Security Now Episode 1070: CISA's Free Internet Scanning – Malware Disguised as a VPN
Date: March 18, 2026
Hosts: Steve Gibson & Leo Laporte
Episode Overview
This week, Steve Gibson and Leo Laporte dive into a wide range of current cybersecurity issues, with a central focus on the U.S. CISA's (Cybersecurity and Infrastructure Security Agency) free Internet vulnerability scanning services and how organizations—even small ones—can benefit. They explore new threats like malware disguised as VPN installers, alarming proxy abuses impacting home routers, industry pivots away from end-to-end encryption, as well as the evolving AI-coding landscape. Steve also gives a firsthand tour of his experience signing up for and receiving results from CISA's proactive service.
Key Discussion Points and Insights
1. Photo of the Week & Caption Contest
- [02:51] Steve shares a complex, chaotic image of a telephone pole overloaded with tangled wires and invites listeners to submit humorous captions.
- “When I was growing up, we would have called this a rat’s nest.” – Steve Gibson [13:31]
- Crowd participation: 2,191 responses from fans offering suggested captions.
- [15:44] Leo and Steve discuss how such spontaneous infrastructure chaos is symptomatic of deeper, systemic maintenance issues.
2. Major Social Platforms Retreat from Encryption
- [15:44] TikTok and Meta (Instagram) back off end-to-end encryption.
- “Meta has announced plans to discontinue support for end to end encryption for chats on Instagram after May 8, 2026.” – Steve quoting Hacker News [15:44]
- Very few actually used end-to-end encrypted Instagram DMs; Meta says use WhatsApp for that.
- Broader implication: Major platforms quietly step away from universal encryption, citing content moderation, child safety, and legal pressures.
- Steve’s take: Most ordinary users don’t care—Signal and Telegram remain options for the privacy-minded.
- “The right solution...simply not to bother with it and no one will much care.” – Steve [26:50]
- WhatsApp introduces new parent-managed accounts for preteens: settings, group controls, but message content remains private.
3. Proxy Malware: Your Bandwidth as a Cybercrime Tool
- [29:10] Home routers are being targeted by botnets to create “residential proxies”—letting attackers mask origins for criminal activities.
- Example: 'SOCKS Escort' proxy provider infiltrated 369,000+ devices, earning >€5M; takedown coordinated by FBI, Europol.
- Such services are rented to facilitate ransomware, DDoS, CSAM distribution, and more.
- Contrast with (somewhat) more above-board “consumer bandwidth proxying” via Bright Data or smart TV APIs.
- Technical discussion:
- Attackers often use malware to access router firmware, establishing persistence.
- Detection is tough for non-technical users (“You'd need Steve to come over!”).
- “The reason I pause there is that all the ways I could think of required you to know Linux.” – Steve [37:00]
- Rebooting or re-flashing routers may eliminate such malware.
Key advice [36:15]:
- Never expose external management interfaces of routers to the Internet.
- Stick to outbound connections with tools like Tailscale.
4. EU Chat Control & Legislation Update
- [45:10] EU Parliament extends “voluntary chat control”—providers may scan for CSAM, but must preserve end-to-end encryption and limit scanning to suspected cases.
- No agreement reached for mandatory or long-term surveillance.
- Restricts use of error-prone technologies like AI for detection.
- Steve sees this as a middle ground and potentially the best that can be achieved for now.
- “The good news is that saner heads prevailed... they at least didn't move anything backward.” – Steve [52:11]
5. Ransomware Negotiator as Attacker—True Crime in Cybersecurity
- [57:27] Wild story: Digital Mint, a firm brought in for ransomware negotiations, discovered their negotiator was the attacker too!
- “A 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks—and helping accomplices extort $75M—while working as a ransomware negotiator for Digital Mint.” – Steve [57:27]
- He played both sides, knew exactly how much victims would pay, and profited massively until caught.
6. CISA Orders Log Aggregation from Federal Cisco SD-WAN Devices
- [62:19] Following a critical SD-WAN bug exploited since 2023, CISA compels federal agencies to upload logs to analyze for breaches.
- Steve draws the parallel: most organizations have no idea if they're breached. CISA’s approach is to centralize and assess logs.
7. VPN Malware via SEO Poisoning (Storm-2561)
- [65:23] Sophisticated campaign:
- Fake VPN installers (Pulse, Fortinet, Ivanti) distributed via top-ranked search results and GitHub repos.
- Digitally signed with a legitimate (now revoked) certificate.
- Installer matches the real directory structure, avoids detection, and steals VPN credentials.
- “The malicious components are digitally signed…this abuse of code signing serves multiple purposes: it bypasses default Windows warnings…reduces security tool alerts... and provides false legitimacy.” – Steve [74:40]
- Bottom line: Only download VPN software and AI tools from official, first-party sources.
8. The Rise of Malicious, Sponsored AI ‘Installer’ Ads
- [81:05] Google sponsored results for “download Claude code” return malicious sites masquerading as legitimate.
- “The first sponsored result that comes up is malicious—and because Google…who would not trust this?” – Steve [81:09]
- Applies just as much to support numbers.
9. Zombie ZIP Malware: A Simple AV Bypass
- [87:56] Researcher Christopher Aziz’s “ZombieZIP” trick:
- Modifies ZIP header to store compressed data as if it were uncompressed.
- 98% of AV engines skip inspection, letting malware pass undetected.
- “50 out of 51 AV engines on VirusTotal were fooled…only Kingsoft detected it.” – Steve [88:38]
- Used for staged malware delivery; requires special loaders to unpack.
10. The State and Future of AI Coding
- [93:02+] Listener questions: Will Steve use AI to write code?
- Steve: Not yet—doesn’t trust code he hasn’t written and fully understood himself, especially for mission-critical use.
- “I judge it by whether it’s as good as I am capable of making it. That is my standard.” – Steve [104:01]
- Shared perspectives:
- [112:15] Uncle Bob Martin: AIs are stochastic, will break tests, and require heavy over-constraint (lots of tests, small units) to maintain stability.
- “AIs are stochastic…they apologize and swear they won’t do it again. But they can’t really make that promise. They are, in the end, liars and cheats.” – Uncle Bob via Steve [113:19]
- Listeners on the flip side: AI enables semi-technical people to vastly exceed their prior capabilities (e.g., integrating home automation, managing a home network, personal coding tools).
Main Topic: CISA’s Free Internet Scanning
[134:20, topic deep-dive begins]
What is It?
- CISA Cyber Hygiene Service: Proactive, free, periodic Internet scanning of the public IP addresses of U.S.-based organizations and commercial enterprises.
- Eligibility: Not just government; includes commercial, nonprofit, and “infrastructure” in a broad sense.
- Steve: “Based upon my experience, I would hazard to imagine that a great many of our U.S.-based listeners who are in charge of their own small, medium and even large enterprise networks…would be able to similarly qualify.” [135:33]
How to Enroll:
- Email: vulnerability@cisa.dhs.gov with subject: “Requesting Cyber Hygiene Services.”
- Complete sign-up via login.gov, fill out quick (not intrusive) forms with proof of control over IPs.
- Enrollment processed swiftly—Steve applied Saturday, got a reply and acceptance by Monday morning.
What Happens Next:
- CISA begins scanning immediately (unless you specify otherwise).
- Reports include urgent vulnerabilities, breakdowns by severity, known exploitation status, ransomware linkage, affected host/IP/port, etc.
- Re-scan frequency increases if issues are found (every 12 hours for criticals, weekly if clean).
- “Hosts with critical severity vulnerabilities are rescanned every 12 hours…Hosts with no vulnerabilities detected are rescanned every seven days.” [146:50]
Steve’s Hands-on Results:
- CISA found only one issue: legacy triple-DES cipher suites enabled on GRC’s web servers.
- Issue is theoretical (SWEET32—requires ~18 hours and 700GB over a single TLS connection).
- “Not a real problem…but I very much appreciate the reminder nudge from CISA.” [148:45]
- Steve promptly tweaked server settings.
- Steve received detailed PDF reports, including charts, remediation advice—replacing a $6,000/year commercial scan service (per a listener’s experience).
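Added example, not code from the show or from CISA's tooling: a Python check a server operator can run against their own endpoint to see whether it still accepts the legacy 3DES (SWEET32-affected) suites CISA flagged on GRC. The host name is a placeholder, and the live handshake assumes an OpenSSL build that still ships 3DES suites; the classification helpers work offline on constructed suite names.

```python
"""Flag SWEET32-affected (3DES, 64-bit block) TLS cipher suites and probe a
server to see whether it still negotiates one. Added example, not CISA code."""
import socket
import ssl

# Substrings found in both IANA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and
# OpenSSL (DES-CBC3-SHA) names for triple-DES suites.
TRIPLE_DES_MARKERS = ("3DES", "DES-CBC3", "DES_EDE3", "DES-EDE3")


def is_triple_des(suite_name: str) -> bool:
    """True if the suite name denotes a triple-DES (64-bit block) cipher."""
    name = suite_name.upper()
    return any(marker in name for marker in TRIPLE_DES_MARKERS)


def sweet32_exposed(accepted_suites):
    """Return the subset of a server's accepted suites that SWEET32 applies to.
    Order of the input list is preserved so reports stay stable."""
    return [suite for suite in accepted_suites if is_triple_des(suite)]


def server_accepts_3des(host: str, port: int = 443, timeout: float = 5.0):
    """Offer ONLY 3DES suites in a TLS <= 1.2 handshake (3DES has no TLS 1.3
    suites). Returns the negotiated cipher name if the server accepted one,
    or None if it refused, the network failed, or local OpenSSL lacks 3DES.
    Certificate checks are disabled on purpose: this tests cipher policy, not
    identity, and should only be pointed at hosts you administer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # "3DES" is OpenSSL's alias for all triple-DES suites; SECLEVEL=0
        # stops the local library from silently dropping them as weak.
        ctx.set_ciphers("3DES:@SECLEVEL=0")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    # Placeholder host: replace with a server you operate.
    result = server_accepts_3des("www.example.invalid")
    print("3DES accepted:", result if result else "no (or untestable here)")
```

A `None` result from the probe is ambiguous between "server refuses 3DES" and "this client cannot offer 3DES", so confirm the local OpenSSL build lists the suites before trusting a clean result.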
Key Takeaways:
- No downside: Only public IPs/services are scanned—no insider access, and all findings are things adversaries could see.
- Continuous vigilance: Unexpected exposures and misconfigurations happen, especially in complex environments or after personnel changes.
- “Why wouldn’t everyone wish to avail themselves of this entirely sane zero cost service offered by an agency of our federal government?” – Steve [134:20]
- Publicly-available code: CISA’s scanning tools are open source, on GitHub as ‘cyhy’.
Steve’s motto of the day [156:46]:
“You won’t know what might surprise you until you do.” – Steve Gibson
Notable Quotes & Moments
- “You don’t want your IP associated with all kinds of dastardly deeds on the Internet.” – Steve [35:09, on proxy attacks]
- “You love to write code—write code! Why not? …But I’m not sure I fully agree with this tweet because [with AI] code is so cheap you refactor…That’s not what happens—or shouldn’t.” – Leo [106:17, AI code debate]
- “Surprise! SciPase found the GitHub repo for all this stuff… It’s a lot of shell scripts. There’s Shell and Python.” – Leo [157:22]
- “The listener who put me on to this noted that this replaced for their insurance provider a service that they’d been paying $6,000/yr for—and that was an annual scan.” – Steve [157:48]
Timestamps for Key Segments
| Segment | Timestamp |
|---------|-----------|
| Photo of the Week + Caption Contest | 02:51 |
| Encryption Retreat by Platforms | 15:44 |
| Proxy Malware on Routers | 29:10 |
| EU Chat Control Update | 45:10 |
| Ransomware Negotiator/Attacker | 57:27 |
| CISA Cisco SDWAN Mandate | 62:19 |
| VPN Malware SEO Campaign | 65:23 |
| Fake AI Installers in Sponsored Results | 81:05 |
| Zombie ZIP Malware Trick | 87:56 |
| AI Coding Debate & Listener Letters | 93:02 – 128:23 |
| CISA Free Internet Scanning Deep Dive | 134:20 – 158:54 |
Final Thoughts
Steve’s enthusiastic endorsement of CISA’s free Internet scanning is a highlight—underscoring its value, ease of use, and the surprising breadth of eligibility. The episode offers not only clear and timely threat intelligence but also practical takeaways, from securing home routers to vetting downloads and leveraging governmental resources. The show, as always, balances real-world cyber risks with wit, wisdom, and a little levity.
“Win, win, win, win, win.” – Steve Gibson [156:46]