Risky Business #819 — Venezuela (Credibly?!) Blames USA for Wiper Attack
Podcast: Risky Business
Host: Patrick Gray
Date: December 17, 2025
Co-Host: Adam Boileau
Special Guest: Josh Kamdjou (Sublime Security)
Episode Overview
This episode delves into the latest cybersecurity news and incidents, with discussion ranging from a sophisticated OAuth consent exploit, NSA leadership chaos, suspicions around a ransomware/wiper attack on Venezuela’s state oil provider, lackluster Russian hacktivist operations, and a mounting epidemic of ICS calendar invite phishing. In a fast-paced yet accessible style, Patrick Gray and Adam Boileau break down what’s real, what matters, and what makes them laugh (or groan) about the state of infosec in late 2025.
Key Discussion Points & Insights
1. React2Shell Fallout & Continuous Disclosure
Timestamps: 00:40–03:30
- React2Shell remains heavily exploited by APT crews worldwide, now including Iranian state actors.
- Attackers are mostly seeking cloud credentials for further lateral moves.
- The wave of scrutiny has quickly led to the discovery of new bugs: a denial-of-service infinite loop and a source-code disclosure vulnerability found by Andrew McPherson.
- Insight: Once a major bug is found, expect a “pile-on” effect as researchers turn over more rocks. Constant vigilance and swift patching remain essential.
2. Consent Phishing via Azure CLI OAuth Abuse
Timestamps: 03:29–10:35
- A crafty social engineering trick, “Consent Fix”, exploits Microsoft's pre-approved Azure CLI OAuth process.
- Attackers get victims to copy and paste a localhost error URL containing sensitive key material, granting long-term access through command-line Azure tools.
- Unlike regular OAuth phishing, this leverages a default Microsoft app—bypassing admin controls set for third-party apps.
- Memorable Quotes:
  - “It’s an odd combo between being really really dumb and really really smart in a way that you don't see very often.” — Patrick Gray [03:29]
  - “It ain't dumb if it works.” — Adam Boileau [04:55]
- Takeaway: Even with phishing-resistant MFA, users can be tricked into actions that bypass typical protections. Social engineering remains the weak link.
- Resource: John Hammond’s in-depth video and Push Security’s write-up.
3. NSA Leadership Fiasco & “Clown Show” Politics
Timestamps: 10:35–15:45
- Ongoing turmoil at the NSA as Trumpist influencer Laura Loomer blocks key appointments based on LinkedIn politeness and “deep state” conspiracies.
- Even proposed director candidates lack cyber expertise, and the Deputy Director slot is stuck in drama.
- Memorable Quote:
  - “It’s a bit of a clown show over there...I feel bad for clowns even, that’s how bad it is.” — Adam Boileau [14:41]
- Insight: Political instability at the helm of US cyber institutions arrives at the worst possible moment.
- Media skepticism advised about rumors of private sector “offensive cyber” authorizations (Bloomberg report), given prior dubious stories from the same outlet.
4. Venezuela’s PDV Cyberattack — Who Did It?
Timestamps: 15:45–18:19
- Venezuelan state oil firm PDV suffers a major cyber incident, possibly a wiper or ransomware. Officially blamed on the US.
- Co-hosts admit this could be “normal” cybercrime or genuine state action—the situation and timing make American involvement plausible.
- Exchange:
  - “It feels trumpy, right? It feels trumpy.” — Patrick Gray [17:10]
  - “It smells trumpy. I agree.” — Adam Boileau [17:13]
- Supporting evidence: Seized oil tankers and logistics disruptions point to coordinated economic pressure.
5. Russian Hacktivist Activity: More Annoying Than Harmful
Timestamps: 18:19–21:21
- Russian GRU continues to fund low-level hacktivist groups; recent US indictment of Ukrainian national Victoria Dubronova (“Vika, Tory, Sovasonia”) for minor attacks (car washes, fountains, occasional meat plants).
- True impact is small and opportunistic—far from the “cyber war we were promised.”
- Highlight:
  - “This is not the cyber war we were promised.” — Adam Boileau [20:56]
6. Podcast Recommendation: Between (Three) Nerds on Iranian APTs
Timestamps: 21:21–22:32
- This week’s “Between Two Nerds” episode delves into the amusing ego-driven world of Iranian APTs, who “love to get doxed” for recognition.
- Highlight:
  - “It’s a funny episode, but also legitimately educational.” — Adam Boileau [22:18]
7. Further Russian DDoS and Air Traffic Disruption Attempts
Timestamps: 22:32–23:50
- DDoS against German parliament during Zelensky’s visit; possible real-world air traffic company attacks.
- Unclear how much is cyberattacks versus everyday tech outages—distinction is often murky.
8. Parked Domains: A New Malicious Cesspool
Timestamps: 23:50–26:20
- Brian Krebs reports that over 90% of visits to parked domains result in malicious redirects, scareware, or phishing.
- The situation worsened after Google stopped default AdSense links on these domains, paving the way for low-quality/malicious content.
- Takeaway: Even a typo can now result in a browser drive-by compromise—patch early, patch often.
9. Pornhub Data Breach: Ashley Madison for Zoomers?
Timestamps: 26:20–29:28
- A third-party supplier for Pornhub (Mixpanel) was breached, exposing premium customers’ search histories and emails.
- Pornhub and Mixpanel dispute responsibility, but leaked data is real and deeply sensitive—potential to “out” users.
- Quote:
  - “This is the sort of thing where you might be exposing somebody’s sexuality in that data set—they might be in the closet or something.” — Patrick Gray [28:28]
- Possible real-world harms reminiscent of Ashley Madison and psychotherapy clinic leaks.
10. FedRAMP Noncompliance, Salesperson Indicted
Timestamps: 29:28–31:43
- Former Accenture employee Danielle Hilma faces up to 20 years for falsely attesting to FedRAMP compliance.
- Memorable:
  - “How many salespeople only tell the full truth?” — Adam Boileau [30:37]
- Echoes the chilling effect from high-profile CISO prosecutions.
- Hosts debate whether this will stall enterprise SaaS deals or push more on-premises deployments.
11. Microsoft Finally Disables RC4 for Active Directory
Timestamps: 31:43–34:19
- Windows will soon disable insecure RC4 by default for Active Directory Kerberos flows—a long-awaited move.
- Improved logging allows admins to identify non-compliant clients/third-parties.
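The logging improvement mentioned above is what makes the cutover manageable: Kerberos audit events 4768 (TGT request) and 4769 (service ticket request) record the ticket's encryption type, so hosts still negotiating RC4 can be inventoried before the default flips. The following is an added example, not from the podcast or from Microsoft; it runs over constructed records shaped like the EventData of those two events (field names assumed to match the Windows security-event schema) and lists the clients that would break when RC4 is disabled.

```python
"""Inventory Kerberos clients still using RC4/DES from Windows audit events.

Added example. SAMPLE_EVENTS are constructed records mirroring the EventData
fields of Event ID 4768 and 4769; hostnames, accounts and addresses are
hypothetical and not real log data.
"""
from collections import defaultdict

# Encryption type codes as they appear in the TicketEncryptionType field.
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
# Types that stop working once RC4 is disabled (DES is already off by default).
WEAK_TYPES = {0x01, 0x03, 0x17, 0x18}
# Audit-failure events carry this placeholder: no ticket was actually issued.
NO_TICKET = 0xFFFFFFFF

SAMPLE_EVENTS = [  # constructed; see module docstring
    {"EventID": 4769, "TargetUserName": "svc_backup@CORP.EXAMPLE", "ServiceName": "FILESERVER01$",
     "IpAddress": "::ffff:10.20.30.40", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "WS-0042$",
     "IpAddress": "::ffff:10.20.30.41", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "jdoe", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.20.30.41", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "LEGACY-NAS$@CORP.EXAMPLE", "ServiceName": "DC01$",
     "IpAddress": "::ffff:10.20.30.99", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "svc_backup@CORP.EXAMPLE", "ServiceName": "DC01$",
     "IpAddress": "::ffff:10.20.30.40", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "printsvc", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.20.30.50", "TicketEncryptionType": "0x3"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.20.30.41"},  # not a Kerberos ticket event
]


def strip_ipv4_mapped(addr):
    """4768/4769 record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def weak_ticket_requests(events):
    """Return one finding per ticket actually issued with an RC4 or DES type."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4768, 4769):
            continue
        try:
            etype = int(str(ev.get("TicketEncryptionType", "")), 16)
        except ValueError:
            continue  # malformed or missing field: nothing to conclude
        if etype == NO_TICKET or etype not in WEAK_TYPES:
            continue
        findings.append({
            "event_id": ev["EventID"],
            "account": ev.get("TargetUserName", "?"),
            "service": ev.get("ServiceName", "?"),
            "client_ip": strip_ipv4_mapped(ev.get("IpAddress", "?")),
            "enc_type": ENC_TYPES.get(etype, hex(etype)),
        })
    return findings


def clients_by_ip(findings):
    """Group findings by client address: each address is a host to remediate."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["client_ip"]].add(f["account"])
    return {ip: sorted(accts) for ip, accts in grouped.items()}


if __name__ == "__main__":
    found = weak_ticket_requests(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['event_id']} {f['enc_type']:<12} {f['client_ip']:<14} {f['account']} -> {f['service']}")
    print("hosts to fix:", clients_by_ip(found))
```

Grouping by client address rather than by account is deliberate: the account that shows up with RC4 is often a service or machine account whose host has an old Kerberos stack or an explicit `msDS-SupportedEncryptionTypes` restriction, and the host is what needs the fix.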
12. Comedy Bug: Traefik Kubernetes Controller Inverts SSL Validation
Timestamps: 34:19–36:51
- Traefik, a popular cloud-native ingress proxy, had a hilarious bug: migrating from NGINX, the “verify SSL” setting was inverted (on became off) for six months.
- Exchange:
  - “By off, we mean on and on we mean off. Just like total inversion.” — Patrick Gray [36:51]
- Discovered by automated code analysis, not exploitation—great example of defense in depth.
Sponsor Interview: ICS Calendar Invite Phishing (with Josh Kamdjou, Sublime Security)
Timestamps: 39:02–53:10
Problem Overview
- Massive spike in phishing with calendar invites (ICS format), delivering callback phishing (“TOADs”, Telephone-Oriented Attack Delivery) and credential harvesting.
- Callback attacks have evolved from “renew your AV” scam calls to sophisticated malware/ransomware installations.
- Quote:
  - “That’s a hell of a backronym. Hat tip to whoever came up with that one.” — Patrick Gray [41:00]
Why Is It Hard to Stop?
- ICS invites can be delivered not just by email but by API-level interactions within providers (Gmail-Gmail, O365-O365), bypassing normal email filtering.
- Legacy and gateway-based email security tools can’t delete or even see calendar events once entered.
- Sublime had to build custom features to remove malicious calendar events after delivery.
Defenses & Mitigations
- End user controls: Microsoft and Google allow restricting who can auto-add calendar events—turning off global auto-add can force an accompanying email (making filtering easier), but at the cost of productivity/convenience.
- Vendors need deeper API access and monitoring to remediate malicious calendar invites, even those not associated with an email.
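Whatever the delivery path (mail or a provider API), the artefact that lands is an iCalendar object, so a defender can triage the invite itself for the callback-phishing signals the interview describes: an organizer outside the recipient's domain, a phone number to call, links to hosts unrelated to the organizer, and urgency or payment wording. The following is an added example, not Sublime Security's tooling or playbook and not code from the episode; it implements just enough RFC 5545 parsing (line unfolding, parameter/value splitting, text unescaping) to run those heuristics over two constructed invites with hypothetical domains and numbers.

```python
"""Triage an iCalendar (.ics) invite for callback-phishing indicators.
Added example: minimal RFC 5545 parsing plus heuristics for the signals the
interview describes. Domains and phone numbers below are hypothetical."""
import re

PHISH_ICS = (  # constructed sample invite modelled on the callback pattern
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:1@invoice-alerts.example\r\n"
    "DTSTART:20251218T150000Z\r\n"
    "DTEND:20251218T153000Z\r\n"
    "ORGANIZER;CN=Billing Team:mailto:billing@invoice-alerts.example\r\n"
    "ATTENDEE;CN=\"User, Victim\":mailto:user@victim-company.example\r\n"
    "SUMMARY:URGENT: Your antivirus subscription renewal $499.99\r\n"
    "DESCRIPTION:Your card was charged $499.99. To cancel\\, call support \r\n"
    " immediately at +1 (555) 010-0199 or visit https://billing-help.example/cancel\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
BENIGN_ICS = (  # constructed benign invite for comparison
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:2@victim-company.example\r\nDTSTART:20251218T100000Z\r\n"
    "ORGANIZER;CN=Alice:mailto:alice@victim-company.example\r\n"
    "ATTENDEE;CN=Bob:mailto:bob@victim-company.example\r\n"
    "SUMMARY:Weekly sync\r\n"
    "DESCRIPTION:Agenda: https://wiki.victim-company.example/sync\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
URGENCY = ("urgent", "immediately", "charged", "renewal", "suspended", "cancel", "refund")


def unfold(ics):
    """Join folded lines: a CRLF followed by one space or tab continues the line."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw and raw[0] in " \t" and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def split_property(line):
    """Return (NAME, {PARAM: value}, value), splitting on the first ':' outside quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            head, value = line[:i].split(";"), line[i + 1:]
            params = dict(p.partition("=")[::2] for p in head[1:])
            return head[0].upper(), {k.upper(): v.strip('"') for k, v in params.items()}, value
    return None, {}, line


def unescape(text):
    """Undo RFC 5545 TEXT escaping: \\n -> newline, \\, \\; \\\\ -> the literal char."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)


def parse_invite(ics):
    """Collect the fields we triage from the VEVENT(s) plus the top-level METHOD."""
    inv = {"method": "", "summary": "", "description": "", "url": "", "organizer": "", "attendees": []}
    in_event = False
    for line in unfold(ics):
        name, _params, value = split_property(line)
        if name in ("BEGIN", "END") and value.upper() == "VEVENT":
            in_event = name == "BEGIN"
        elif name == "METHOD":
            inv["method"] = value.upper()
        elif in_event and name in ("SUMMARY", "DESCRIPTION"):
            inv[name.lower()] = unescape(value)
        elif in_event and name in ("URL", "ORGANIZER"):
            inv[name.lower()] = value
        elif in_event and name == "ATTENDEE":
            inv["attendees"].append(value)
    return inv


def mail_domain(addr):
    """Domain part of a 'mailto:user@domain' (or bare address) value."""
    addr = addr.lower()
    return (addr[7:] if addr.startswith("mailto:") else addr).rpartition("@")[2]


def triage(inv):
    """Return human-readable indicators; an empty list means nothing stood out."""
    flags = []
    text = "\n".join((inv["summary"], inv["description"], inv["url"]))
    org_dom = mail_domain(inv["organizer"])
    att_doms = {mail_domain(a) for a in inv["attendees"]}
    # a REQUEST from a domain none of the recipients belong to
    if inv["method"] == "REQUEST" and org_dom and att_doms and org_dom not in att_doms:
        flags.append(f"external organizer: {org_dom}")
    # a number to call is the hallmark of callback (TOAD) phishing
    if PHONE_RE.search(text):
        flags.append("phone number in invite body")
    for host in sorted({h.lower() for h in URL_RE.findall(text)}):
        if host != org_dom and not host.endswith("." + org_dom):
            flags.append(f"link to non-organizer host: {host}")
    hits = sorted(w for w in URGENCY if w in text.lower())
    if len(hits) >= 2:
        flags.append("urgency/payment language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for label, ics in (("phish", PHISH_ICS), ("benign", BENIGN_ICS)):
        print(label, triage(parse_invite(ics)) or ["no indicators"])
```

The parser works on the invite body, so the same checks apply whether the ICS arrived as a mail attachment or was written straight into the calendar through a provider API; the point of the interview is that only the latter path lacks a filtering hook, not that the artefact differs.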
Trends
- Over 100x increase in calendar phishing volume—likely now included in “phishing kits” for commodity attackers.
- ICS-based phishing isn’t new, but recent commoditization has fueled massive abuse, akin to past surges in QR code phishing.
- Sublime open-sourcing a “playbook” and tooling to let any IR team clean up malicious calendar invites, not just their own customers.
- Insight: Flexibility in detection and response remains vital as threat actors rapidly shift tactics.
Notable Quotes and Moments
- On OAuth attack innovation: “I’m totally here for novel research. And this is, you know, it’s just great lateral thinking. I love it.” — Adam Boileau [10:17]
- On Russian hacktivists: “Attacking a car wash in Florida... attacking a children’s water park in the Netherlands turned out to be a fountain.” — Adam Boileau [20:14]
- On the “clown show” at the NSA: “Such a clown show. And I feel like, I feel bad for clowns even, you know, that’s how bad it is over there.” — Adam Boileau [14:41]
- On the impact of the Pornhub leak: “It’s the sort of thing where...you might be exposing somebody’s sexuality in that data set that...has a lot of potential to cause people serious distress.” — Patrick Gray [28:28]
Episode Recommendations
- References:
  - John Hammond’s video on Azure CLI consent phishing (see show notes).
  - “Between (Three) Nerds” episode on Iranian APTs—educational and funny.
Episode Tone
Lively, irreverent, and pacy—Patrick and Adam mix deep expertise with wit, poking fun at the absurdities of the industry while delivering sharp analysis and actionable insight. They balance humor (“it feels trumpy,” SSL setting inversion) with gravity on serious breaches (Pornhub, FedRAMP fraud) and empathy for real-world victims.
Useful Timestamps
| Segment | Timestamp |
|---|---|
| React2Shell Fallout | 00:40–03:29 |
| Consent Phishing / Azure CLI OAuth Abuse | 03:29–10:35 |
| NSA/US Cyber Leadership Dysfunction | 10:35–15:45 |
| Venezuela PDV Cyber Attack | 15:45–18:19 |
| Russian Hacktivist “Trash” Operations | 18:19–21:21 |
| Iranian APT Podcast Plug | 21:21–22:32 |
| Parked Domains Maliciousness | 23:50–26:20 |
| Pornhub Data Leak | 26:20–29:28 |
| FedRAMP Misrepresentation | 29:28–31:43 |
| Microsoft Killing RC4 | 31:43–34:19 |
| Traefik SSL Comedy Bug | 34:19–36:51 |
| Sponsor Interview: ICS Calendar Phishing | 39:02–53:10 |
Closing Thoughts
A must-listen for any infosec professional seeking a no-nonsense, humorous, and up-to-the-minute view of cyber threats and the odd cyber policy circus. Risky Business continues to blend industry gravitas with a refreshing real-world perspective.
