Risky Business - Risky Business #819 -- Venezuela (credibly?!) blames USA for wiper attack
Episode Date: December 17, 2025
In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:
React2Shell attacks continue, surprising no one
The un...holy combination of OAuth consent phishing, social engineering and Azure CLI
Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?!
Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain
Microsoft finally turns RC4 off by default in Active Directory Kerberos
Traefik’s TLS verify=on … turns it off, whoopsie 🤡
This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess.
The Risky Business weekly show is taking a holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends.
This episode is also available on Youtube.
Show notes
React2Shell attacks expand widely across multiple sectors | Cybersecurity Dive
React issues new patches after security researchers flag additional flaws | Cybersecurity Dive
ConsentFix: Browser-native ClickFix hijacks OAuth grants
Hacking Endpoint to Identity (Microsoft 365): "ConsentFix" - YouTube
Announced pick for No. 2 at NSA won’t get the job as another candidate surfaces | The Record from Recorded Future News
Laura Loomer on X: "EXCLUSIVE: 🚨 White House Official Confirms Ongoing Search for NSA Deputy Director As Tim Kosiba's Deep State And Anti-Trump Ties Raise Red Flags 🚨"
Senior official at Indo-Pacific Command is set to be Trump’s pick to lead Cyber Command, NSA | The Record from Recorded Future News
Trump Administration Turning to Private Firms in Cyber Offensive - Bloomberg
PdV says cyber attacks contained | Latest Market News
Venezuela state oil company blames cyberattack on US after tanker seizure | The Record from Recorded Future News
Office of Public Affairs | Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups | United States Department of Justice
DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure | The Record from Recorded Future News
vx-underground on X: "The United States government has indicted a state-sponsored Threat Actor named Victoria Eduardovna Dubranova"
vx-underground on X: "I'm actually laughing. One of the compromises is so dumb"
German parliament suffers suspected cyber attack during Zelenskyy’s visit
During Zelenskyy's visit: major internet outage in the Bundestag! | Politik | BILD.de
Germany summons Russian ambassador over cyberattack, election disinformation | The Record from Recorded Future News
Russian hacking group had access to a public water fountain in the Netherlands | de Volkskrant
Most Parked Domains Now Serving Malicious Content – Krebs on Security
PornHub extorted after hackers steal Premium member activity data
Office of Public Affairs | Senior Manager for Government Contractor Charged in Cybersecurity Fraud Scheme | United States Department of Justice
Microsoft will finally kill obsolete cipher that has wreaked decades of havoc - Ars Technica
CVE-2025-66491: Traefik's "Verify=On" Turned TLS Off | AISLE
Dylan O'Donnell 🦋 on X: "This week I was rushed to hospital with a diagnosis of oesophageal cancer."
Transcript
Hey everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Sublime Security and we'll be hearing from Josh Kamdjou a little bit later about the spate of calendar invite phishing that's going around and how that is actually kind of a complicated problem to deal with if you're an email security provider.
Interesting topic actually even though it's like low level stupid but at high volume stuff like dealing with it is a pain. So Josh will be with us a little bit later on.
to talk through all of that. It's been a hard week for us, Aussies, with everything that's
happened in Bondi, our thoughts, our hearts go out to everybody in Sydney who's been
affected by the horrible massacre that happened at Bondi Beach. If I was just going to say one
thing about that, I would say that as much as it's been a dark week, there's an awful lot
to be proud of there as well. Everything from the way surf lifesavers pulled people to safety,
placing themselves at risk, the way that civilians were able to disarm these attackers,
the way that the police were able to take these guys out in four and a half minutes for the
first one and completely taken out after six minutes with pistols,
facing down people with shotguns and rifles, showing just incredible bravery.
There is so much to be proud of.
So as much as it's been a very dark period, you know, I think it's important that we don't
lose sight of that aspect of this as well, which is that it could have been a lot worse,
and everybody did what they were supposed to do. But look, heavy enough, right? So we're going
to move on and get into this week's news. I just felt I had to say something there.
But Adam, let's talk about the cybers, right? Because the cyber's a lot more fun than all of that.
And first of all, a quick update on the React2Shell stuff. Every APT crew on the planet,
apparently jumping in on the action there.
We've got the, even the Iranians are jumping in on this one.
And it looks like they're grabbing cloud service credentials
seems to be what people are after here, not so much shells.
Yeah, we've seen, I think Microsoft did a write-up of a number of campaigns they've seen,
and there's people deploying proxy networks,
there's people deploying, you know, regular root kits and shells for access.
And, yeah, stealing cloud credentials.
I guess that indicates, you know, that's what people want these days,
is to pivot onwards into all the cloud properties.
But yeah, this is kind of as we expected,
you know, CVSS 10 out of 10 north bug.
Of course, it's going to go big.
Yeah, yeah.
And meanwhile, a couple more bugs like we said last week, right?
Which we said last week,
now that there's been one big bug in this stuff,
other people are going to have a look
and stuff will undoubtedly fall out.
We've already seen a couple more.
I think, what, there's a memleak and a DoS condition here
that are, you know, not particularly high impact,
but kind of funny because they were found very, very quickly.
Yeah, yeah, one of them is like a straight up denial of service by putting it into an infinite loop is not really what you want.
And yet another thing was a source code disclosure one where you can get the server side JavaScript source code, which is useful for finding other bugs and maybe credentials and tokens and things.
So yeah, people who are out there patching, you know, have just discovered that they run a React server components and are patching them.
They're going to be patching again.
But yes, as you said, this is what we expect to happen, you know, once someone finds a bug and everyone else starts piling on.
Yeah, I think Andrew MacPherson, ex-Maltego, actually found those.
So nicely done, Andrew.
Now, let's move on to that technique that I was talking about just at the intro there, ConsentFix, right?
So ClickFix has become, this somehow has become a big thing, right?
And this is where people, it's the clipboard thing where the attacker put something on your clipboard,
and then they tell people, oh, you've got to pay, you know, you've got to go to the start bar and like run it as a command and whatever and paste.
and off you go.
And look, people are still doing it, so it clearly works, right?
So now let's talk about ConsentFix, which is kind of a similar thing,
but it doesn't touch the endpoint.
It's all in browser.
The reason we know about this is because Push Security and, full disclosure,
they're a sponsor of the show, and I'm an advisor to them.
I've got share options in them and whatever,
but that's not why we're talking about it.
We're talking about it because this is actually very, very cool.
The only reason we know about this is because finally we've got some companies
making like browser telemetry products that can see these sorts of things.
And man, they found a good one here.
John Hammond, too, who's the security YouTube guy.
He's got like 2 million subscribers.
He did a long video on this too, which is awesome.
And we've linked through to it in the show notes.
But walk us through this technique because like it's this odd combo between being really,
really dumb and really, really smart in a way that you don't see very often, right?
Well, you know, the old classic, it ain't dumb if it works.
but yeah, this is a, it's actually, it's really, it's really clever.
So the deal here is you're browsing the web
and the site that you're visiting will prompt you
to authenticate an OAuth application in your Microsoft account.
And the application it prompts you to add is the Azure CLI,
so the command line interface for talking into Azure.
And this is an OAuth app that's kind of enabled by default for all tenancies.
And the process of authenticating an OAuth app like this one, the way that it was intended to work is that you go to Microsoft, you say you want
to enroll in this application, and once you've authenticated and kind of agree, consented to the
application, to give the necessary kind of key material back to the Azure CLI, your browser then
makes a callback to localhost. And in the normal flow, the Microsoft authentication libraries
that you would use for this, spin up a listener to catch that particular request.
and then that gives it the necessary key material to go off
and issue a longer term token for access to your account
with the Azure CLI.
If you don't have Azure CLI,
and it didn't initiate this request,
there is, of course, no listener on localhost.
And so in the attack, the browser triggers this process.
Your browser gets redirected to localhost,
and of course localhost isn't there,
and you get an error from your browser
that says, you know, error 404 or page not found or whatever else.
The attackers convince the victim to copy paste the URL of this error message,
which contains the key material in a GET parameter, and give it to the attacker.
And so it's kind of similar to ClickFix in that you're social engineering the user
that you've got a problem and to fix it, you need to copy paste this particular piece of information,
and then the attackers can use this to register the Azure CLI app into your account
from their machine.
So then they've got a long-term access token and they can make Azure CLI requests into whatever endpoint at Microsoft that is.
And that's functionally equivalent to giving them your whole Microsoft 365 account
in terms of what it can do, which makes the attacker very happy.
And it's a really fun kind of little trick.
And I don't know why it wouldn't work.
And indeed, according to Push, you know, they've seen it being used in the wild.
So clearly it does.
Yeah.
So I think basically the way this went down is they saw some weird behavior.
targeting one of their customers and started, you know, stepping it back and wound up with a DAFUQ
kind of moment looking at this stuff. And then they, it was a little bit to unpack too,
because the attackers here were using compromised websites, right? They would add some JavaScript
to compromised websites that would pop up this fake Cloudflare Turnstile that asked for your email
address. And if you weren't one of the whitelisted domains that they were targeting,
you would never see the payload again, right?
So whoever was doing this was actually doing it in a way to try to avoid detection.
It didn't work in this case.
But I mean, it's just like, I love this, right?
You're getting people to cut and paste a localhost URL to complete a made-up login process,
which seems like a weird thing to a typical user.
I'm going to imagine it seems like a weird thing to a typical user.
But, you know, even one that's like maybe a little bit,
computer-minded wouldn't necessarily think that giving up a URL, you know, oh, if there's a
problem, if it's showing you an error, just copy that URL and paste it here.
Like, that might actually make sense to them, right?
So, and then from there, yeah, you could use that keymat from wherever in the world just
to have that command line access into that user account.
And if that user account is privileged, I'd imagine there's quite a lot you can do that, right?
Yeah, I mean, if you land on a privileged account, like an Azure privileged account,
then, oh boy, yeah, you're in for a great time because that's equivalent to access to their
account and onwards the great victory. And the normal controls that people would have in place around
this. Because by comparison to regular OAuth consent phishing, the attacker creates a malicious
OAuth app, which redirects back to the attacker. And that OAuth app has to be authorised into the
account to start with by the administrator, because we went from anyone can add any OAuth
app whatsoever to their Microsoft world to now these days, because of that OAuth consent phishing,
most places have admin controls over what OAuth apps are going to be permitted.
But in this case, Microsoft has provided the sort of malicious app in this scenario.
Yeah.
And it's pre-approved and its redirect behavior during the auth just happens to be a thing that the attacker has figured out a way to leverage.
Now, if the attacker was in a position to catch that localhost request some other way,
you know, other malware or there was a piece of enterprise crapware that happens to have advantageous behavior
for the attacker. Maybe there are other avenues to go down this road. But like just straight
up socialing the user to do it, honestly, makes a lot of sense. And, you know, my hat is off.
Your FIDO keys aren't going to do anything to stop this as well. I mean, that's the thing that I find
most interesting here is that you would think, okay, well, we got phishing-resistant MFA. We're good.
No. No. In fact, we know we're not good. Yeah, we're definitely not good. That's the great thing, right?
That now that we're making phishing kind of a much less... like phishing for credentials a much less straightforward thing,
attackers are forced to do some actual novel research now.
And I'm totally here for novel research.
And this is, you know, it's just great lateral thinking.
I love it.
Yeah, life finds a way, as they say.
So, yeah, we've linked through the write-ups there.
But I'm like, this Azure CLI thing, I'm looking at it, I'm like, this is like cloud bash? Like, what is this?
It's like, yeah. Oh man, cloud bash. What a world.
Oh, now look, let's have a quick chat about all of the goings on in the United States when it comes to trying to find people to run NSA, both the head of NSA, director NSA, and deputy director. Laura Loomer keeps getting in the way of this process, man. And it's, I mean, it's both serious and kind of funny. I mean, it's just like you, you kind of do have to laugh about this,
right? Because we had this situation where Tim Haugh and Deputy, I can't remember her name,
got canned because they were part of the deep state or something, according to Laura Loomer,
who claims it, yeah, you know, I got them canned. And now there's been people in the acting
jobs ever since. Then there was a number two that got announced for the job, but Loomer
decided she didn't like him either. This is for the deputy director position. So this is Joe
Francescon, who was announced in August as the next deputy NSA director. Then we've got a report
here from The Record that said the administration was going to name Tim Kosiba, who formerly
held senior roles at NSA and FBI. But then Laura Loomer has taken to X to talk about how The Record
story is wrong and there's no way this guy is going to get the job because he's...
he's too cozy with the deep state Trump-hating Democrats, right?
And then when you look at what she describes as her receipts of this guy's disloyalty to Trump,
it's stuff like him wishing Tim Haugh all the best after he's left NSA on LinkedIn.
You know, this is the scandalous content that apparently disqualifies him from a senior position under the Trump admin.
I mean, platitudes on LinkedIn.
That's all it takes apparently, yeah.
It's just bonkers. It's absolutely bonkers. And, you know, how long into this administration are we? And there's still no one, you know, at the head of America's, you know, cyber and spy agency. Like, it's just, you know, at a time when this is really quite important. And yet here we are, you know, because this guy said nice things on LinkedIn. Like, it's just, I mean, either of these guys, right, have said nice things on LinkedIn or, you know, did something to, you know, offend her delicate sensibilities.
I don't think she has delicate sensibilities.
I think she has spiky, nasty sensibilities, actually, mate.
But meanwhile, apparently that's the deputy director position.
Apparently there is someone in the frame for the director position,
which is going to be this guy, Army Lieutenant General Joshua Rudd,
who is the deputy chief of the US Indo-Pacific Command.
but it doesn't look like he has actually any experience in cyber.
Now, I'm not sure how much that necessarily matters
when the director job really is, you know, as I understand it,
you're sort of managing upwards to Congress and whatnot,
and it's a big organization, and it's running it like any other big organization.
I think the deputy director role, as I understand it,
is much more about, you know, managing down into the organization.
But you do wonder on what, like, what the criteria were
in selecting this guy who obviously I know absolutely nothing about.
We've got a great quote in here from Senator Mark Warner
who said that he looks forward to, where is it?
I got the quote here.
Looks forward to evaluating his qualifications
to lead the NSA and US Cyber Command
at a moment of unprecedented cyber and national security threats.
That was Senator Mark Warner.
So, you know, just, yeah, it's a bit of a clown show over there right now.
Such a clown show.
I feel bad for clowns even.
You know, that's how bad it is over there.
What a mess.
And meanwhile, there's a story going around in Bloomberg
that says that the soon-to-be-released cybersecurity strategy
is going to outline a bunch of ways
in which the private sector is going to do offensive cyber.
I'd be a little bit cautious about accepting that story as fact.
It hasn't stopped everyone from talking about it an awful lot.
it's been social media fodder over the last few days, big time.
And we do know that the admin over there has been kicking around ideas
about getting private companies involved in those sort of activities.
But I think we should wait for the strategy to actually be released
before we start talking about it as if this is in it.
Yeah, that seems pretty reasonable.
I mean, Bloomberg's track record has not been super spectacular
when they are, of course, responsible for that grain of rice,
Chinese backdoor story back in the day as well.
So yeah, not always the most reliable source.
Yeah, so let's just see how that happens.
Now, this one's fun.
This one is fun because we are not sure what to make of it.
There has been some sort of cyber attack,
maybe a wiper attack, maybe a ransomware attack
against the Venezuelan state oil firm PDV,
which has, depending on who you listen to,
has been contained or has ground their operations down to a halt.
Now, the obvious question here is,
the Venezuelans are blaming the Americans
and saying it's an attack from Americans.
But, you know, you sort of get the impression
they would say that anyway, right?
Even if it was an attack from a Russian ransomware crew
or a bunch of pro-democracy activists,
they're always going to blame the Americans
because it suits their political interests.
But in this case, you kind of do wonder if it was the Americans.
You do kind of wonder,
I mean, given the situation, you know,
the relationship between Venezuela and the US at the moment,
you do kind of wonder,
and you could totally imagine the American administration
deciding to add some cyber to the mix,
and oil is super important for Venezuela's economy.
So, like, doing it under the cover of a ransomware operation,
also a totally, you know, a thing that could happen.
Seems believable.
But, yeah, it also absolutely could just be regular common garden.
Everyone gets ransomware, like, this is just normal,
having computers on the internet kind of thing.
we just don't know.
But it does, I mean, it feels Trumpy, right?
It feels Trumpy.
It smells Trumpy, I agree.
I agree, it smells like it.
I mean, it is kind of the cyber equivalent
of blowing up a speedboat.
You know what I mean?
I mean, they seized an oil tanker, right?
So we did see some reporting, I think it was what in Reuters,
that were reporting that are like a bunch of oil tankers
that ship oil for.
this organization have either gone dark on their tracking, like turned it off,
or have, like, tankers that are inbound to pick up cargoes have turned around because of the
uncertainty. So, you know, if the intent was to disrupt oil exports out of Venezuela, you know,
depending on the reporting you read, like plausibly mission accomplished.
So, yeah, it's just, it smells.
Well, and all of these things, yeah, all of these things taken together, right, with the tanker
seizure and this, you would sort of think, you know, it does, it does.
It does feel a little bit more than a coincidence, you would think.
Yeah, you kind of do.
But, you know, it absolutely also could just be, it could just be ransom here.
You know, we don't know.
We don't know.
What is it?
Sometimes it's just a chocolate bar, right?
Yeah, exactly.
Now, let's contrast that operation, which may or may not be, you know, a US cyber operation.
Let's contrast that to what the Russians have been up to.
And man, flinging money at hacktivists, right?
Fling and money towards hacktivists to just randomly pop shells and try to wreak havoc.
And not really doing anything except annoying people.
And now we've got someone, what's this, Ukrainian national, Victoria Eduardovna Dubranova,
33 years old, also known as Vika, Tori, and Sova Sonia.
she has been extradited to the United States
and is facing up to 99 years in prison
for her role in a bunch of this activity
but it's when you read this activity
that you just think
why is the Russian state
giving money to this group to do this sort of stuff
like what is even the point of it?
Yeah no you really do end up wondering that
because I mean some of the examples of attacks
this lot have carried out
I mean some of it's denial of service stuff
some of it's breaking into things
And we've seen, like, initially you see reports that are like, you know, broken to water treatment facilities and adjusted chlorine levels in a children's water park and, you know, things that sound, you know, opportunistic but serious.
And then when you start to see some more of the details, some are detailed in this indictment, it's something like, you know, attacking a car wash in Florida or, you know, attacking.
I think it turned out that the children's water park in the Netherlands
turned out to be a fountain, you know,
like not exactly like chlorinated pools that might poison children,
no, it's like it's a fountain.
They adjusted the water level in a fountain.
Birds drinking from that fountain may have felt under the weather briefly, though.
Yeah, they may have had to go further down into the pond to get their water.
So like it's just, it's kind of rubbish.
I mean, I guess they must have done some things that did cause genuine inconvenience, but, you know, as a state-funded, because I mean, the allegation is that these groups
are being funded by the GRU, Russian military intelligence. But yeah, as a tool of state power,
I don't feel that, you know, particularly overwhelmed by it.
Well, dude, in November 2024, they attacked a meat processing facility in Los Angeles and
spoiled thousands of pounds of meat and caused an ammonia leak at the facility.
Well, I mean, that's at least a little more serious than the children's fountain, but yeah, like, this is not, this is not the cyber war we were promised. And I know, like, over on Between Two Nerds, Tom and the Grugq are often talking about how, you know, cyber really is not actually very effective at, you know, expressing state power, and this is a great example of it just being total trash.
Yeah, and I'd highly recommend too, funnily enough, I think some of the best coverage of this has come from the vx-underground Twitter feed, where they wrote up a bunch of details on the indictment when it first landed.
And what did they say?
Like looking at the guy's car wash got messed with.
Like they messed with his car wash settings in Florida.
You just think what?
Now look, too, also speaking about between two nerds, this week's episode is a must listen.
in my mind.
It was actually labelled Between Three Nerds.
So that's Tom Uren, our colleague, the Grugq,
and a guy called Hamid Kashfi,
who is talking about the evolution of Iranian APT groups.
And not only is it a very interesting conversation,
it's also quite funny.
So I would recommend that people check that out.
I know you've enjoyed that one as well.
Yeah, yeah.
I definitely enjoyed watching that one.
I watched the YouTube version.
It's just a funny.
It's a funny episode.
but also like legitimately educational.
Like I learned a bunch about, you know,
Iranian cyber activity.
Definitely worth it.
I mean, it starts off with the wonderful knowledge
that quite often some of these Iranian APT crews
love to get detected and love to make headlines
because it's actually really good for them internally.
It gets them noticed by the bosses, right?
And getting doxxed and stuff, like, fantastic.
You know, you're notorious.
Like, whoops, did I accidentally just expose my IP?
Oh, no.
But look, you know, there's,
There's a whole bunch more Russian activity to talk about this week.
The German parliament got DDoSed during a visit from Vladimir Zelensky.
You know, and you just sort of think, again, what's the point of this?
Yeah, yeah, exactly.
It's not particularly clear.
It looks like maybe their email systems had some outage.
There was some local reporting that suggested that maybe it wasn't cyber.
Maybe it was just regular common garden incompetence,
which, you know, it can be a little hard to tell these days.
But, yeah, we did see the Germans,
what was it, summoning the Russian ambassador
to protest about Russian attacks on the companies
behind air traffic control in Germany.
So there is definitely a focus,
and having Zelensky there, you know,
walking around and having photo ops with German politicians,
I cannot imagine made the Russians happy,
and it would be entirely believable for them to go throw a DDoS,
you know, as a petulant punishment for that.
Yeah, have a little tanty.
basically. Now, we got one here from Krebs on Security, which says that most parked domains
are now serving malicious content. Now, what does he mean by malicious content? Because that's a pretty
broad brush. Yeah, so there's all sorts of things there. There's things that are trying to drop
scareware on you, things that are sending you onwards to, you know, more sophisticated
attacks, browser exploitation and things.
Some of the things we've seen that he writes up here are, you know,
often these ads or content on these sites will send you off through a bunch of redirectors
that are going to kind of assess your interest.
The level of interest the attacker is having in you, and then send you to different kind
of grades of attack or, you know, scams or malware or whatever else,
depending on how interesting that you are.
So that's a, you know, kind of makes sense, I suppose.
The thing that stood out to me in this story, though, was something like, according to research from Infoblox, 90% of visits to a parked domain is going to end up in some kind of nasty content.
But that varies wildly depending on whether you come from a residential IP address or not.
If you're coming from a VPN or the sort of cloud service where like a scanning operator might be running out of, you tend to get redirected to much more benign content.
So that kind of shows a degree of sophistication there.
There was one other point, though, that Brian made,
which was that the quality of, like, the maliciousness of content on parked sites
got significantly worse early this year when Google turned off default targeting of Google AdWords.
So like Google's AdSense platform used to serve ad content on parked domains by default,
they turned it off and now it's opt-in only.
and that has meant that there's way less advertising there.
So it's much cheaper for people to go and put on, you know,
more malicious content, lower quality advertising, that kind of thing.
So like by those things combined,
parked domains have become, you know, a much, even more of a cesspool than they already were.
So, I mean, you could, you know, bit flip,
a cosmic ray could hit your computer, bit flip you,
you wind up on the wrong domain, it's parked, and wham-o.
Yeah, yeah, basically, yeah, that's a great time.
and good reminder to make sure you patch your browser
because yeah, drive by from just a typo,
not really what you want.
No, not a good time.
Now what do we got here?
Oh, yes, perverts everywhere.
Repent because Pornhub, apparently a third party,
supplier to Pornhub got owned
and a whole bunch of data on their premium members
got leaked and this includes stuff like their search history
and I'm guessing if you're the sort of person who pays for a Pornhub subscription,
it's going to be a pretty exotic sort of collection of keywords.
You would think that you probably don't want associated with your email address.
I mean, this is, I saw someone on Twitter described this as the Ashley Madison hack,
but for Zoomers, which I think is probably about right.
But I mean, this is bad.
You know, this is really bad.
Yeah, so this is ShinyHunters.
ShinyHunters breached Mixpanel, which is a third-party data analytics provider, and Pornhub apparently
was one of their customers.
Pornhub actually came out and said that they stopped using Mixpanel back in 2021, and so therefore
the data is probably a few years out of date.
On the other hand, Mixpanel have said that the Pornhub data didn't come from them, and it
must have come from somewhere else.
So it was a bit of like, you know, he said she said back and forth between the two, but
The net result seems to be that ShinyHunters have the data, they're attempting to ransom
Pornhub to pay them to not release it.
They have shared some of it with BleepingComputer to kind of prove its provenance and
so on.
And BleepingComputer seems convinced that it is in fact the genuine article.
And yeah, watch histories and search histories or search terms is probably, as you say,
not a thing that a premium user, a user of Pornhub, probably wants out there.
And I feel like Pornhub's not going to pay ShinyHunters,
and this data's going to come out.
Even if they did pay, ShinyHunters will probably release it for the lulz anyway.
So, yeah, probably not a great time to be a premium subscriber.
Although Pornhub is, you know, trying to say that it's, you know, a subset of customers.
And so on all the usual sorts of things that you get from people who've had the data stolen.
Yeah.
You know, it's, it's, this one is a bit worrying, I think.
Do you know what I mean?
Because it is the sort of thing where, you know, you might.
be exposing somebody's sexuality in that data set that, you know, they might be in the closet
or something like, like it's got a lot of potential to cause people serious distress, right?
So I'm making jokes about it at the start, but, you know, just like the Ashley Madison data
leak, there were suicides linked to that.
You sort of wonder if the same thing could happen here.
So I think this could become, depending on how it plays out, it could be, you know, a leak with
those sort of real world impacts.
And the two others that I think of are Ashley Madison and then the Vastaamo, you know,
psychotherapy clinic's
data set release. You know, people shouldn't touch this sort of stuff. It's dangerous.
Yeah, I mean, the potential for consequences, like real world, actual consequences,
you know, are pretty significant. And yeah, it's not, it's not, you know,
it doesn't, it doesn't feel good to have your data stolen at the best times, but even worse,
when it's, you know, kind of private or intimate or sensitive like this.
Yeah. So I kid the perverts, but also, you know, this is, this is a serious
incident, and let's hope it just goes away and it's just they said, we didn't really have the data,
we only had what we gave to Bleeping Computer, and the whole thing's just a laugh at the end. That
would be great. Now we got this absolutely wild piece here, man. Holy dooley, this former employee
of Accenture, Danielle Helmer, 53, of Chantilly, Virginia, she's being targeted with, like, what is it,
like wire fraud and stuff for basically lying to the US federal government about whether or not a,
lying about a product being sort of FedRAMP compliant when it wasn't.
And you just sort of think, which salesperson doesn't lie about their FedRAMP compliance?
And she's facing, like, 20 years in prison.
This is a crazy indictment. I mean, like, we love to see the wicked punished,
but I got to be honest, I'm reading this and my jaw hit the floor.
Your reaction was similar, wasn't it?
Yeah, exactly.
I mean, how many salespeople, you know, only tell the full truth, you know, and don't exaggerate or leave things out or whatever else.
Like, it's just, it's wild.
And, yeah, the charges really stack up.
I mean, there's some for wire fraud, there's some for government fraud.
There's some counts of, like, obstruction of federal audit.
Apparently, at some point, she was involved in, like, you know, obstructing some auditors that were attempting to look at the products or services that they were selling.
Like, it's pretty wild.
And, you know, if she ends up going down for this, like, you know,
remember how much we talked about, like, you know, the chilling effect of, you know,
on CISOs of, you know, the SEC or whatever it was a while ago back,
like, was it the Uber guy or the, was one of the Joe Sullivan, yeah.
Joe Sullivan, yes.
Like, imagine there was so much like, oh, the chilling effect that's going to have on CISOs
and blah, blah, blah, blah.
Like, this is going to have a chilling effect.
Like, if you're going down for 30-year federal
charges for lying about FedRAMP compliance.
Like, yeah, that's a real chilling effect right there.
Sales are going to crawl into a hole.
No one's going to be getting their bonuses.
How quickly can we engineer, how quickly can we engineer an on-prem version of our
solution is the takeaway question from this one?
Because honestly, like, that is an easy, like, unless you have to do FedRAMP, you don't
want to do FedRAMP.
And that is the easiest way around that is just like, oh, we got an on-prem thing.
We stick it in a container.
You don't need to worry about FedRAMP.
because it's a shocker.
Like it's a horrible process to go through.
And, you know, I don't recommend lying about it and,
and concealing things from the auditors here.
It did, it did remind me a little bit of the Joe Sullivan thing, actually,
now that you mention it, because, you know,
I think one of the key allegations here is that they were actively concealing and lying
and, you know, ducking and weaving,
which were some of the allegations against Sullivan too at the time.
Well, I guess his was more, no, they did allege that he concealed stuff.
But I think his was more gray area like fail to report sort of thing.
Anyway, that one's all over.
Let's not reopen that one.
We've got some good news here, which is Microsoft is finally killing RC4.
Yes.
So, well, I mean, killing is a strong word, I suppose.
They are disabling by default the use of RC4 in Windows Active Directory,
and in particular as a response to it being kind of a key part of the Kerberoast attack flow,
where you can steal credentials as any domain user.
And yeah, they've been trying to kill this off for a long time
because, you know, having to use RC4 in a world where we've got AES support,
have had AES support since Windows, I think 2003, Windows Server 2003 is where they,
is the system where that only support of the RC4,
so things of that vintage, it's like, it's been a while.
And Microsoft has been working hard to try and make it go away.
The main reason it's stuck around is that some third-party implementations, things that interop with Active Directory, don't particularly work well, plus, you know, old versions of Windows.
But yes, Microsoft's going to turn it off by default.
If you want to keep using it, you can, but, you know, kind of adds your own risk.
Microsoft's also introduced some better logging so that you can discover clients in your environment that don't support RC4, or, sorry, that don't support AES, or have it misconfigured for some reason so that it can't,
to try and help you figure out the little bits of edge cases.
They're also asking for details of any third-party solutions that only work with RC4.
So they've done the work, you know, and I guess some Windows admins next year,
when they start to roll out this change,
we'll discover what things no longer work in their environment with RC4.
That's right.
Now we're going to talk about my absolute favorite story of the week.
This is our skateboarding dog.
It is our final news story of the week, Adam.
Very, very funny.
Very, very good.
We love kicking F-5 when they're down.
You're thinking about all of the problems with F-5,
and you think, well, why don't you go to a competing technology, right?
And one of the competing technologies there comes from Traefik, T-R-A-E-F-I-K.
Traefik does cloud-native reverse proxies and ingress controllers.
It's got 60,000 GitHub stars,
three billion downloads that can do all your SSL termination
and, you know, T-L-S termination.
all of that good stuff.
But their ingress controller for Kubernetes
has a bug in it that is just so funny.
Like it is so funny.
Please walk a set.
Like this is a pure, proper comedy bug.
I mean, I don't think anyone's actually exploited this in the wild,
but like it's just so funny.
It's comedy, yes.
So if you're using Traefik in your Kubernetes environment
and you were migrating from using NGINX
in the same role,
the thing that parses your NGINX config
and then generates appropriate Traefik config to replace it
had a little bit of a boo-boo.
And the boo-boo was when you had a setting
in your NGINX version which said,
hey, I'd really quite like to verify
that the SSL certificates involved are valid.
It would translate that into a new configuration,
which was the opposite.
Please do not verify any TLS certificates.
And so this has been about six months that the setting has been reversed
where certificate validation on
ended up with certificate validation equals off.
So that's a little bit awkward.
And as you say, in the modern world,
relying on TLS certificate verification is pretty important
and having that setting just be backwards for six months
and no one noticed.
It's pretty funny.
It's pretty funny.
Yeah, well, someone did notice,
but they were using some sort of automated, like, code scanning tool
or something and just throwing it at various code bases, and that's how this got found, which I think is
kind of a win, right? Yeah, this is one of these, it's a firm that's, like, doing a bunch of AI stuff, and
indeed their write-up feels very written by an LLM. Like, there's some stuff that just, like,
has that LLM sniff to it, but the bug's legit. So regardless of how they found it, whether it was
humans, whether it was computers, whether it was both, we are still laughing at a very real bug. So,
yeah, good work. Yeah, that's right. By off we mean on,
and by on we mean off. Just, like, total inversion.
Now look, just before we wrap it up,
that's actually it for the week's news,
but before we wrap it up,
I just want to send a special shout out
to a friend of the show, Mr. Dylan O'Donnell.
Dylan helped, he's a friend of mine from my local area.
You know, we often, I think I've mentioned on the show
once before that I go and get dinner
with a bunch of friends once a week.
We all eat a steak.
You know, he's one of my steak buddies.
He also did the CSS for the risky business website
when we relaunched a while ago.
So, you know, we took the design,
and Dylan was one of the people who,
Dylan and you basically developed our new website,
and he got added into our Slack.
And like when that project was done,
we didn't get rid of him.
So he's sort of like, he's sort of like risky business,
risky verse auxiliary and a good mate,
really good friend of mine.
And Dylan was just diagnosed with esophageal cancer, unfortunately,
and he's beginning chemo this week.
And Dylan, I know you listen to the show,
mate and just wanted to wish you all the best with that.
And some people might know his name because he actually operates a very popular astronomy
YouTube channel with, you know, I think over 50,000 subscribers.
He's got his jumbo telescope in his dome in his backyard and takes some pretty amazing photos.
So, Dylan, we're all thinking of you, mate.
And, you know, let's hope that chemo just goes in and nukes those little things in you.
And, you know, that'll be a good result.
But Adam, that is it for the week's news.
That is it for risky business for 2025.
Mate, thank you so much for everything over the whole year.
It's been a lot of fun.
We've had so much fun this year.
And I think next year is going to be even better, mate.
So thanks again, and I'll catch you in 2026.
Yeah, thanks much, Pat.
We're going into, what, the 20th year for you next year?
That's a hell of a hell of a lot of risky business.
And I'm looking forward to coming back.
20 years.
All of this, 20 years, all of this again next year.
Thanks for once, Pat.
That was Adam Boileau there with the check of the week's security news.
Big thanks to him for that.
It is time for this week's sponsor interview now with Josh Kamdjou,
who is the chief executive and co-founder of Sublime Security,
which is an email security company.
So they've got a really cool email security platform.
It's very AI heavy these days, but not in a dumb way.
It works actually quite well because they actually built a product that just happened to be well-suited
to have AI bolted onto it later.
But we're not talking about AI in this interview.
What we're talking about is phishing crews are going absolutely wild with trying to spam people with calendar invitations,
mostly ICS format, getting these calendar invitations into people's calendars
so that with phone numbers in them saying call this number,
and then the targets will actually ring the number and get talked through installing malicious software onto their systems,
and then the attackers get access from there.
Now, the reason this is interesting from an email security provider point of view is twofold, right?
First of all, sometimes that email will come in.
It gets detected and removed from the inbox, but the calendar entry doesn't, right?
So sublime have had to work out new features for their platform where they can actually reach in and remove these calendar entries.
So you hear Josh talk about that.
And the other thing that's interesting is that between two tenants in the same provider, like Gmail to Gmail,
or O365 to O365, you can actually do calendar invitations without involving email at all
through various mysterious undocumented APIs, as is the way in 2025.
So, yeah, there's a bunch of interesting stuff to talk about here.
So here is Josh Kamdjou talking about how the bad guys are using ICS phishing.
Enjoy.
What we're seeing most by volume is what we call callback phishing, or some folks call it TOADs,
which stands for telephone-oriented attack delivery.
That's a hell of a backronym.
I mean, you know, hat tip to whoever came up with that one.
That is.
Which if you, everyone has seen these.
Like the traditional one is the Norton, your Norton antivirus has expired.
And you need to call this number to, you need to call the help desk or customer support
in order to renew your antivirus.
you know, like there's lots of different themes, but that's the general, that's a general
attack delivery mechanism. It's a phone number that the end user calls, which is quite clever
because they end up getting on the phone with a scammer and they direct them to go and
download. Usually it's malware, is what they have them go download. It's like a rat. Sometimes
it's like legitimate remote software tooling that's help desk,
IT will use, but then they do lots of nefarious things once they get access. So it's less about,
like, give us your credit card number to renew your subscription and more about like, yeah,
download this tool and then onwards they go from there. Yes, yes. Yeah, that's generally the
intent behind callback phishing. And we, and that's not a new attack type. It's been happening for
years and we've got lots of, lots of, we've written a lot about that on our blog and whatnot.
So that's by volume what we see the most in terms of what they're trying to deliver. But the
second most is what you alluded to, which is credential phishing attacks. So there is a,
there's a link that it is a link embedded in the calendar invite that will take them to a credential
phishing page and it'll try and steal your Microsoft credentials or whatever credentials they
might be interested in. Now, you mentioned that, you know, most of these ICS invites,
they turn up via email. And you're going to see them, but you're an API-based
product. Most of the time you're deployed as an API-based product. So you'll see it after it's delivered
and go, whoop, remove that from the inbox. But then there was this issue where, well, because you didn't
stop it from actually hitting the inbox, it's created that calendar event. And as an email provider,
like previously, you couldn't actually then go and remove that bad calendar invite. I mean, it appears in the
calendar. It's not accepted, but it's there. I mean, we've all seen how that works. So now you've actually
had to go and develop a feature to go and remove those invites from people's calendars, right?
It's actually an issue that's plagued. The reason this has become such a talked about topic
recently is that it impacted both API solutions and email gateways because there's multiple ways
of delivering calendar invites onto the calendar. Well, I was going to go there next, right?
Which is that, you know, through this, like if you're inviting, if you're inviting someone
who's a Microsoft user from another Microsoft tenant, you could do that without email.
That's right. That's right. Is that how most people are doing it, or is most of it coming still via
email? We're seeing the vast majority is coming, includes an email because it actually gives them
two opportunities to deliver the attack. One, like to get the user to engage. It's you get,
it's basically like two attacks and one. If they miss the, if the user doesn't read the email,
then maybe they'll read the calendar invite.
And so what we built was a way to actually access the calendar and remediate the attacks on the calendar.
So we released this a couple weeks ago.
And we were always able to detect and block the attack in the inbox.
But no email solution has had any access to remediating events on the calendar,
which is why it's become such a big problem.
So we built that integration.
And now we can do both.
So we can clean those up as well.
Yeah.
So my question, my next question is really about like,
what are you doing about the ones that are delivered without email?
Are you actually in a position to detect those as well now because you've built this integration?
Or are they still a bit of a blind spot for solutions like yours?
So those are the toughest ones right now because the way that the email provides,
provider. It happens all within, there's like some protocol that, uh, that is, it's not public. It's all
happens internally within Google or Microsoft. Yeah, it all happens in the background. It's not,
there's no SMTP involved. Exactly. It's just like magically a calendar invite arrives out of the
ether, right? Yes. Yeah, exactly. So there's a couple of things with both of these attacks,
the easiest, like the most straightforward solution, obviously there's tradeoffs to this, is that you can change your
default settings for calendar invite for how your email provider actually adds invites to your calendar.
So in Google and Microsoft, there is a setting which by default defaults to and on is that any
recipient, even if you've never spoken to them before, can send you an invite and get it
auto added to the calendar. And so in Google, you actually have some amount of fine
control over this where there's a couple different settings. You can say, one, if it's an untrusted
sender is what they call it, which is someone you've never communicated before, or you could
just not allow it at all, and then you have to accept the invite. So if you've got that setting
turned off, then the email provider will actually force an email to be sent. Okay, which is what they
should be doing in the first place. Which is how it should have. Yeah, yeah. Exactly. So when you,
when you turn that off, it will actually force an email to actually arrive in the inbox. So it's not
like you're, you're going to get people trying to send you a calendar invite through this non-SMTP
mechanism and it will just disappear. It won't work. It won't work or it will generate an email and
that's how the invite gets sent. It generates an email. Yeah, exactly. Okay, okay, cool. Yeah,
yeah. It forces the, it forces the attacker to actually send an email in,
in that case. Yeah. I mean, it's it's less good though, right? Because when I think about how my calendar
flows work, you know what I mean? Like, I like to be able to see those like grade out appointments on
my calendar and go, oh, what's this? Oh, I haven't accepted that. Click okay, right? That's the,
that's the big tradeoff and why a lot of our customers have not actually changed that setting is
because it's an impact to productivity. It really is and convenience and all these things. And so
there is real impact to the end user experience, which is a legitimate consideration, right?
And so...
I mean, the obvious solution here is for the email providers when they add something to a calendar
through this non-SMTP method to generate an email anyway.
Yes, yes.
That makes detection and prevention much easier.
The other thing that we're doing for...
Really, this is more so for the broader community, is that we're building...
We're open sourcing a playbook, basically.
It's going to be like a series of, like, API integrations so that you can, even if you're not using Sublime.
And, you know, we've got, Sublime runs, you can run, Sublime Core is free for the community.
But, you know, even for some organizations, like, it's hard to get approval for that.
So what we're doing is making a, because it's such a problem right now, we're building and open sourcing a tool
to allow teams to be able to remediate calendar invites in either scenario.
So, like, even if you've got, whether it's email delivered or not, and whether you're using
Sublime or not.
So how are you actually determining whether or not a calendar invite is malicious if it didn't
generate an email, like if it just appeared on someone's calendar?
So if it's just appearing on the calendar, then what you would have to do is you basically take
that you take the ICS, basically the format of the calendar invite, and the simplest thing that we
could do is turn that into like a mock email and then pass it through our detection pipeline
that's like, and then be able to analyze it. And that'll have a look at the URLs and whatever
and give you a, yeah, yeah. Yeah, but for IR teams that are just, because a lot of the pain right
now is actually just, there's, there's a lot of attacks getting through that they have no ability
to actually go and clean up.
It's very difficult to go and clean up.
And a lot of times you actually know
what you need to go and clean up.
So this, what we're open sourcing,
you can just like give it a message ID
or you tell it where to go
and it'll go and clean it up for everyone.
So yeah, that we're, that should be coming soon.
But the thing that we built and released within the platform
is actually really slick because there's nothing
that you have to do is you just,
all just automatically. If we detect an attack, we will automatically go and also clean up the
calendar invite. There's nothing more that you have to do. Yeah, it's just those ones that are not
generating emails that are still going to be a problem, right? Yeah, yeah. And so we're cooking up
some things there as well as a harder, harder problem with less visibility, but we're working
on some things for the things that are only living on the calendar as well. Yeah. So talk to me about
the scale of this though, because you shared a graph with me recently about like how much of this
ICS phishing is happening and it is absolutely insane. It's like you said, it reminds you of when a
couple of years ago QR code phishing became the big hot thing. This is like the new QR code thing,
right? Like give us an indication of the volumes involved here. Yes. So we have seen at this point,
it's over 100x increase in volume in ICS phishing. And it's very similar to you. And the, the
key thing, similar to QR code phishing, QR code phishing was not a new thing when we initially started to see it again and we started to see the uptick and it started to cause a lot of problems.
ICS phishing is not a new technique. It has existed for years and years. So what I anticipate has happened is that it's made its way into commoditized tools like phishing-as-a-service kits and whatnot.
It's along the same lines as we're talking about the Anthropic report and how it's only a matter of time before more and more of these make it into commoditized services that you can just buy as a random criminal Joe off the street and not have to build and innovate yourself.
Yeah, and we'd have to say too, one of the powerful things about Sublime is that it is a very flexible platform which allows you to quickly and rapidly respond
to big trends like this, which has been a bit of a challenge for some of the commodity providers.
That is one of this, like, the fundamental thesis of Sublime is that the threat landscape is going
to continue to rapidly evolve and you'll see new techniques and you'll see more and more
attacks at higher speed and velocity and scale and sophistication. And you have to be able to
adapt rapidly, whether it's be able to, um, like re-educate the agents that you have making decisions
or the core of the detection pipeline or these things. It's, it's how we built Sublime to be able
to adapt to the moving threat landscape. Yeah. And as I mentioned, of the intro there,
Sublime has absolutely gone berserk. I think you've gone from like 10 or 20 staff when you first
started out with us to like 200 now. You've just closed a $150
million Series C, so, yes, it seems to be an approach that is being validated.
Josh Kamdjou, thank you so much for joining me to talk about that. Very interesting stuff.
Thanks, Pat. That was Josh Kamdjou from Sublime Security there. Big thanks to him for that, and
big thanks to Sublime Security for being a Risky Business sponsor. And that is it for the show
for 2025. I do hope you enjoyed it. I do hope you enjoyed listening to it as much as we
enjoyed putting it together for you.
Big thanks to the entire Risky Business crew.
So we got Tom Uren,
Catalin Cimpanu, Adam Boileau, Amberleigh Jack,
Tieran Ferrier, Claire Aird, just everyone.
You know, absolutely, absolutely terrific work from all of you.
And, yeah, looking forward to working with you all again through 2026.
And, yeah, thanks for listening, everybody.
Cheers.
