Risky Business Weekly (819): Venezuela (credibly?!) blames USA for wiper attack

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

  • React2Shell attacks continue, surprising no one
  • The unholy combination of OAuth consent phishing, social engineering and Azure CLI
  • Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?!
  • Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain
  • Microsoft finally turns RC4 off by default in Active Directory Kerberos
  • Traefik’s TLS verify=on … turns it off, whoopsie 🤡

This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess.

The Risky Business weekly show is taking a holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends.

Show Notes:

React2Shell attacks expand widely across multiple sectors https://www.cybersecuritydive.com/news/react2shell-attacks-expand-multiple-sectors/808030/

React issues new patches after security researchers flag additional flaws https://www.cybersecuritydive.com/news/react-issues-new-patches-after-security-researchers-flag-additional-flaws/807776/

ConsentFix: Browser-native ClickFix hijacks OAuth grants https://pushsecurity.com/blog/consentfix

Hacking Endpoint to Identity (Microsoft 365): “ConsentFix” https://www.youtube.com/watch?v=AAiiIY-Soak

Announced pick for No. 2 at NSA won’t get the job as another candidate surfaces https://therecord.media/announced-nsa-deputy-director-pick-joe-francescon-not-taking-job

Laura Loomer on X: “Tim Kosiba’s Deep State And Anti-Trump Ties Raise Red Flags” https://x.com/lauraloomer/status/2000057405204300088

Senior official at Indo-Pacific Command is set to be Trump’s pick to lead Cyber Command, NSA https://therecord.media/joshua-rudd-nomination-cyber-command-nsa

Trump Administration Turning to Private Firms in Cyber Offensive https://www.bloomberg.com/news/articles/2025-12-12/trump-administration-turning-to-private-firms-in-cyber-offensive

PdV says cyber attacks contained https://www.argusmedia.com/en/news-and-insights/latest-market-news/2766060-pdv-says-cyber-attacks-contained

Venezuela state oil company blames cyberattack on US after tanker seizure https://therecord.media/venezuela-state-oil-company-blames-cyberattack-on-us

Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups https://www.justice.gov/opa/pr/justice-department-announces-actions-combat-two-russian-state-sponsored-cyber-criminal

DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure https://therecord.media/doj-cisa-warn-russia-hackers-targeting-critical-infrastructure

vx-underground on X: “The United States government has indicted a state-sponsored Threat Actor named Victoria Eduardovna Dubranova” https://x.com/vxunderground/status/1998779086374658416?s=12

vx-underground on X: “I’m actually laughing. One of the compromises is so dumb” https://x.com/vxunderground/status/1998783026063388847?s=46&t=VLIuBKdOq3MvRk4IpV-_-A

German parliament suffers suspected cyber attack during Zelenskyy’s visit https://www.ft.com/content/8ca64b0a-2b9a-4736-8df4-2b1c6c4693e8

During Zelenskyy's visit: Major internet outage in the Bundestag! https://www.bild.de/politik/inland/waehrend-selenskyj-besuch-grosse-internet-stoerung-im-bundestag-6940216a11416590a630bd61

Germany summons Russian ambassador over cyberattack, election disinformation https://therecord.media/germany-summons-russian-ambassador-cyberattack-disinformation

Russian hacking group had access to a public water fountain in the Netherlands https://www.volkskrant.nl/binnenland/russische-hackgroep-had-toegang-tot-openbare-waterfontein-in-nederland~bd120e79/

Most Parked Domains Now Serving Malicious Content https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/

PornHub extorted after hackers steal Premium member activity data https://www.bleepingcomputer.com/news/security/pornhub-extorted-after-hackers-steal-premium-member-activity-data/

Senior Manager for Government Contractor Charged in Cybersecurity Fraud Scheme https://www.justice.gov/opa/pr/senior-manager-government-contractor-charged-cybersecurity-fraud-scheme

Microsoft will finally kill obsolete cipher that has wreaked decades of havoc https://arstechnica.com/security/2025/12/microsoft-will-finally-kill-obsolete-cipher-that-has-wreaked-decades-of-havoc/

CVE-2025-66491: Traefik’s “Verify=On” Turned TLS Off https://aisle.com/blog/cve-2025-66491-traefiks-verifyon-turned-tls-off

Dylan O’Donnell 🦋 on X: “This week I was rushed to hospital with a diagnosis of oesophageal cancer.” https://x.com/erfmufn/status/1997445694727279061