
 Perth hacker Michael Clapsis jailed after setting up fake Qantas Wi-Fi, stealing sex videos - ABC News
 
 Ed Conway on X: "The person who first downloaded the OBR's document at 11:35 on Budget day (I'm guessing someone at Reuters, given they first reported it) had already guessed the web address and tried and failed to download it 32 times so far that day(!) https://t.co/6iLm2uEUj2" / X
 
 Reuters accused of hack attack | ZDNET
 
 The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’ | WIRED
 
 Microsoft tightens cloud login process to prevent common attack | Cybersecurity Dive
 
 Fortinet FortiWeb flaws found in unsupported versions of web application firewall | Cybersecurity Dive
 
 Cryptomixer platform raided by European police; $29 million in bitcoin seized | The Record from Recorded Future News
 
 Officials accuse North Korea’s Lazarus of $30 million theft from crypto exchange | The Record from Recorded Future News
 
 Data breach hits 'South Korea's Amazon,' potentially affecting 65% of country’s population | The Record from Recorded Future News
 
 NSA Contractor Groomed Teenage Girls On Reddit, DOJ Alleges
 
 Nebulock developed coreSigma for MacOS
 
 coreSigma repo:

Risky Business #817 -- Less carnage than your usual Thanksgiving

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • Salesforce partner Gainsight has customer data stolen

 • Crowdstrike fires insider who gave hackers screenshots of internal systems

 • Australian Parliament turns off wifi and bluetooth in fear of of visiting Chinese bigwigs

 • Shai-Hulud npm/Github worm is back, and rm -rf’ier than ever

 • SEC gives up on Solarwinds lawsuit

 • Dog eats cryptographer’s key material

This week’s episode is sponsored by runZero. HD Moore pops in to talk about how they’re integrating runZero with Bloodhound-style graph databases. He also discusses uses for driving runZero’s tools with an AI, plus the complexities of shipping AI when the company has a variety of deployment models.

This episode is also available on Youtube.

 
 
 Show notes
 
 
 Google says hackers stole data from 200 companies following Gainsight breach
 
 Gainsight Status
 
 Trust Status
 
 CrowdStrike fires 'suspicious insider' who passed information to hackers
 
 Salesforce cuts off access to third-party app after discovering ‘unusual activity’
 
 Атаки разящей панды: APT31 сегодня
 
 Office of Public Affairs | Seven Hackers Associated with Chinese Government Charged with Computer Intrusions 
 
 Australian federal MPs warned to turn off phones when Chinese delegation visits Parliament House
 
 Sha1-Hulud: The Second Coming of the NPM Worm is Digging For Secrets
 
 FCC eliminates cybersecurity requirements for telecom companies
 
 Trade Associations Cybersecurity Practices Ex Parte
 
 SEC voluntarily dismisses SolarWinds lawsuit
 
 Record-breaking DDoS attack against Microsoft Azure mitigated
 
 The Cloudflare Outage May Be a Security Roadmap – Krebs on Security
 
 Critics scoff after Microsoft warns AI feature can infect machines and pilfer data
 
 vx-underground on X: "I've had a surprising amount of people ask me about Copilot"
 
 Researchers warn command injection flaw in Fortinet FortiWeb is under exploitation
 
 Two suspected Scattered Spider hackers plead not guilty over Transport for London cyberattack
 
 Russia arrests young cybersecurity entrepreneur on treason charges
 
 This campaign aims to tackle persistent security myths in favor of better advice
 
 Oops. Cryptographers cancel election results after losing decryption key.
 
 Uncovering network attack paths with runZeroHound
 
 Model Context Protocol

Risky Business #816 -- Copilot Actions for Windows is extremely dicey

In this sponsored Soap Box edition of the podcast, Andrew Morris joins Patrick Gray to talk about how Greynoise can often get a 90 day heads up on serious vulnerabilities. Whether it’s malicious actors doing reconnaissance or the affected vendors trying to understand the scope of the problem, it seems that mass scanning activity lines up pretty nicely with typical 90-day disclosure timelines.

A fascinating chat with Andrew, as always.

This episode is also available on Youtube.

 
 
 Show notes

Risky Biz Soap Box: Greynoise knows when bad bugs are coming

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • Anthropic says a Chinese APT orchestrated attacks using its AI

 • It’s a day ending in -y, so of course there are shamefully bad Fortinet exploits in the wild

 • Turns out slashing CISA was a bad idea, now it’s time for a hiring spree

 • Researchers brute force entire phone number space against Whatsapp contact discovery API

 • DOJ figures out how to make SpaceX turn off scam compounds’ Starlink service

This week’s episode is sponsored by Mastercard. Senior Vice President of Mastercard Cybersecurity Urooj Burney joins to talk about how the roles of fraud and cyber teams in the financial sector are starting to converge. Mastercard also recently acquired Recorded Future, and Urooj talks about how they aim to integrate cyber threat intelligence into the financial world.

This episode is also available on Youtube.

 
 
 Show notes
 
 
 Full report: Disrupting the first reported AI-orchestrated cyber espionage campaign
 
 Researchers question Anthropic claim that AI-assisted attack was 90% autonomous - Ars Technica
 
 China’s ‘autonomous’ AI-powered hacking campaign still required a ton of human work | CyberScoop
 
 Amazon discovers APT exploiting Cisco and Citrix zero-days | AWS Security Blog
 
 CISA gives federal agencies one week to patch exploited Fortinet bug | The Record from Recorded Future News
 
 PSIRT | FortiGuard Labs
 
 CISA, eyeing China, plans hiring spree to rebuild its depleted ranks | Cybersecurity Dive
 
 This Is the Platform Google Claims Is Behind a 'Staggering’ Scam Text Operation | WIRED
 
 A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers | WIRED
 
 DOJ Issued Seizure Warrant to Starlink Over Satellite Internet Systems Used at Scam Compound | WIRED
 
 Multiple US citizens plead guilty to helping North Korean IT workers earn $2 million | The Record from Recorded Future News
 
 Cyberattack leaves Jaguar Land Rover short of £680 million | The Record from Recorded Future News
 
 FBI: Akira gang has received nearly $250 million in ransoms | The Record from Recorded Future News
 
 Operation Endgame: Police reveal takedowns of three key cybercrime tools | The Record from Recorded Future News
 
 Inside a Wild Bitcoin Heist: Five-Star Hotels, Cash-Stuffed Envelopes, and Vanishing Funds | WIRED

Risky Business #815 -- Anthropic's AI APT report is a big deal

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • The KK Park scam compound in Myanmar gets blasted with actual dynamite

 • China sentences more scammers TO DEATH

 • While Singapore is opting to lash them with the cane

 • Chinese security firm KnownSec leaks a bunch of documents

 • Necromancy continues on NSO Group, with a Trump associate in charge

 • OWASP freshens up the Top 10, you won’t believe what’s number three!

This week’s episode is sponsored by Thinkst Canary. Big bird Haroon Meer joins and, as usual, makes a good point. If you’re going to trust a vendor to do something risky like put a box on your network, they have an obligation to explain how they make that safe. Thinkst has a /security page that does exactly that. So why do we let Palo Alto and Fortinet get away with “trust me, bro”?

This episode is also available on Youtube.

 
 
 Show notes
 
 
 Myanmar Junta Dynamites Scam Hub in PR Move as Global Pressure Grows
 
 China sentences 5 Myanmar scam kingpins to death | The Record from Recorded Future News
 
 Law passed for scammers, mules to be caned after victims in Singapore lose almost $4b since 2020 | The Straits Times
 
 KnownSec breach: What we know so far. - NetAskari
 
 Risky Bulletin: Another Chinese security firm has its data leaked
 
 Inside Congress Live
 
 The Government Shutdown Is a Ticking Cybersecurity Time Bomb | WIRED
 
 Former Trump official named NSO Group executive chairman | The Record from Recorded Future News
 
 Short-term renewal of cyber information sharing law appears in bill to end shutdown | The Record from Recorded Future News
 
 Jaguar Land Rover hack hurt the U.K.'s GDP, Bank of England says
 
 Monetary Policy Report - November 2025 | Bank of England
 
 SonicWall says state-linked actor behind attacks against cloud backup service | Cybersecurity Dive
 
 Japanese media giant Nikkei reports Slack breach exposing employee and partner records | The Record from Recorded Future News
 
 "Intel sues former employee for allegedly stealing confidential data" Post by @campuscodi.risky.biz — Bluesky
 
 Introduction - OWASP Top 10:2025 RC1

Risky Business #814 -- It's a bad time to be a scam compound operator

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • We love some good vulnerability reporting drama, this time FFmpeg’s got beef with Google

 • OpenAI announces its Aardvark bug-gobbling system

 • Two US ransomware responders get arrested for… ransomware

 • Memento (nee HackingTeam) CEO says: Sì, those are totally our tools getting snapped in Russia

 • Hackers help freight theft gangs steal shipments to resell

 • A second Jabber Zeus mastermind gets his comeuppance 15 years on

This week’s episode is sponsored by Nucleus Security, who make a vulnerability information management system. Co-founder Scott Kuffer says that approaches for triaging vulnerabilities have started to fall apart, given there are just. So. Many. And they’re all important!

This episode is also available on Youtube.

 
 
 Show notes
 
 
 vx-underground on X: "Yeah, so pretty much this entire drama thing is FFmpeg are a bunch of nerds…"
 
 FFmpeg on X: "@DavidEGrayson It's someone's hobby project of an obscure 1990s decoder…"
 
 Halvar Flake on X: "Given the extremely big role ffmpeg has played historically..."
 
 thaddeus e. grugq on X: "Current drama: Plucky security researcher Google takes on volunteer open source behemoth FFmpeg."
 
 Robert Graham on X: "Current status: There's a conflict between Google…"
 
 Introducing Aardvark: OpenAI’s agentic security researcher | OpenAI
 
 Bugcrowd acquires Mayhem Security to advance AI-powered security testing | CyberScoop
 
 Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks | CyberScoop
 
 Former Trenchant Exec Sold Stolen Code to Russian Buyer Even After Learning that Other Code He Sold Was Being "Utilized" by Different Broker in South Korea
 
 How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia | TechCrunch
 
 Operation Zero — A Zero-Day Vulnerability Platform
 
 John Scott-Railton on X: "7/ There's a push to scale up America's offensive industry right now…"
 
 CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware | TechCrunch
 
 Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed Microsoft Teams Vulnerabilities Uncovered
 
 Cargo theft gets a boost from hackers using remote monitoring tools | The Record from Recorded Future News
 
 Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint US
 
 Alleged Conti ransomware gang affiliate appears in Tennessee court after Ireland extradition | The Record from Recorded Future News
 
 Three suspected developers of Meduza Stealer malware arrested in Russia | The Record from Recorded Future News
 
 Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody – Krebs on Security
 
 Windows Server Update Service exploitation ensnares at least 50 victims | Cybersecurity Dive
 
 Post by @paulschnack.bsky.social — Bluesky

Risky Business #813 -- FFmpeg has a point

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • L3Harris Trenchant boss accused of selling exploits to Russia once worked at the Australian Signals Directorate

 • Microsoft WSUS bug being exploited in the wild

 • Dan Kaminsky DNS cache poisoning comes back because of a bad PRNG

 • SpaceX finally starts disabling Starlink terminals used by scammers

 • Garbage HP update deletes certificates that authed Windows systems to Entra

This week’s episode is sponsored by automation company Tines. Field CISO Matt Muller joins to discuss how Tines has embraced LLMs and the agentic-AI future into their workflow automation.

This episode is also available on Youtube.

 
 
 Show notes
 
 
 US accuses former L3Harris cyber boss of stealing and selling secrets to Russian buyer | TechCrunch
 
 Attackers bypass patch in deprecated Windows Server update tool | CyberScoop
 
 CVE-2025-59287 WSUS Unauthenticated RCE | HawkTrace
 
 CVE-2025-59287 WSUS Remote Code Execution | HawkTrace
 
 Catching Credential Guard Off Guard - SpecterOps
 
 Cache poisoning vulnerabilities found in 2 DNS resolving apps - Ars Technica
 
 Uncovering Qilin attack methods exposed through multiple cases
 
 Safety on X: "By November 10, we’re asking all accounts that use a security key as their two factor authentication (2FA) method to re-enroll their key to continue accessing X. You can re-enroll your existing security key, or enroll a new one. A reminder: if you enroll a new security key, any" / X
 
 SpaceX disables more than 2,000 Starlink devices used in Myanmar scam compounds | The Record from Recorded Future News
 
 SpaceX: Update Your Inactive Starlink Dishes Now or They'll Be Bricked
 
 How we linked ForumTroll APT to Dante spyware by Memento Labs | Securelist
 
 Former Polish official indicted over spyware purchase | The Record from Recorded Future News
 
 HP OneAgent Update Broke Entra Trust on HP AI Devices
 
 Windows' Built-in OpenSSH for Offensive Security
 
 How Hacked Card Shufflers Allegedly Enabled a Mob-Fueled Poker Scam That Rocked the NBA | WIRED

Risky Business #812 -- Alleged Trenchant exploit mole is ex-ASD

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

 • SEC fines tech firms for downplaying the Solarwinds hacks

 • Anonymous Sudan still looks and quacks like a Russian duck

 • Apple proposes max 10 day TLS certificate life

 • Oopsie! Microsoft loses a bunch of cloud logs

 • Veeam and Fortinet are bad and should feel bad

 • North Koreans are good (at hacking)

 • And much, much more.

This week’s episode is sponsored by Proofpoint. Chief Strategy Officer Ryan Kalember joins to talk about their work keeping up with prolific threat actor SocGholish.

This episode is also available on Youtube.

 
 
 Show notes
 
 
 Four cyber companies fined for SolarWinds disclosure failures
 
 U.S. charges Sudanese men with running powerful cyberattack-for-hire gang
 
 Hacker Charged With Seeking to Kill Using Cyberattacks on Hospitals | WIRED
 
 Risky Biz News: Anonymous Sudan's Russia Links Are (Still) Obvious
 
 Microsoft confirms partial loss of security log data on multiple platforms | Cybersecurity Dive
 
 Risky Biz News: Apple wants to reduce the lifespan of TLS certificates to 10 days
 
 Encrypted Chat App ‘Session’ Leaves Australia After Visit From Police
 
 Crypto platform Radiant Capital says $50 million in digital coins stolen following account compromises
 
 North Korean hackers use newly discovered Linux malware to raid ATMs - Ars Technica
 
 Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach – Krebs on Security
 
 Here’s how SIM swap in alleged bitcoin pump-and-dump scheme worked - Ars Technica
 
 Critical Veeam CVE actively exploited in ransomware attacks | Cybersecurity Dive
 
 FortiGate admins report active exploitation 0-day. Vendor isn’t talking. - Ars Technica
 
 Hackers reportedly impersonate cyber firm ESET to target organizations in Israel
 
 The latest in North Korea’s fake IT worker scheme: Extorting the employers

Risky Business #767 – SEC fines Check Point, Mimecast, Avaya and Unisys over hacks

Hlustaðu og lestu

Other podcasts you might like ...