VYPR
Trend · Published Dec 17, 2025 · Updated May 18, 2026 · 1 source

Risky Business #819: Venezuela Blames US for PDVSA Wiper Attack, React2Shell, and More

The final Risky Business show of 2025 covers Venezuela's state oil firm PDVSA blaming the US for a ransomware/wiper attack, ongoing React2Shell exploitation, and Microsoft finally disabling RC4 in Active Directory Kerberos.

In the final episode of 2025, the Risky Business podcast with Patrick Gray and Adam Boileau covered a wide range of cybersecurity stories, including the controversial claim by Venezuela's state oil company PDVSA that the United States was behind a ransomware and wiper attack against its systems. The attack, which disrupted operations at the state-owned firm, has been attributed by Venezuelan officials to US cyber operations, though independent verification remains elusive. The episode also highlighted the ongoing exploitation of React2Shell vulnerabilities across multiple sectors, with attackers leveraging the flaw to compromise servers running React-based applications.

Another major topic was the combination of OAuth consent phishing with social engineering and Azure CLI, a technique that allows attackers to hijack OAuth grants and gain persistent access to cloud environments. The show noted that this attack vector is increasingly being used in targeted campaigns against Microsoft 365 tenants. Additionally, Microsoft announced it will finally disable the RC4 cipher by default in Active Directory Kerberos, closing a decades-old weakness that has been exploited in various attacks.

The episode also covered the discovery of a critical vulnerability in Traefik, a popular reverse proxy and load balancer. The flaw, tracked as CVE-2025-66491, is one in which the TLS `verify=on` setting actually disables TLS verification, leaving connections vulnerable to man-in-the-middle attacks. The show noted that this is a particularly dangerous bug because it undermines the security guarantees that administrators expect from the configuration.

Other stories discussed include the indictment of a Russian state-sponsored hacker for targeting a car wash and a fountain, as well as a suspected cyber attack on the German parliament during a visit by Ukrainian President Volodymyr Zelenskyy. The show also touched on the arrest of a senior manager for a government contractor in a cybersecurity fraud scheme, and the revelation that most parked domains are now serving malicious content.

The episode was sponsored by Sublime Security, whose CEO Josh Kamdjou discussed the growing threat of calendar invite phishing and the challenges of remediating such attacks. The Risky Business weekly show is taking a holiday break and will return on January 14, 2026, for its twentieth year.

Synthesized by Vypr AI