Snowflake Breach Campaign

Marc Laliberte  0:00  
Hey everyone, welcome back to the 443. Security simplified, I'm your host, Marc Laliberte and joining me today is Corey the organized Ladybug knock grinder. Can you decipher that one? It's the opposite of a group we're going to be talking about, or at least, ladybug is opposite of a spider. Or whatever says opposite of scattered. How does a ladybug opposite of a spider? I don't know. Maybe small. I've never seen a spider web. Maybe I'll be organized by then I thought ladybirds for cuter. And watching the movie. The fly has already given me nightmares about Mike and myself. Before we get into that, on today's episode, we're gonna go over Microsoft's Patch Tuesday, including two pretty interesting, serious vulnerabilities they patched that you should hopefully patch as well. After that, we'll give an update or a rundown on what we know from the snowflake data breach from earlier this month. And then we will give an update to what exactly is going on in the life of the threat actors. They compromised MGM and Caesars Entertainment last year. With that, let's go ahead and fly our way.

So let's start this week with the first story we want to go over. This one was actually I guess it's technically news from now two weeks ago, I guess at the time, you're listening to this, but basically Patch Tuesday this month was actually pretty interesting. So the one we're not going to talk about that it's like equally interesting is Microsoft actually fixed the vulnerability in their Wi Fi driver that comes with Windows that could allow anyone within Wi Fi distance, potentially gain code execution on your system. That one likes set off alarm bells when I saw that one was a bit frightening at first glance, I do want to talk about it because I might disagree with one reason you might think it's not frightening.  And this one seems like a they spotted it fixed it and so far, no one has discovered it but interesting that they didn't spot it. 

Corey Nachreiner  2:35  
That's incorrect. A Chinese well known researcher who's spoken at BlackHat DEF CON before spotted it. And I don't trust Microsoft as much these days, their security seems to be getting a little worse with crap like recall. So I agree with you. They clearly say exploitation less likely. But everything else about unauthenticated just have to have access to wireless, which by the way, you can do over multiple miles with the right Yagi antenna, it's actually a competition at BlackHat and one packet and you have remote execution. This could be very bad. And I tried to do a lot of research because if you didn't I now notice you're bringing this up before the one we really want to talk about. But there are also things that may be BS, which is Sorry, I'm trying to find my links.

There's, you know, at least some Russian forums where someone is claiming for $5,000 They'll give a proof of concept for this. That's a cheap for I agree, it seems also it's a Russian threat actor and this Well, no, this is a well known Chinese researcher. So the Chinese researchers, a good researcher have spoken before. But I don't know if I trust a Russian underground selling it for 5000. But they at least you know, have a little more than average detail here. So we can't really trust these reports yet. And I will admit you and I both know there is a type of vulnerability that on paper is really bad, but there's lots of caveats about different memory overflows that can make some impossible to execute not not impossible, but let's say improbable on a regular manner. So I get that this this could be possible that it's not as bad but it still got to 8.8 on the CVSS and from what I understand it would have been a 10 if the fact that it's wireless or it requires proximity is one of the main things dropping it score right and I've I've every organization every even security expert is telling you to patch this immediately. Although none of them can like point to any exploitable code yet. or so. To me it's all depends on the we're looking at one thing that says exploit less likely just because there's no current POC but I wonder if

Huawei is going to have a talk at DEF CON Blackhat. So just like the real Microsoft vulnerability that I think you want to go into more detail for because we know this one is a big deal, I think we're not going to learn all about this until Blackhat. DEF CON, which is really the same as the star of the show, if you want to get into it.

Marc Laliberte  5:18  
Yeah, let's hop into that one then. So that wasn't the only big vulnerability Microsoft patch. They also released updates for all currently supported versions of their Outlook mail client, to fix a code execution vulnerability that can be triggered just by opening a message. So this one was discovered by researchers at Morfa sec. And they originally disclosed it to Microsoft on April 3, Microsoft obviously fixed it on their June Patch Tuesday. And while like details were a bit light, and amorphous exome blog, they didn't know like you just said, Corey, they're going to present on this at hacker summer camp this year. So at DEF CON, in generally, at DEF CON, researchers will give the entire dirty laundry behind the vulnerability,

Corey Nachreiner  6:05  
especially if it's already patched. Yep. And this one was patched quickly by Microsoft. So I think they I mean, the Wi Fi one seems scary, because it just needs to be proximity. But this is like like anything in outlook that just takes you opening an email and not interacting with it at all at all. That's obviously a huge issue. Every user even for suspicious emails will at least click on it. The one thing I'm curious is clicking on the email, which will open the preview but doesn't necessarily open the email in a new window. I'm curious if that preview is enough. Because it's assumption.

Marc Laliberte  6:40  
Yes, because they have like an auto open feature that can trigger it as well, too. Yeah, and I've been actually I want to nitpick on it real quick, because they mentioned it's a zero click issue, I would say this is more of a half a click issue where so when I think zero click, I think, you know, Android stage fright, where all you had to do was send a message, they did not even have to like unlock look at it,

Corey Nachreiner  7:05  
or just sit in your messenger app, but it wouldn't trigger right away. Exactly.

Marc Laliberte  7:09  
Whereas this in theory, you do at least have to interact in a limited way of just previewing it, which is still insane. Like that's a pretty easy barrier to get past. But I

Corey Nachreiner  7:21  
would say specifically, even as someone that catches in blocks, fish, I usually preview the email to see what I'm looking at before I can call it a fish. So I'm with you. It's not like like, also, zero click is a listening server that you could pop it whether a user is there at all. And like you said, with stage fright the phone, you don't even know you can have the phone locked, it could be in the safe, where you haven't used it for a day, as long as it had connectivity, you know, stay tight could pop it. So this is not technically 00 Click, but I feel like it's as close as you can get on an application where, you know, even if you're not going to interact with the email, shoot in the way I have Outlook set up, I even have to preview it just to click Delete, you know what I mean? You have to highlight the title or the subject of the email, which will automatically preview it and my window just to delete it. So it seems like you couldn't avoid opening an almost if it works with the preview.

Marc Laliberte  8:16  
I agree. So even if it isn't like traditionally zero click this is a pretty serious issue. And if you are if you're an organization that uses outlook, so if you're one of like the 90% of the United States, in most European countries, make sure you've installed the latest updates that came in June 11. Can

Corey Nachreiner  8:34  
I give you another argument why I think you've we've downplayed the Wi Fi one. Sure, please look at this. It's the exact same CVS score. But look at this, it has the exact same thing the Wi Fi has. Okay, that's fair. So I frankly from simply looking at Microsoft's alert, which gives no detail. This is as little problem as likely to be exploited as the Wi Fi one. And I if an organization like Morphe SEC says they're going to actually release the details. I bet you that. I'm curious what they think of the exploitation less likely part like does that exploitation like how are we even interpreting that? Is that exploitation less likely, just because there's no known public actors? And there's no known proof of concept other than the one more if the SEC says they have? Or is that less likely because the exploit is not reliable? And so don't base it off of

Marc Laliberte  9:32  
basically, actually, they've got a entire help document that kind of walks through it. And so exploitation less likely would be what exploit code could be created that the attacker would have difficulty creating the code is the meat and bones of it. per se, I

Corey Nachreiner  9:48  
think we're likely next thing they say they will also be dropping a proof of concept. So all right, I'm

Marc Laliberte  9:59  
back. Well, I wouldn't say I'm back to being scared. But I'm Mac OS. So I don't really care.

Corey Nachreiner  10:05  
Yet we're the we're the ones that run security for the 90% Windows devices in our enterprise that all have the Wi Fi Windows drivers.

Marc Laliberte  10:12  
Thankfully, we've got a robust patch management system. Either

Corey Nachreiner  10:17  
way, the point is, even though this might be about one of the vulnerabilities, the answer for both of them is just Microsoft patch day, go get them.

Marc Laliberte  10:25  
Exactly, which is hopefully something most organizations just automate at this point of soon after patch Tuesday, getting everything tested and installed. That is probably one of the single best things you can do with low effort to really reduce your attack surface. But I mean, either way, I did not see I did a bit of a search and could not find the the discoverer of the Wi Fi vulnerability anywhere on the DEF CON, or Blackhat docket. But sometimes they do have late additions for like breaking vulnerabilities like this. So did you

Corey Nachreiner  10:59  
look up the company name I haven't googled that but I do know a way have spoken to Blackhat before and what was the last flaw was just research like it was it was was like a resort, it was a very basic issue, you found that was a huge flaw. But what we'll see what happens, I would say you should take them both seriously. And make sure to patch both of them, even as the Wi Fi ones hard to exploit even if it's hard to get exploit code for it. I mean, come on unauthenticated just have to be enraged if you're it's not worth taking a chance on. And

Marc Laliberte  11:34  
actually so one last point on that one, that maybe it does take me back to the scales of a little worried. So like historically at a at like DEF CON specifically, the guidance has been you know, turn your Wi Fi off. So you don't accidentally join some untrusted network or whatever. This is one where if you don't like turn off your wireless adapter, as soon as this POC becomes available, like every single person with one of the little wardriving rigs would it be more walking in the hallways, I guess is going to pop everyone that they walked by going through that conference. Anyways, so nothing about Microsoft. Moving on to the next topic, though. So at the start of June, several snowflake customers, including Ticketmaster and the banking organization, Santander confirmed that they had been the victims of a data breach after data stolen from them showed up in the reincarnation of breach forums. So breach forums. It's an underground hacking forum that has existed in some capacity for feels like forever. It was seized and taken down by the FBI, I think two years ago now. But one of their most prolific users on the old breach forums, a group going by the name of shiny hunters, is actually now the new admins of this new breach forum that has popped up. And they are the ones that started posting this data allegedly stolen from Ticketmaster and Santander for sale on this new breach forums. So snowflakes if you're not familiar with snowflake, they're like a data lake provider. They basically do data as a service, you can sign up and store whatever the heck you want in there. And then I don't know access the data at some other time in the future. That is not a very good description. But anyways, data lake as a service, so their CEO came out with just like a huge database

Corey Nachreiner  13:33  
as a service. So think any organization that wants to offsite managing tons and tons of data might use them or any, any company,

Marc Laliberte  13:42  
their seaso published a blog post, though, saying that they had recently observed and investigated an increase in cyber threat activity targeting some of their customers. But there was no breach of snowflake themselves. And they believe all of them were compromised credentials ultimately, I remember early on when this story first started boiling through at the start of this month. One of the hackers posted data allegedly stolen from snowflake themselves. And so it looked like it might have been a snowflake breach thing cascaded into these other ones. And the victims of the individual data, the breaches were known, so like it was known snowflake customers, and it was their information from snowflake. So if you see a number of customers have their data from your service stolen, or if the outside world does, one of the first assumptions was maybe that organism this snowflake was breached, but will usually an accurate assumption to you will share in a second why it wasn't exactly that. Yeah, but so there Sisa did address that data from snowflake as well said that it was a demo account from a former staff member and it didn't have any sensitive data at all. So like a few weeks now after this incident, we're actually starting to get a lot more details coming from it from the likes of Mandiant, who was helping investigate a few of the customer breaches and also has now been working alongside snowflake themselves to investigate this wider campaign, and a few other posts as well, including the news company wired doing some investigatory journalism as well. But let's start with the the Mandiant blog post first, where they published a post originally on the 10th detailing basically this campaign targeting snowflake customers, where they were originally tipped off in April of that year, when a customer they were working with or I guess when their threat intelligence identified data stolen from one of their customers at that point in time, they contacted them for victim notification did some investigation, and ultimately determined that it was a stolen credential that was likely leaked with info stealer malware they had in May 2024. So a month later identified a broader campaign, they said, where they so far have identified and notified 165 organizations that are potentially exposed to this campaign. But they did note that they found no evidence that snowflakes own enterprise network was compromised. And every incident that they've investigated was traced back to a compromised customer credential. And almost always with no multi factor authentication, protecting that credential. And some of them dated back to breaches or info steal, or malware from Even 2020 was the earliest one they found. So pause there for a second, where if you're a enterprise organization, and you don't have MFA for something like this, that feels like mistake number one. And, yeah, for sure.

Corey Nachreiner  16:53  
I mean, I do think SAS vendor mistake number one is not making MFA default. But I have to admit, we still don't even do that in WatchGuard cloud, even though we have a free account, because it's hard to do without getting users revolting. But if your SAS vendor, whatever it is, if any external vendor you share sensitive data with has MFA, it makes no sense not to turn it on, you should turn it on period, I would love to see it being on by default. There are by the way, caveats, like we jokingly went past snowflake just being a data lake and we didn't describe it well. But when you hire a cloud data lake like snowflake, it's not just to put your data there randomly. It's supposed to be there for retrieval from other applications. So you're going to have API integrations and other things with snowflake to so absolutely agree with you, these customers should have enabled snowflakes MFA, I bet you and based on their own blog post snowflake might consider making MFA default, but no matter what they're going to have service account issue, like a service account is a non interactive non human account. And MFA is an option there, we can or may or may not get into that in more detail if you want Marc. But service accounts are the one, when you have these cloud services, a lot of the time it's not people logging on to them. It's other applications you've designed to interact with them. So that adds a whole nother level of complexity.

Marc Laliberte  18:25  
Let's talk about some of the protections you can do for that though. So like snowflake even released a hardening guide to early on during this investigation. And they pointed to, like network allow lists as a good way to help handle service accounts where maybe if you cannot enable MFA, at least you can prevent someone that steals that credential from being able to log straight in from anywhere in the world. And that's where we're using like network ACLs. So restricting based off IP address can really help secure those types of maybe not secure the account but at least limit the damage if someone does compromise one of those credentials. Yeah,

Corey Nachreiner  19:03  
I'm trying to find them they have a snowflake has a lot of best practices on the best ways. And I think many of these who existed before that breach on how to authenticate to them. I'm not finding it as quickly as I could want to. But there's a two part series one that talks about how hackers break into accounts using different types of credential theft. But then the follow up was how you can secure service accounts with things like key pairs or OAuth instead. Yeah,

Marc Laliberte  19:33  
so let's speaking of breaking into accounts, let's pivot to that wired story now to where they actually went out and got in contact with someone from shiny hunters to ask about the ticket master breach themselves itself. And the shiny hunters member actually claimed that their original access came by going after a firm called EPAM systems, which is basically a contractor that had access to Ticketmaster and other victim organ as Asians to and they claim that they compromised that Ukrainian EPAM systems employees laptop with info stealer malware through a spear phishing attack. And that through that they found unencrypted usernames and passwords that were used to manage EPAM systems, customers snowflake accounts, including ticket master, they claimed they found it and like their JIRA ticketing system, and exfiltrated those and then use them to access the customers. They even gave a list of what appeared to be a PAM worker credentials from their own internal Active Directory server as proof that they had a inside on that organization. But EPAM came back to Wired when they requested for comment saying they think the attacker is making all of that up. And it gets kind of interesting in here. So wired contacted another like independent security researcher or was working with one at least, and specifically a unnamed researcher that's been helping negotiate the ransomware interactions between shiny hunters and victims of this snowflake campaign. Net researcher pointed wired to a underground forum where they had credentials from a Ukrainian EPAM employees machine that were stolen with info stealer malware, and a URL that pointed to ticketmasters snowflake account as well, just on this underground form. And so it's possible that maybe the truth is somewhere in the middle here.

Corey Nachreiner  21:24  
I pulled down the article, but I think I also remember that wired forward that you know, after II Pam's President denied that had anything to do with them. They forwarded that underground list to the public relations people and didn't get a reply.

Marc Laliberte  21:41  
That's the Oh crap. Response to comment.

Corey Nachreiner  21:47  
It's interesting. He she said, she said I don't lean on trusting thread actors even. I mean, I don't know whether foreign people that run a former gray hat or black hat, it seems striking hunters are pretty darn black. What am I talking about? But either way, while I don't trust them, I mean, if they're showing you image like like, they don't always like so. I think it's and Mandiant also is finding data that there were credentials involved both sides.

Marc Laliberte  22:18  
I feel like the truth is there probably was info stealer malware. And I think the less likely truth is that like shiny hunters were the ones that placed it there since typically their method of operation is go and buy or find credentials on the underground. And usually they

Corey Nachreiner  22:33  
run the underground where other people post ranchos to so they can get access to them in some ways. They may even be if they're the moderators of the forum. Sometimes the moderators have to validate the sellers files are legit, so they may even have unpaid for access to some of the samples.

Marc Laliberte  22:49  
So my I feel like a more likely scenario is they found them they were valid, they use them, but now they're trying to like claim credit for being the ones that actually pop them to and that sounds like something a threat actor with their history would potentially do. But so like main takeaways from this was does not look like snowflake themselves were compromised. This is just a big credential stuffing attack or not even credential stuffing like valid credentials found from info stealers being using

Corey Nachreiner  23:19  
a credential attack even. So sure, MFA man. Yeah,

Marc Laliberte  23:26  
MFA or like SAML authentication to something that does support MFA is definitely the way to secure this type of account. And

Corey Nachreiner  23:33  
for service accounts if think about alternate ways than just passwords. And if you must use a password for a service account, that's where you need to break out your real passwords. And by real passwords, I mean, 32 random characters that you can never remember. And you store in a vault that only people with the ability to test service accounts are able to get to. You

Marc Laliberte  23:56  
mean not in a text file on your desktop to make it easy the next time you want to deploy your

Corey Nachreiner  24:00  
app. Yeah, and not not a password that says snowflake, 123. bang for your API. I'm

Marc Laliberte  24:09  
actually very interested I'll have to do some more digging to see what some of these credentials actually were. And if they were just as garbage is that

Corey Nachreiner  24:16  
I am making it up for the hopefully no one uses a service account password that way. But we just history says that, potentially. Yes.

Marc Laliberte  24:28  
So I guess Yeah, your snowflake customer turn on MFA yesterday. So the last story for today is a bit of an update to a saga that's been ongoing for a while now. So last summer, probably remember both MGM and Caesars Entertainment suffered pretty massive ransomware attacks, one of them paying and restoring services a little bit quicker, one of them not paying and restoring services quite a bit later. Those ransomware attacks were carried out by a combination of altfi or blackcat, which is The ransomware as a service operator, and scattered spider, which was the affiliate that gained access and deployed that ransomware. So, MGM if you remember scattered spider, they claim they social engineered the casinos both of them in order to gain their access. In the MGM case, they actually went after and found employees on LinkedIn first and then call them claim are called into MGM IT team claiming to be one of those employees needing assistance to get into their accounts, ultimately leverage that into root access to their Okta and as their tenants. When MGM noticed the activity, they disabled those Aqua servers, which brought down all their services, but scattered spider already had their access and deployed ransomware to 100 Different victims, they're well, scattered spider, the head of the organization was arrested in Spain just a couple of weeks ago. And a couple of things stood out to me for this first off, it was a UK national and you don't typically I, you know, I'm gonna backtrack that. lately. It does feel like we've seen a lot of folks from what I've considered like Western countries that normally. Okay, let me pause for a second. So normally when you see like threat actors like black cat, or Alfie themselves, they're typically based out of Russia or even Ukraine, or some your Eastern European country where they're a little more lax on enforcing international cybercrime laws. You typically don't see them It feels like out of like the US or the UK where, like the FBI can literally walk up to your house and arrest you. So it's surprising finding the leader of a pretty big social engineering organization actually be from the United Kingdom. Now the reason I wanted to walk that back originally though, because remember, oh man, who were the ones that went after Rockstar, and Uber and Microsoft, just a year and a half ago or so that ended up being like a 16 year old kid out of like Oxford, United Kingdom, Marcus Hutchins, not Marcus Hutchins, but that is an example of a our author, Rockstar hack. Kid was lapses. That's the one I'm looking for. For that was a group based out of the UK and they did get arrested. So I guess this isn't the only example of that. But anyways, this is a success story for international law enforcement bringing down the head honcho for one of these organizations. And it looks like there may have been a pretty big lapse and OpSec for this individual.

Corey Nachreiner  27:50  
Yeah, I will say by the way, you know, 27 million is still a lot of money for a Western like a You're right. westerns have more laws around cybercrime and more democratized Western countries have less blind eye towards cybercrime. But just to not get off the subject of Western I think there are plenty of American and UK hackers black hat to AI but more lately state sponsored stuff seems to be in other countries but I think cybercrime especially the more scammy crap, I like, I feel like I sometimes have seen a lot of like 40 year olds in Florida that isn't aren't doing super technical hacking, but are doing the more scammy cybercrime. But anyways, it's 27 million, there's criminals everywhere. We obviously have a bias against nation state hacking, and for that I don't think we like I think it's authoritarian states that tend to turn a blind eye to, to other cybercrime to push their state sponsored stuff. But as much as we talked about China, North Korea, Russia and Brazil being hotspots us is has been traditionally and even now probably still a hotspot. So it seems,

Marc Laliberte  29:07  
risk more significant.

Corey Nachreiner  29:09  
Do you think you're right, the risk is higher here. So what you're about to get to your OpSec better be darn good. You'd be better be proxying to not come from the US and doing multiple proxies to try to hide from our authorities, but maybe

Marc Laliberte  29:24  
not using your name for your handle on your underground telegram channel. So that was what I wanted to point out. So his name as outed by Brian Krebs was Tyler Buchanan. And it turns out his username he was using on underground sim swapping telegram channels was Tyler B. Which like that definitely

Corey Nachreiner  29:45  
immediately underground is not like VX undergrad, I follow them on Twitter. They release all kinds of like they're known share malware with the community for the good guys. So I'm sure you We can talk about bad things like Simba, even the good guys things talk about how sim swapping works to protect against it. But I wouldn't consider VX underground, a malicious underground.

Marc Laliberte  30:10  
The telegram channel that he was on though, was that one we even had a leaderboard where they would list like of their members who's like the highest ranking number one through 100 of like number of victims for for sim swapping attacks. And both Tyler B and one of his accomplices were listed on there too. So I guess one of their other accomplices was arrested in January out of Florida, so US national there as well. After he stole $800,000 from victims over the last year or so, he went by the nickname Sosa on underground forums. And this uh, this Krebs article that you're highlighting, actually, at the end had a really interesting bit about some of the just super sketchy stuff that goes on in these underground forums and these underground marketplaces. So apparently, there's an entire what do they call it violence as a service offering that some other competitors I guess you would call them in this sim swapping space we're using to go after some of these folks from scattered spider. So there's a story where, like Tyler Sosa, the his accomplice, had a brick thrown through his window or the window of his parents house, and the video of that was recorded and posted online as like a threat to them. There was a member of Sosa's crew was actually kidnapped, beaten and held at gunpoint, and then ransom for $200,000 worth of bitcoin. After buy one of these violences is service offerings. Tyler Buchanan, the guy that was just arrested, his home was broken into and 2023 His mother was assaulted. And he was threatened with a blowtorch if he didn't give up his cryptocurrency wallets, which is why he ended up fleeing to Spain in this case, this is absolutely insane. This is some like movie stuff out of there that I it's, I mean, I assume that

Corey Nachreiner  32:08  
you steal 27 Bill million, and you and you're known to have that much in your public wallet. And the people who know or other people that are members. Like I why would why would you be surprised that criminals especially when we talk about how organized crime has attached themselves to cyber crime as a they may not have the expertise but they recruited and then they can use their traditional violence mobster activities to take the money from the people there.

Marc Laliberte  32:44  
Personally glad I chose the white hat side of things. Yeah,

Corey Nachreiner  32:47  
nothing too much risk. I would like to get rid of some rich legitimately. Not in that sort of way.

Marc Laliberte  32:56  
So either way like this, he was the alleged ringleader from this social engineering organization has had a lot of damages over the years like they were responsible for the octave breaches from last year that ended up impacting victims like Twilio, LastPass, DoorDash, MailChimp, in fact, that LastPass breach is the one that ended up with a pretty massive one in November of 2022, where they basically gained access to everyone's password vaults and caused a lot of damages for LastPass. So they were pretty great at what they did, in terms of social engineering paired with SIM swap is Sim swapping involves social engineering. So I for one, I'm glad that they were able to get arrested and will soon be held for justice. Somewhere in the world, whether it be the UK or the US. I imagine the US is going to want to fight to extradite them for going after so many US private organizations. But, man, crazy, absolutely crazy. I being held with a blowtorch to give up your cryptocurrency wallets is terrifying.

Corey Nachreiner  33:59  
When he doesn't have to worry about it because he'll be in jail. I'm sure no one will try to beat him up there, he won’t have his crypto wallet.

Marc Laliberte  34:07  
This does typically the FBI does a good job of seizing cryptocurrency wallets from people that are arrested. And so it's possible that victims may get some restitution at some point from some of those events sin but either way, man, crazy week, absolutely crazy week and looking for it. Well, no, I'm not looking forward. I hope we have a nice calm week next week where absolutely nothing happens. And we can actually just relax for a little bit. Oh, you're gonna be off next week. Lucky you. I'm the one dealing with a house on fire. Sorry.

Corey Nachreiner  34:40  
I need one week. Hey, let's be honest here. You're dealing with the house on fire for me. So it's not like you don't run the sock with your team.

Marc Laliberte  34:51  
And to be clear house on fire doesn't always mean house on fire. It's just tough not to feel stressed in the space that we're in. Yep, So enjoy your week off Korea. You have definitely earned it and I

Corey Nachreiner  35:04  
will grab them soon, I'm sure.

Marc Laliberte  35:08  
Thank you. Yes, hopefully someday everyone Thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, keep them to yourself. I mean, you can reach out to us on Instagram. We're at WatchGuard underscore technologies. Thanks again for listening and you will hear from one of us next week.

Transcribed by https://otter.ai