Only Malware in the Building 11.5.24
Ep 6 | 11.5.24

Whispers in the wires: A closer look at the new age of intrusion.

Transcript

Dave Bittner: It was a cold, cold night when we got together, a cold, cold, rainy night. I've seen it all in this line of work, the grifters, the hustlers, the two big fishers pulling cons over coffee shop wifi. But this, this was different. This was in some small-time scam. This was malware, slick, silent, and deadly. My office smelled of stale coffee and burnt-out firewalls, the only lights spilling in from the monitor in the corner. Rick and Selena appeared, faces lit by their own monitors, each looking as worn out as I felt. Rick was holding a flash drive, giving me that looked like he'd just seen a ghost. Selena, meanwhile, was scrolling through lines of code or expression, hard. Determined. I leaned in. This wasn't your average malware case. This was something else. It lurked in the corners, stayed quiet and patient. The kind of code that doesn't just steal data. It aims to unravel things from the inside. They didn't need to say much. The message was clear enough. In our world, the threats keep getting smarter. All you can do is try to stay one step ahead, even when it feels like the game is rigged. And just like that, I knew I was in deep. This case wasn't just any old breach. This was war. And it was about to get messy. [ Music ] [ Coughing ]

Selena Larson: Dave, are you coughing because you had too many dips before recording this?

Dave Bittner: [laughs] I can neither confirm nor deny.

Rick Howard: I can confirm it [laughs].

Selena Larson: [laughs] Well, now that the cooler weather is coming, is it switching from dip season to soup season or warm dips -- warm dip season?

Dave Bittner: I mean, there's a fine line between a hot soup and a warm dip. I think it's a matter of viscosity. But a -- anything that you can put -- you can take a -- either a chip or a bit of bread and put it in, I'm totally fine considering that to be a dip. So, yes.

Rick Howard: So soups, these are a subset of dips, is what you just described to us? I love them.

Dave Bittner: Soups are just dips with very low viscosity. That's all. It's all -- yeah, that's fine. Sure.

Selena Larson: Well, on that note -- [ Music ] -- one really interesting piece of research that we worked on recently was this cluster of activity that was specifically targeting transportation and logistics companies in North America. It ended up delivering a variety of different malware payloads. But what I thought was the most interesting was it's a really fantastic example of threat actors being pretty creative in terms of their delivery methods. So, in this case, they were compromising legitimate senders, compromising real accounts. And then, actually --

Dave Bittner: Is there ever an instance where they compromise illegitimate accounts? [laughs] Just -- you know, just wondering. Ah, Rick, always asking the hard hitting questions. [ Music ]

Selena Larson: You know, I wonder, yeah, a hacker hacking a hacker to send -- to reply to some thread hijacked emails. Yes. It's like hacker-ception.

Dave Bittner: Wouldn't that be though -- like, we hear these stories about, like, malware operators, you know, and APT groups who go in. They get in there. And the first thing they do is clean out all the other malware so that it is only theirs. It's there. So --

Rick Howard: That's right. Making room from theirs. Everybody out. Everybody, out in the pool.

Dave Bittner: Right. Right. Well, there was -- I remember someone talking about -- it was like an industrial control system situation where the operator, like, knew who was in his system, but they did such a good job of cleaning everything else out that they were like, "You know what? I'm going to let them be here for a little while."

Rick Howard: Let this -- instead of [laughs] paying a third party to, you know, monitor all that, you know. Let's just let this guy do it. Yeah.

Dave Bittner: Yeah.

Rick Howard: Okay.

Selena Larson: I mean, eyes on cleaning house, you know, I could see it. I could see it happening. But yeah. But in this case, so they did compromise the legitimate senders. And then they replied to existing conversations within that inbox to make the messages that actually look legitimate. So it's kind of interesting because there were two parts to this. This was the first part where they are -- you know, instead of impersonating transportation or logistics companies, they really compromised those accounts. And they tried to make it seem quite legitimate. Now, the second part, what made this kind of interesting was later, on in their campaigns, they started using this, what we're calling a ClickFix technique. So essentially, what happens is the target will receive this popup or notification of some sort, depending on what the actual attack chain is. And it'll be like, "Oh, you've encountered an issue. Click here to fix this." And what that actually does is copy and paste Base64 encoded PowerShell. So the actor is pretending like, "Hey, here's this security issue. But here's how you can fix it." But fixing it actually ends up leading to the compromise.

Rick Howard: So, Dave, here we go. You know, we've been doing this for a very long time. And it all comes down to clicking the link. [ Music ]

Dave Bittner: Clicking the link. It's a simple mistake like falling for a pretty face in a smoky bar. I've been there. Heck, we all have. One click, and you're in over your head, just like I was when I trusted a source that turned out to be as crooked as a geriatric kangaroo. [ Music ]

Rick Howard: Okay. That is the entire attack chain.

Dave Bittner: Yeah. Selena, you know, Rick doesn't mind clicking suspicious links. He figures, what's the worst they can do? Fax me a virus?

Rick Howard: [laughs] Those deadly fax viruses.

Dave Bittner: No, Rick thinks that multifactor authentication is clicking the link twice. [ Laughter ]

Rick Howard: Well, I am going to write that down. That is not what it means. Shoot.

Dave Bittner: Yeah. Rick falls for a scam so quickly even the Nigerian princes say, "Wow, that was easy."

Rick Howard: [laughs]. I want a first name baseness with all those Nigerian princes.

Dave Bittner: Yeah. Yeah. Rick has a -- I guess we just best to call it an open relationship with all of his passwords. So tell us about this, Selena. What exactly goes into this ClickFix method? Because I've heard about this making the rounds. And there's some unique, particularly clever elements of this, right?

Selena Larson: Yeah. So, we initially have seen it from multiple different threat actors. They might be doing fake updates' delivery, where it'll pop up and say, "Oh, you've encountered a problem with Chrome. Click here to fix it." We've also seen it delivered via email, where there will be an HTML document that says, "You've encountered a problem with Word. Click here to fix it." But what was really interesting about this particular attack chain was the HTML actually popped up with software that would be used in the course of normal operations for transportation and logistics companies. So they impersonated this software called Samsara, AMB Logistic, Astra, TMS. Basically, this would only be used in transport and fleet operations management. So, in addition to having that identity compromise, they also appeared to know some of the information that would be used in the course of normal operations, how it might be used by the people that they were targeting. So they were really very clever in a full scale impersonation that if you're an unsuspecting recipient, this is a very compelling social engineering technique. [ Music ]

Rick Howard: So that indicates that they were in their victim's network for a long time, learning about all these software packages that most of us has never heard of. Right? So the question I have, Selena, is, what was the entry? How'd they get in? You were mentioning they got in through email. Was that the victim zero as compromising email accounts? Or there is there something more scary going on here?

Selena Larson: So, from what we understand, we saw the visibility as the initial access via email. But to your point, whether it was they had compromised some of these organizations and done the research first, or whether they were just familiar with those business practices and done a lot of open source intelligence gathering, you know, looking up what software might be used, investigating various organizations or, you know, what are common practices for this specific type of company, they did do quite a bit of investigation. And this goes back to this idea of criminals needing to do a lot more research development, trying to be a lot more creative with their delivery methods. Because we, as cyber defenders and our industry as a whole and enterprises at large, you know, we have gotten better at security. And so the response to that from threat actors is, "I have to be more compelling with my lures with my social engineering." One of the things that I think is really fun about the ClickFix technique is it'll say, "Hey, here's a problem. But you can solve it yourself." Right? So how many times are we so frustrated going to IT running into an issue, and being like,"Ooh my gosh. I can't access this document." Or, "I can't download this software," you know, what have you. Open an IT ticket. Work with IT to try and fix something. But with ClickFix, it says, "Oh, you can do this yourself. Just click this button." And most people would have no idea that it was copying and pasting and then running PowerShell on their host, right? Like -- so it's very clever being like, "You can fix it yourself." [ Music ]

Rick Howard: The one that would work on Rick would just say, "You've got mail." [ Laughter ] Well, I think it's pretty tricky about all this is they're running an action here that is typically associated with criminals. You know, click this link basically to -- you get something done. But the intelligence that they had to have to make something like that work is -- would lead me to believe the attribution is towards some government. So what is -- what are your team -- what is your team saying about that, Selena?

Selena Larson: So we don't actually attribute this to attract a threat actor. However, given the actual malware payloads, which is really interesting, they were just kind of Commodity Steelers, NetSupport RAT, DanaBot, things that we see typically with cyber crime threat actors and not really very sophisticated malware. So that was really interesting too. And I think also part of this overall story where we're looking at and learning that the landscape, including cybercriminals, are getting a lot better and a lot more clever at the initial delivery. But they're not spending quite as much time or development in the malware. They might just be using something Commodity or, you know, an RMM tool, something like that, to actually install that payload. So it does seem pretty interesting and quite clever. And they are doing a lot of research. But the ultimate payload is something that we see oftentimes with high volume Commodity cybercriminal threat actors.

Rick Howard: Well, Selena, regardless of which side it comes from, either nation-state or cyber criminal, malware is nothing but trouble.

Dave Bittner: Selena, I'm curious. Why do you suppose that they chose transportation and logistics companies? Is there anything special about them? Or were they just convenient? [ Music ] I knew I needed to start asking the hard-hitting questions. Otherwise, this case was going to take forever. And we were running out of time. [ Music ]

Selena Larson: That is a great question. We don't really know the motivation. But I do think it speaks to something interesting about targeting supply chain. So oftentimes, you know, you're doing quite a bit of business and conversation and interactions and payments and a lot of traffic basically between suppliers and the organizations that work with them. And so it could be a very interesting wealth of information. It could have a lot of people that they're going to be doing business with, which could potentially lead to a lot more compromises or additional victims. Or it just could be a case of the threat actor having some sort of knowledge or understanding or interest in this particular vertical itself. So again, you know, the use of these very specific tailored ClickFix using that software combined with the very specific targeting indicates that, yes, they had done their research. But also, maybe they were just potentially interested in this specific vertical. So, we are continuing to monitor it. But I did find it really interesting and it does kind of have all of those hallmarks of stuff that we like to talk about. It's security, right? So identity compromise, supplier risk, you know, ClickFix and social engineering and being very convincing. So it was really all of these hallmarks of stuff that we, as security practitioners, talk about all the time. And this was just bundled in a nice little package of, "Oh, this is a really terrific example of how threat actors can be very clever and crafty and get you to do what they want."

Rick Howard: That's something that -- well, all the things you just outlined there, there's -- malware always has a price to pay even if we don't know exactly what it is.

Dave Bittner: A price to pay, to say the least, it's always at the forefront of my mind. [ Singing ]

Selena Larson: Stay tuned. There's more to come after the break. [ Music ]

Dave Bittner: One of the things that the brief mentions that caught my eye was that the threat actors are purchasing infrastructure from third parties. I'm curious. What are your insights there? I mean, what -- why would they be doing that?

Selena Larson: So this is actually an attack chain that we've seen -- or similar attack chains that we've seen from other entities across the landscape. So, because it wasn't necessarily specific to this one cluster, we do believe that they are likely purchasing it from a third party. And because of the similarities that we've seen from other potential chains that wasn't quite as sophisticated, wasn't super specifically targeted. But another thing to kind of think about is as the threat landscape is shifting to try and be a lot more creative, the sellers are also seeing how they can really differentiate themselves in the marketplace. So can I create something that is really compelling, that can be an attack chain? Or can I be an operator and sell this to a lot of different users? So I'm making the money off of just the delivery mechanism as opposed to creating really sophisticated, interesting malware that's going to be sold for a super high price. So it's honestly kind of interesting to think about it from a potential market shift perspective as well where, you know, the investing in the tools and resources for the cyber criminals to be able to go to that marketplace and buy these new tools or leverage them or subscribe, right, infrastructure as a service potentially as opposed to historically what we, you know, see oftentimes is really cool malware, very like customized, sophisticated implants or rootkits or things like that, where that tends to be a lot of the focus. So, both from a financial resources perspective, but also time and investment perspective. I think it is pretty interesting. And to be clear, you know, Proofpoint ourselves as researchers doesn't have a ton of visibility into these marketplaces. But based off of open source research and other reporting done by many of our colleagues, it's really interesting to kind of see what that marketplace is like now. Also, in addition that the shift away from remote access tools to more information stealers or like the use of legitimate services like remote management and monitoring tools, there's been a kind of a big change in the landscape in that sort of have a trickle-down economic impact, if you will, on the dark marketplaces and, you know, various exploit forums. [ Music ]

Rick Howard: Selena Reagan. Selena Reagan. That's where we are. Okay. [ Laughter ] But Selena, you mentioned supply chain attacks. And one of the reasons they like to do that is because that traffic most of the time looks normal, right? Until it's not normal. And then, you know, chaos happens. And then, you know, bam, bam, bam, it's horrible. So that's kind of the reason they do it that way, right? [ Music ]

Dave Bittner: Normal, that's a funny word. In this line of work, normal means something is hiding in plain sight, like a snake in the grass, just waiting for you to take that first wrong step. And trust me, you never see it coming.

Selena Larson: You have inherent trust in the supply chain. So, right, like these are people, individuals and companies that you're regularly talking to, you're regularly sending money to and from, you're regularly having this previously established trust and communications set up. And so that can be something that's very easily exploitable from various threat actors. I mean, we see it within email compromise all the time, right? So, impersonating suppliers saying, "Oh, our bank account information needs to be changed or updated." Having these, you know, very creative and crafty customized lures with a domain that's, you know, potentially one letter off of the legitimate company. But they're pretending to be or impersonating these suppliers and across the supply chain. So whether it's, you know, an outright compromise of a supplier that is doubly preying on that trust, or if you're just impersonating a supplier that the person regularly engaged with, regardless, you have that sort of like first step into building that trust with the recipient. And that's why they can be so compelling and very effective when it comes to social engineering and impersonation to try and get someone to either click on something, download something, you know, do something very bad. [ Music ]

Rick Howard: So are you saying something that we don't know what the ultimate objective was for these transportation kinds of companies? Do we not know what they got?

Selena Larson: So we -- like, you know, from our perspective, we just see the initial access and the delivery of the information stealers or the DanaBot, or you know, NetSupport RAT. But based off of what we know about these types of malware and it likely is financially motivated, so, some type of stealing, either data or money, to ultimately make money in the end.

Rick Howard: Is there any thought that that might be a camouflaged operation so that some nation-state could get in and get access to transportation systems? Is there any --

Dave Bittner: Ooh, misdirection. Misdirection.

Rick Howard: -- misdirection? That's what I would do. Okay. If I was doing this, right?

Dave Bittner: Yeah. Yeah. This is coming from Rick, by the way, who once got scammed into buying antivirus software for his microwave oven, ladies and gentlemen.

Rick Howard: And since I bought that, I have never had a piece of malware found on my microwave.

Dave Bittner: There you go. See?

Selena Larson: Or when you microwave anything. It just tends to be a little less cooked than it should be. No, nothing that we've seen that necessarily indicates that just based off of sort of the volume, the regularity, the different types of organizations that are compromised in the malware that's being delivered. I do think it is pretty interesting, though. And you know, we are continuing to monitor this. So our assessment may change, right? I mean, that's the beauty of threat intelligence.

Rick Howard: Typical Intel.

Dave Bittner: ,[laughs] Right. Right. There's a big old asterisk just sitting there, right? Just throb -- it's a throbbing asterisk. This may all change. Please don't hold us to anything.

Rick Howard: We have moderate confidence in this.

Dave Bittner: This is our current understanding is. But please read the fine print [laughter]. Oh, spoiler alert. It's all fine print. [ Laughter ] Oh my.

Selena Larson: It wouldn't be a cyber threat intelligence without "It depends."

Dave Bittner: I couldn't have said it more perfect even if I tried. [ Music ] I -- it's interesting to me how much they front loaded things here. Like, as you say, they -- it seems to me like they put most of their energy into the front end of getting in, of establishing trust, of simulating these known platforms. And then, once they were in there, they were just using off-the-shelf tools to do what they needed to do then. But it was really the time, effort expense was into that initial access. Is that accurate?

Selena Larson: Yeah, absolutely. And you know, we kind of joke and laugh about, you know, espionage versus cyber crime and could this be. But I do think it is kind of an interesting conversation to be had where there is right now an evolution and an increase in sophistication from cyber-criminal threat actors where they will, you know, spend a lot of money and time and resources into developing that initial access where historically, we could -- oh, sorry. There's a --

Rick Howard: It fits right in with our film Noir.

Dave Bittner: The Ghost.

Selena Larson: My house is haunted. I apologize. That was my friendly ghost screaming as it walked by my office.

Dave Bittner: Don't look at me. I have no idea what that was

Selena Larson: But yeah. So it does kind of fit as part of this overall trend in the landscape where we're seeing this investment in time, energy, resources into the initial access. They're being a lot more creative, a lot more sophisticated in developing some of the -- you know, like Dave, you explained front-loading the attack chain.

Rick Howard: But are they doing -- are they trying to develop exploit code? Or they're going in through social engineering? Because exploit code is expensive.

Selena Larson: Yeah, so, you know, that's a great point. From -- at least from the email as an initial access perspective, it is very much an investment in social engineering and new attack chains. So, it's not necessarily developing the exploits themselves. We have seen occasionally the use of some zero days or N-days as soon as something drops. You know, they're very, very quickly adopted into these overall attack chains. But it does kind of bring up this interesting conversation where, historically, we have had this bias in cybersecurity where espionage, APT actors are the ones that are the most sophisticated. They're the ones that are going to be the most clever and crafty. And they are, you know, the people that are investing a lot into those resources. Whereas, you know, cybercrime used to just, you know, deliver a malicious attachment. Or, "Here's a malicious link." But now, you know, there's a lot of overlap in TTPs from espionage and cyber criminal threat actors. There's a lot more sort of creativity and investigations and time going into attempts to exploit people. You know, I love thinking about how people are getting creative with social engineering. I mean, the ClickFix thing, I think, was really a very, very clever social engineering feat, right? Getting someone to think that they know best and to do something and actually infecting themselves, I mean, how clever, right? And so that's why we see it being used so much now. It started off a little bit slow. But, "Oh wow, wait, this is actually really effective." People like fixing stuff themselves. And they don't have to talk to it where, you know, focus on a little bit, kind of like the human psychology aspect of it as well, where threat actors have to think about how is a person going to respond to this, right? Like, we're increasingly trained as human beings and people to not just click on something. So we're not just going to click on something that's obviously malicious anymore. We're not just going to download something because someone tells us to.

Rick Howard: You clearly haven't talked to anybody in my family, right? So --

Selena Larson: As a whole in general. Everyone besides Rick.

Rick Howard: Oh no, I click on them all the time too. So, I'm a poor example

Selena Larson: But yeah, the sort of like human psychology, right? Like we're -- if we think about like the Hercule Poirot of cyber investigations, the little gray cells and the human psychology, you know, how can we use that?

Dave Bittner: Hercule Poirot. We had one word for someone like that. And that word was chump.

Selena Larson: To both better educate people, but also from a threat actor perspective, you know, how can I use my little gray cells to get someone to kick on something or engage with something that they otherwise wouldn't? It's interesting to see that sort of whole evolution. But then of course, we are the good guys and have to figure out and be creative with our defense and to prevent it as well. [ Music ] We will be right back. [ Music ]

Dave Bittner: Well, let's talk about mitigations. Let's bring it home then. And what are the recommendations here for folks to best protect themselves?

Selena Larson: Yeah, so, you know, I think if we're talking about it being a very human sort of targeted threat, it definitely has to be a human-educated. Human awareness, I think plays a really big role here. So I think, you know, especially when we're talking about stuff that is -- looks legitimate and people essentially infecting themselves, it's so, so important for organizations to really educate users on this new technique. Also, I think it's really helpful to remind folks that even if they are engaging with someone or they're receiving something from somebody, even if they'd previously talked to them, if it seems out of place or if it's a file or an attachment type that you don't typically receive -- so for example, this was an internet shortcut, URL file in many cases, or an HTML with an embedded internet or.URL file. Like, it kind of makes you go, "Huh," and really realize like the threat actors are being a lot more crafty. So we have to be a lot more mindful in terms of how we are thinking about educating our users about common techniques used by a lot of these threat actors. And you know, I think it can be a little bit difficult to defend against some of this stuff because so much of it can be like legitimate. Or you're essentially infecting yourself by copying and pasting to run PowerShell. And so a lot of it is just kind of like user awareness and reporting. [ Music ]

Rick Howard: Let's be specific here, right? As a general rule, don't install anything unless you know the other person online that sent it to you.

Selena Larson: Oh, absolutely.

Rick Howard: Right? And so that would solve 80% of this, right? The other one I always give to my family and friends is never do your day-to-day operation, running as an administrator to your laptop or your phone, right? That would also clear up about 90% of this stuff, right? So, those two things would keep you out of a lot of hot water. Dave, you like the hot water. So maybe not do that.

Dave Bittner: Yes, I do. I actually spend way too much time in my hot tub. I am a wrinkled mess.

Selena Larson: What is a hot tub if not just a nonviscous dip?

Dave Bittner: It's human soup. It's human soup.

Rick Howard: Wow. Nice callback.

Dave Bittner: That's what it is.

Rick Howard: That is very good.

Dave Bittner: That's right. That's right. But Rick, I mean, to what you said -- just said there, don't install anything where you don't know the sender. That was part of what this was about, right? They were convincing the people that this was a known entity, that this is, "Oh, nothing to see here. This is software that you're familiar with. And even more so, this is niche software that only those of us who are in this special club even know about." So, those --

Rick Howard: Yeah. It's easier to do -- say than do. Okay. I totally hear what you're saying that, you know, this is a professional social engineering attack. But the first thing you anybody should do when presented with an email from, looks like, the IT department, is to pick up the phone and say, "Hey, you guys, are you sure this is what you want me to do? Because I'm an idiot about this stuff."

Selena Larson: Yeah. I mean, even from like that side, though, like, like restricting or flagging when an unusual file type is received, right? So, something like a.URL file, it could be potentially used in legitimate enterprise operations. But you're probably not sending those back and forth all that often. So, you know, things like that too, where you can have some of these access restrictions or file restrictions on individual users to kind of prevent a little bit of that. But yeah, I mean, trust no one.

Rick Howard: Trust no one.

Selena Larson: For Rick's sake.

Dave Bittner: You know, when they get Rick on the line after he's given them his credit card number, he says, "Hey, why don't they give you my social security number too."

Rick Howard: Just in case.

Dave Bittner: "Just in case you need it. Just it might save you a call later. Let me just give that to you.

Rick Howard: I don't want to do this twice. All right? So --

Dave Bittner: No, no.

Selena Larson: Well, that's Rick's way of being -- making sure that he is so secure is that all threat actors have access to any of his potential data. And so none of them even try to go after him.

Rick Howard: That's right.

Selena Larson: Because they know everyone else can too.

Rick Howard: I am an open book.

Dave Bittner: That's true. Rick's passwords are so old. They come with an AARP discount. [ Laughter ] All right. Anything else we want to cover here, Selena, before we wrap up?

Selena Larson: I mean, I think we pretty much hit on all of it. And if I would leave anything, you know, to our listeners, is to just be very mindful and think about how we can better educate and be aware of the increasing craftiness of many of these very sophisticated cyber-criminal threat actors because, you know, they're not going anywhere. And we, as defenders, also have to match their craftiness and creativeness to make sure that we are staying ahead of the curve.

Rick Howard: For you, Dave, that means just close the laptop and walk away, right?

Dave Bittner: That's right. And right now, I'm going to walk away. I -- waiting in the other room is a whipped ricotta with lemon and olive oil dip. So --

Rick Howard: Nice.

Dave Bittner: I'm going to go partake in that. Thank you both. This was great fun, as always. We'll see you next time.

Rick Howard: Thanks, guys. See you later.

Selena Larson: Thank you.

Dave Bittner: And just like that case closed. But in cyberspace, nothing really ever dies. It just waits, hiding in plain sight, ready to strike again, like an old tuna sandwich in the back of the office fridge. You don't see it coming. But when it hits, it hits hard. Well, I guess there's nothing left to do for this old gumshoe but to read the closing credits. [ Music ] And that's only malware in the building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trustee digital sleuth, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the ever-evolving world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, mixing and sound design by Tré Hester with original music by Elliot Peltzman. Our executive is Jennifer Ivan. Our executive editor, Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. I'm Dave Bittner. On behalf of Rick Howard and Selena Larson, thanks for listening. Stay safe out there. [ Music ]