Season 1 | Episode 2
Get ready for Episode 2 of Hacking Exposed, Qwiet Edition!
Stu McClure, Chris Hatter, Chetan Conikee, and Ben Denkers are back.
In this episode, the discussion touches on:
- the Microsoft hack, and how the company is handling it
- more MOVEit victims
- why passwords and tokens are just plain dumb
- the hidden harms of logo-posting
- whether you can trust criminals who exploit trust
Resources for this episode:
TechCrunch on the Microsoft hack.
An update from cybersecuritynews.com on the impact of MOVEit.
The recent executive order on cybersecurity.
- [00:00:41] Well-informed speculation abounds on the Microsoft situation.
- [00:13:50] It’s important to remember that attacks usually aren’t publicly identified the first time they work . . .
- [00:17:30] The MOVEit mess shows that outdated tech can be a cybercriminal’s best friend. Stay current on your patches!
- [00:21:28] Enumerating endpoints and determining the footprint of a target are critical elements of most successful cyberattacks. Why make those jobs easier?
- [00:23:20] What if the MOVEit debacle is just the opening salvo in a protracted campaign?
[00:00:00] Stu McClure: All right everybody. Welcome back to the Hacking Exposed Podcast Qwiet edition. I’m joined by my usual cool cohorts here and I’m super excited to cover the topics. This week there’s been some amazing stories to talk about, in particular Microsoft, more MOVEit victims, a lot of chat GPT and AI talk in and around enabling adversaries and maybe even replacing CISOs.
[00:00:41] We’ll first just kick it off with the biggest story I think we can talk about right now. We’d look like idiots if we didn’t, which is the Microsoft hack. Guys, what do you, what have you seen? What are you thinking on this one?
[00:00:53] Chris Hatter: I’ll start, so just to summarize a little bit of the attack, I think that’s a good place to, [00:01:00] to start.
[00:01:00] Essentially this is a very highly targeted attack where what Microsoft is saying is a threat actor group out of China used MSA signing tokens to forge their way into Azure AD. The compromise, I think according to Washington Post article looks like 25 total victims, nine of which were in the US
[00:01:20] Targets were US think tanks, US human rights activists. I think the biggest name that came out in that, that WaPo article was Commerce Secretary, Gina Raimondo. So very targeted, very focused on obtaining emails from the group and, ultimately I think this is a situation where there’s a lot of unanswered questions, so I’ll stop at the summary, ask what you guys think, and then weigh in myself.
[00:01:44] Stu McClure: Yeah. I’ve heard a lot more victims too. In upwards of a hundred or so, and even my alma mater, Ernst and Young was a part of that list. Chetan, who are some of the others?
[00:01:53] Chetan Conikee: We have what Microsoft reported as several government agencies have been impacted. The [00:02:00] spectrum is really wide.
[00:02:01] But they haven’t disclosed which agency of course. What alarms me more is the series of steps that the attacker took to, to touch and infiltrate. And that is something that we can speak of as we progress, but it’s somewhat an alarming wake up call for all of us, especially, given Microsoft as a cloud ecosystem, has fundamentally shifted from physical to cloud ecosystem.
[00:02:25] The most important point, or the initial point is the access to the Azure AD. Why did that happen? How did that happen and how did they manage to grant that tenant wide admin concept? It’s something that we are still uncovering at this point, but it’s interesting to know how they did.
[00:02:44] Ben Denkers: Yeah, from my perspective, Chetan, I would really like to understand how they got the signing key in the first place, right?
[00:02:48] I think they, they haven’t figured out how they’ve done that. Or they’re playing coy as it relates to, they’re continuing the investigation. And so generally for me that, that means one of two things, having done a lot of [00:03:00] IRs in the past, that either something silly happened and they don’t want to talk to it, or they fundamentally don’t understand how it happened in the first place, which I think is equally scary as well.
[00:03:11] Stu McClure: I’m gonna speculate because I’m that guy. At the end of the day, it sounds like someone got access to the, active directory, Azure Active Directory or Exchange Active Directory, God key, God credentials. Somehow. And then that was what enabled the actor to get the MSA key, the consumer version, that then they could forge these authentication tokens and then these tokens could be applied into the enterprise accounts.
[00:03:38] And of course, that was another error that Microsoft copped to, or a vulnerability, if you will. That allowed for that transfer from consumer to enterprise accounts to occur. But I’m gonna say if the threat actor that they are identifying is accurate, and who knows about that. So this is all speculation, but if it is accurate, [00:04:00] this individual or group tends to use a lot of rat type hacking and getting onto systems.
[00:04:07] And pulling from LSASS credentials in the SAM on a Windows box and my gut either is A, somebody simply social engineered the credentials outta somebody to get on. And to get access to this MSA key or they hacked into somebody that is again, has access to the top level domain keys, signing keys and authentication.
[00:04:32] And by hacking that box and getting on their computer and then dumping all their credentials, they probably could have easily done a credential reuse technique to gain access in and then pull down the key and then do whatever they want. And I’ll correct myself on the Ernst Young one.
[00:04:48] I don’t actually, Ernst Young was more the MOVEit victim, so apologies for that crossing over. But but yeah, a lot of government agencies have now I think, been a part of this mix. And so I think [00:05:00] that’s a couple of different scenarios that could easily be plausible instead of going the exotic routes of some like massive zero day in the actual root [00:05:10] certificate or root ad servers of Microsoft. So I don’t know what does that sound right guys, or,
[00:05:16] Chris Hatter: Yeah, that’s the biggest unexplained question I think. I think Microsoft has been very clear that the full first vulnerability was a validation error that allowed an MSA consumer signing key to actually access Azure AD and ultimately outlook web app and outlook.com.
[00:05:32] So I’m hopeful that we see transparency on this from Microsoft. In their analysis they’re saying that the way the initial access to the MSA signing key is still under review. And we’re, I think, at a point in time where it’s all speculation. We’re trying to figure out how that happened.
[00:05:49] And I’m hopeful that they come forward and articulate it to us. But those keys are typically held by Microsoft themselves. And so it’s gonna be very interesting to see what happened and how clearly Microsoft lays [00:06:00] that out for us when time comes.
[00:06:02] Ben Denkers: It’s certainly important from the to identify that, the significance of token security, right?
[00:06:06] Especially if there was something that they could have prevented this particular compromise from happening in the first place. But, I, again it’s no longer just about passwords, right? We have a lot of other things that we have to worry about and. I think token security oftentimes gets overlooked because it’s just on, on the backend.
[00:06:25] Chetan Conikee: And to extend your speculations Stu, to a certain extent, you have this typically in a cloud ecosystem, it’s multi-tenant. Each tenant is serving a customer, but in certain cases you have system integrators as well. And when a system integrator comes into play, they’re working with extended privileges perhaps.
[00:06:45] So this could be an attack on the system integrator as a proxy to compromise the ecosystem. But the question is, when you’re running anomaly detection, when you are white listing, why do you have to treat system [00:07:00] integrators different from your customers in your tenant? Again, speculation with just a question that comes to our mind at this point.
[00:07:07] Stu McClure: Yeah, that’s right. There could be a third party involved here for sure. It’s often the case. We’ve seen it a lot. It could be just something very simple. I think what it comes back down to, in my opinion, is like a token is a password. In effect, it’s a password. It’s a way to authenticate into a system or a service or something.
[00:07:23] And the way that we’ve developed the password system or the authentication systems are just fundamentally broke. We, anybody can take a token or anybody can take a password. And have it work even though you’re not the actual person, and we’ve just built the whole system and structure from the ground up incorrectly.
[00:07:43] I do think that AI and machine learning is gonna be an interesting play in the identity space, which no one’s really touched. Of any significance. And it’s just such an easy way to determine if you are who you say you are by looking at your behavior, conduct, activity, things of that nature.
[00:07:59] So it [00:08:00] will be interesting to see how we try to fix this in the industry. I see some startups potentially that could really help out in this world, but until then, man, we’re stuck with this stupid password. We’re stuck with these stupid tokens. API keys, these are all just garbage ways to, assume that you are who you say you are.
[00:08:17] And there’s no two way real validation there of any significance. Yeah, we’ll see about that. All right.
[00:08:22] Chetan Conikee: I’m gonna challenge you a bit on this just to close out, you said that perhaps we can go passwordless, that is the stupid tokens. But passwordless is going to emerge and bring its own set of problems with it
[00:08:35] Chetan Conikee: New problems, new day, new issues.
[00:08:39] Stu McClure: Totally. At my prior company we actually did a lot of r and d around machine learning application to identity, and we always knew that even though we were getting into that 95th percentile of. Efficacy in terms of determining the individual is who they say they are.
[00:08:55] We knew that eventually there’d be attacks on the AI [00:09:00] itself, right? There’d be attacks on the individual, their behavior as they’re expressed, and the way the models are trained and learned as well. Yeah. Yeah, I agree. There will be, there’s always the offensive counter offensive stuff. Yeah.
[00:09:12] Chris Hatter: I don’t want to close the page on this Microsoft thing just yet, because we’ve only talked about one part of what transpired, right?
[00:09:19] They forged the tokens. They got access to Azure ad, but they had to go get the emails themselves. And so there was a second vulnerability. So they were able to actually generate outlook web application tokens by abusing a design flaw. According to Microsoft, a design flaw in one of their APIs. That design flaw is also unspecified, right?
[00:09:39] So the big question on my mind is how do you get the consumer MSA signing token? And then what was this design flaw? How was it fixed and addressed? What do we all need to know as end consumers, so, 365 to fully understood, understand what Microsoft actually did to squash this.
[00:09:59] Stu McClure: So what was the api?[00:10:00]
[00:10:00] What was the api? Do you know?
[00:10:03] Chris Hatter: The actual API was get access token for resource.
[00:10:05] Stu McClure: Okay. Get access Token for resource, which was probably. Okay. So if they’re saying that was being used, so
[00:10:15] Chris Hatter: It was used to issue a new exchange online access token, if the user presented token that was provided by that API.
[00:10:23] Stu McClure: I think that’s, I could be wrong, but I think that was what I was referencing when I was talking about. You being able to get that MSA consumer key and then generate forged tokens for the enterprise. I think that was probably the API that was used to do that, and supposedly they caught that and fixed that, but we don’t know exactly what that means.
[00:10:46] Chris Hatter: Microsoft is saying. Don’t worry. All good. Here we have fixed this across all tenant environments, right? That API was the thing that was used actually for the male retrieval itself. So to be able to get, sp to the specific victim, [00:11:00] be able to get their specific emails to be able to canvas what emails they wanted to extract that API was what was abused. That ultimately led to enabling the attack.
[00:11:08] Stu McClure: Yeah, so I’ll bet you what they did. They had the MSA consumer key. They called that api. The API didn’t distinguish between a consumer key and an enterprise key and just generated the enterprise tokens to then use to get into the emails probably. Chetan. We, I can be wrong, but yeah. Okay.
[00:11:23] Chetan Conikee: If I just tie an excellent point, Chris and Stu, in fact, if I prior to what you just said, Chris to continue on Sue’s narrative, he spoke of using AI, how can we leverage ai? And to your point, Chris, four events were chained in order to make this attack successful, or three events.
[00:11:43] So the question is how do you identify routine variation from extraordinary variation? And what I mean by extraordinary variation is if you forged tokens often tokens are forged when you’re onboarding a set of employees into the ecosystem. So that is routine. So you have to identify [00:12:00] by examining data from the past.
[00:12:02] So question is when, if you are running an anomaly detection system, why didn’t it work, is the question.
[00:12:08] Stu McClure: Yeah, we’ll see. Obviously a lot of the dust has gotta settle on all this stuff and it is pure speculation until a lot of that does. Nine times outta 10 what you think it is. It probably is, and it’s probably the most simple form of whatever it is.
[00:12:21] There’s not too many exotics out there anymore, but every once in a while we’ll get an exotic technique or hack or O-day or something. So it’ll be interesting to see.
[00:12:30] Ben Denkers: To Microsoft’s credit, right? They identified it through the kind of their threat intelligence process. And it’d be interesting to see and better understand what they did in order to recognize that something was going wrong.
[00:12:40] And whether or not AI potentially played a part in that, I think would also be if we peel the onion layers back would be interesting to me.
[00:12:48] Chris Hatter: I think that Microsoft has been quite good at being transparent. I think like we’ve stated here, there are some open-ended questions that need to be answered.
[00:12:58] Overall, I like [00:13:00] the fact that they go do their analysis, they publicize it, they need to finish it off by answering some of those questions. I think for me, Microsoft was able to find this. They obviously, get a ton of information from a huge number of endpoints. They’ve got a ton of telemetry from Azure Cloud.
[00:13:15] The question is, do the end customers of Azure and or of 365. Do they have the artifacts that they need to be able to identify this in their own environment first? And I think that is an open question, right? Because anyone who’s ever been a customer of Microsoft, you know that ultimately what they want to position you into is getting the E5 license.
[00:13:36] All you can eat, replace everything with Microsoft. My big question on this, and I, we don’t know exactly who the victims are, but did they have enough resources at their disposal to be able to identify this themselves? Or was this something holding Microsoft could have found?
[00:13:50] Ben Denkers: I think that’s a really important point.
[00:13:51] Along the lines of, is this the first time it’s happened, right? They, Microsoft’s identified it, but generally speaking, attacks themselves [00:14:00] happen quite significantly before they’re even identified so
[00:14:03] Stu McClure: Well, and there is history of this threat actor group using tokens in the past that have been acquired on the endpoints, at least through their malware attacks.
[00:14:13] It. Who knows it, it could be. But I do wanna go on record as applauding Microsoft for getting this information as little as it is out there to the world as best we can. I did learn that, and I didn’t know this, but there, I guess there are tiers of subscription that would provide you with the right logging and therefore the right artifacts to catch it for yourself.
[00:14:35] But apparently it’s not universal, I wonder if that’s true. I think Microsoft should really think about allowing at least that feature to be universally available with all subscriptions because I, like we all know it takes a village. We all have to be able to be really. On top of our game, every single installation and administration trying to find these kind of [00:15:00] adversarial attacks as we go along in just the sea of activity.
[00:15:06] Chris Hatter: This is a super interesting dilemma because on, on one hand you have the White House, the administration saying, Hey, build all your products, security by design and enable your customers to be able to build their own effective security measures and stuff like that. From the Microsoft point of view, they’re running a business.
[00:15:22] So if you think that they can give everyone Azure Sentinel log ingestion, storage, all this kind of stuff for free, that’s relatively impractical just from a dollars and cents standpoint. But what is the creative solution to be able to give, customers think small business, think medium business.
[00:15:41] At the end of the day to do instant response digital forensics, you need logs. Those logs have to be stored. They have to be stored for some period of time that makes sense. None of that stuff’s free in our world right now. And so the big question in my mind is like, how can we enable enterprises, mid-market, [00:16:00] small business with resources that they need to defend themselves?
[00:16:02] Without forcing them to break the bank or move up some sort of tiered structure What’s the way? And I don’t have a good answer to that, but I think that’s what Microsoft consistently struggles with. Trying to be able to service, all of their end customers, but also trying to run a business at the same time.
[00:16:20] Stu McClure: Yeah. Yeah. There. It’s a big challenge. Anything else guys on Microsoft we wanna share at this point? Obviously we’ll stay on top of it as best we can over the days and weeks and report out what we see and speculate as we do.
[00:16:32] Chris Hatter: Yeah, I think we dig in as soon as we get the latest update from Microsoft whenever that does come through about the msa signing token and some of the vulnerability fixes that they put out there.
[00:16:44] Stu McClure: Think all right, we’ll track on that. All right, next MOVEit. This seems to just not go away like a bad penny. Just keep popping up left and right. We identified this at one of our last calls, sequel injection vulnerability. I don’t know if you have any more [00:17:00] details, guys and others. But the victim list keeps on coming and, yeah.
[00:17:06] Chetan Conikee: It’s to, to your point Stu, it’s plain old SQL injection proliferation across a very large customer base. And I did some reading, so it’s fairly interesting. The issue we are dealing with is it’s a legacy code base and if they’re using SQL to access their data store, there are many pathways in the code leveraging, SQL abstractions to communicate with the database.
[00:17:30] So apparently they are putting out patches and they’re fixing as they go, which means they are not doing a complete check on the code base and patching the entire code base, but rather going on small increments, which means that as they discover something, they attach it and there is a asymmetry because attackers are just enumerating all the end points figuring out, points of entry.
[00:17:57] Then progress software [00:18:00] is playing catch up and then putting out the patch. So the impact zone is substantially large, I sense we’ll continue to hear this over and over again. The issue is, are you staying on top of your patches? If you don’t, you’re exposed. Is progress staying on top of figuring out their entire ecosystem to patch and substantially release it and put out something that’s more viable?
[00:18:25] So it’s just a catch up game at this point. I think this will continue.
[00:18:29] Chris Hatter: Two things yeah I’ll just key in on what you said. Are you staying up with your patching game? If you think about the vast majority of what people are facing from a patching perspective, most organizations. I’d say a large percentage of them, sans the ones that are more sophisticated, have enough problems just trying to patch OS level stuff.
[00:18:49] Obviously you, that patching needs to extend into middleware, web servers, app servers. You need to patch basically everything. The amount or the percentage of [00:19:00] organizations that can even think about patching file transfer tools across their enterprise when they can’t even get Microsoft updated, who frequently releases patches, and we have infrastructure for. I think it’s a pretty big ask, and I think that’s why you see a lot of, compensating controls being implemented. The second thing that I wanna comment on is the way that they’re fixing it. To your point they’re iterating fast.
[00:19:22] They’re obviously under a tremendous amount of pressure to, to fix their software. It almost reminds me, I know it’s different, but it reminds me a little bit of what we saw with Log4J where log4J there was a fix, there was a workaround, there was a new fix, there was a new patch, and that happened over a period of weeks.
[00:19:37] And unfolded in not the cleanest way. And so I think you’ll see that here with MOVEit. And yeah, the victim list just keeps going up. I wouldn’t wanna give any credit to the threat actors, but they are doing a good job of keeping themselves in the news by trickling out these these new victim lists as time goes by.
[00:19:52] Stu McClure: Yeah. 340 now is what the latest count I’m seeing. And obviously using this Cl0p ransomware to [00:20:00] probably really accelerate the hacks themselves, getting that malware.
[00:20:05] Chris Hatter: Look this group is operating a little bit differently. They’re not encrypting their victims, right?
[00:20:12] So they are basically–not only that, they’re not even reaching out to them. They’re going and just publishing who they’ve compromised, putting it on their website. Ultimately I think it’s interesting that choice not to actually encrypt and the choice to just publicly disclose that they’ve been compromised. We have a lot of big names here. I think Stu mentioned it. It was the ey, I think some of the new ones are Discover, Shutterfly, Choice Hotels. Bad day for all these organizations. Obviously there’s a huge number of universities that I saw from the list as well. I think what’s common amongst most of them is large scale IT environments.
[00:20:48] That’s where you have that situation that I described of not necessarily being able to patch everything in your environment. How do you keep up.
[00:20:54] Chetan Conikee: I had one quick point, right? How would this fundamentally [00:21:00] change going forwards? Especially from an attacker perspective, because attackers have to figure out their target to enumerate.
[00:21:08] And the best approach to this is you land up on the progress website and you look at their client base and you choose those victims, right? Same thing played out with SolarWinds because they publish their clients. So should companies stop actually publishing their customers and their clients on their website? To prevent this complaint?
[00:21:28] Stu McClure: In the early days, we would never ever put company names, customer names on a website because, and they wouldn’t let us, to be quite honest, because it was too compromising potentially. They know now the software stack, the tech stack, they know how to, it’s like step two in the book Hacking Exposed, it’s footprinting the organization and enumerating and figuring out, okay, what’s there to attack. And I’ve been actually surprised over the years why so many customers are willing to allow that, to be honest. It’s good in a way because it validates, obviously the tech that [00:22:00] you’re selling is now being used and helpful.
[00:22:02] But at the same time, man, if you’ve got a zero day or, which, by the way, I, this has been around since May of 2021, I believe this is zero day, or maybe certainly within 2021. So this is not a, like a real shocker, surprise. It’s just now getting exploited. Or you take the Bruce Schneider angle, which is look, security through obscurity doesn’t work anyway.
[00:22:23] Who cares? So you obscure the fact that you have MOVEit and you’re running it. Look, they’re gonna figure it out eventually anyway, and they’re gonna hack it. So what’s the big deal?
[00:22:31] Chris Hatter: Think those counterpoint with that,
[00:22:32] Stu McClure: Stu? I was, yeah. Sorry I beat you to it yet.
[00:22:36] Chris Hatter: I was gonna counterpoint that.
[00:22:37] At the end of the day, these threat actors, especially ones as capable as the one we’re talking about here, If they’re interested in perpetrating an attack, they’re gonna gather, they’re gonna do their reconnaissance in a number of ways. They’re gonna get some of that high level information that they want to figure out how to map out their victims and run a big campaign like they’re doing.
[00:22:58] They’re gonna get the information that [00:23:00] they need anyways. And it’s interesting Chetan, and I think those of us who are selling software, we obviously want customers to, put, be willing to work with us and put. Put their logo out there. I think the security by obscurity thing just simply is not gonna work, and if you’re banking on that, you got bigger problems.
[00:23:17] Ben Denkers: Yeah. I think it’s always gonna be an investment, right? From an attacker’s perspective. And your job as an organization is to make life as difficult as possible in order them for them to move on. If they have the time and the will and they find value in, in trying to compromise the organization, they’re gonna do everything in their power to do. Which, if we go back to Chris your comment about why they haven’t been, why they haven’t chose to ransom the organizations, makes me think or wonder whether or not, they have other persistent access already and MOVEit was just the first bit.
[00:23:47] And so they’re not necessarily concerned about doing it right away, but maybe, they leverage the compromise and have access to those organizations or the. Ingrained with throughout, so to speak.
Chris Hatter: The question is always, let’s just say, they obviously took [00:24:00] still data from their victims.
[00:24:01] The question that the victims then wrangle with is, do you decide to pay the actor to delete our data? I don’t know what you guys think about that or how you’d position it, but it’s a very tough question, right? Because the data itself could be varying levels of sensitivity could be super meaningful to you.
[00:24:20] I always kind of erred on the side of: “Once the data leaves the walls, you should start to consider it public and operate accordingly.” Though, you know a lot of people with a lot more experience than I with ransomware actors, actually, depending on what the group is have had a track record of doing what they say.
[00:24:38] Others do not, but some do. So how would you guys land on that spectrum? Would you be willing to go pay for the deletion or where would you go?
[00:24:46] Stu McClure: Don’t ask me, man. I’m telling you, I’m pretty clear. I would never pay. And I, this is a, this comes from a lot of years experience. In the very early days of ransomware, we actually hacked the ransomware actors themselves.
[00:24:58] Okay? So we would go back and [00:25:00] hack in to not just them, but into the techniques themselves. So for example, one of the first ransomware we dealt with, in my prior company, Cylance, we actually found a flaw in their cryptographic algorithm. So we simply hacked the flaw and we were able to assign any password into the encrypted bundle or whatever.
[00:25:21] And so we helped a lot of customers do that. There’s always a way around this. Somehow, there’s always a way to, to deal with it without paying. I’m just not a big believer in paying, but I understand people, businesses have to, run and they have they, they don’t often have access to the talent that I did at Cylance, so I understand and sympathize at the same time with people that do it.
[00:25:44] Chris Hatter: In, in the Cl0p case, Stu, it’s like they didn’t encrypt anything. But they’d prefer if you paid them to delete the data. The question is, are you gonna, are you gonna do that? Are you gonna trust them to actually delete it?
[00:25:57] Ben Denkers: From my perspective, I think that’s a hard sell, right? [00:26:00]
[00:26:00] At best case you have 50-50 odds, but, depending upon the cost, maybe it’s worth it to your business for those, for that kind of risk. But generally speaking, if it’s already out there, It’s done, right? And maybe, and we’ve seen this with other actors as well, where they sell the data later on.
[00:26:17] It could be six months, it could be, a year, two years later, and it ends up on some dump somewhere on the dark web. So for me it’s a hard pass.
[00:26:24] Stu McClure: It reminds me of the early days of a lot of my friends saying, oh, Stu, can you go delete all the pictures that somebody stole up on the cloud that like, don’t, I don’t want anybody to see those pictures.
[00:26:35] And I’m like, guys I don’t know. What to tell you? What’s, it’s up in the cloud, it’s gone, and you’re never getting this thing back. Okay? So just live with it. Go see your therapists as many times as you need. Just manage through it. But that is your reality for the rest of your life. And it’s just how it is.
[00:26:51] I don’t know I don’t know. I think it’s a weak technique by the bad guys. I don’t think they’re gonna get a lot of pull-through on that, but yeah, we’ll see. [00:27:00] We’ll see. All right I know we are up on time, so I just wanna thank my crew here as always, for your insight and appreciate the emotion that comes with all this, and obviously we will continue to track on all these latest and greatest exploit, vulnerabilities, breaches, attacks, et cetera, and hopefully make it make sense to the world. And I appreciate everybody’s time. Thanks again and have a great one, guys.
[00:27:26] Chetan Conikee: Thank you. Thanks.
[00:27:27] Chris Hatter: See ya.
[00:27:27] Ben Denkers: Appreciate it.