Breaking in with CrashFix, supply chain security, and CMMC phase 1 - David Zendzian, Anna Pham, Jacob Horne - ESW #449

13 snips

Mar 9, 2026

Guest

Jacob Horne

Jacob Horne, a defense-contracting cybersecurity evangelist familiar with CMMC and NIST, explains CMMC phase 1 enforcement and verification risks. David Zendzian, VMware Tanzu security lead, breaks down SBOMs and continuous compliance for supply chain security. Anna Pham, Huntress threat hunter and malware reverser, dissects the CrashFix/ClickFix browser-extension attack and its clipboard‑paste trickery.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Malicious Adblocker Copied uBlock Code To Hide Malicious Logic

Anna found the malicious extension by inspecting its JavaScript and discovered it blended open-source uBlock code with hidden malicious logic.
The extension intentionally delayed visible symptoms so users wouldn't link the crash to the recent install.

INSIGHT

Attackers Tailor Payloads Based On Domain Membership

Enterprise targets get different payloads: domain-joined hosts are often given tools to escalate in AD, while consumer hosts receive credential stealers or RATs.
CrashFix adapts behavior based on domain membership to prioritize enterprise compromise.

ADVICE

Lock Down Browsers And Whitelist RMM Tools

Reduce extension risk by using enterprise browsers or lockdown policies that enforce default deny for installs.
Whitelist only approved RMM tools and block arbitrary extensions on corporate machines.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Interview with Anna Pham

Breaking in with ClickFix: Anatomy of a modern endpoint attack

Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group.

In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Upon "running the scan," the user is presented with a fake "Security issues detected" alert and instructed to manually "fix" the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter.

The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command.

Segment Resources:

BLOG - Dissecting CrashFix: KongTuke's New Toy

Interview with David Zendzian

Continuous compliance and real security lifecycle management

Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable.

In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people.

Segment Resources:

BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation

Interview with Jacob Horne

CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain

With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw-449