Paul Ducklin talks to world-renowned cybersecurity knowledgeable Fraser Howard, Director of Analysis at SophosLabs, on this fascinating episode, recorded throughout our latest Safety SOS Week 2022.
Relating to preventing cybercrime, Fraser actually is a “specialist in the whole lot”, and he additionally has the knack of explaining this difficult and treacherous topic in plain English.
[ROBOT VOICE: Sophos Security SOS]
PAUL DUCKLIN. Whats up, everyone.
Welcome to the Sophos Safety SOS week.
As we speak’s matter is: Stopping cyber threats – cease them earlier than they cease you!
And our visitor right now is none aside from Mr. Fraser Howard, Director of Analysis at SophosLabs.
Now, these of you who’ve listened to SOS Week earlier than will know that I like to explain Fraser as a “specialist in the whole lot”, as a result of his data isn’t just broad, it is usually extremely deep.
He ticks each cell within the spreadsheet, you possibly can say.
So, Fraser, welcome again to the SOS Week.
I needed to begin by specializing in one thing that goes by the identify of LOLBIN, which I imagine is brief for “living-off-the-land binary”, which is jargon for software program that’s there already that the cooks love to make use of.
FRASER HOWARD. Precisely that.
DUCK. And the large drawback in the intervening time appears to be that the most probably LOLBIN, or the most probably pre-installed program that the crooks will dine out on, for need of a greater phrase, is nothing aside from PowerShell, which is constructed into Home windows.
It’s obtainable on each model of Home windows as quickly as you put in it.
And it’s the medium of administration today for Home windows itself.
So how do you reside with out it?
FRASER. Precisely – similar to you described, from the attackers’ perspective, LOLBINs are good.
They both convey their very own knife to the struggle, and their knife may look very totally different to the whole lot else that’s on the system…
…or they use a knife that simply occurs to be current on the system within the first place.
And that’s advantageous to the attacker, for apparent causes.
Any safety software program gained’t see some model new, shiny, unknown software immediately being run and utilized in a part of the assault.
However instruments like PowerShell are already there – that’s when the video games start when it comes to attempting to work out, “Is it one thing good, or is it one thing dangerous?”
I want there was a one-line reply to how we detect malicious PowerShell versus benign, however really it’s fairly a posh scenario.
What precisely is the PowerShell course of doing itself?
On one finish of the spectrum, you possibly can use know-how like, for instance, software management.
And as an admin, you possibly can select: “PowerShell, you shouldn’t be allowed to run in my setting.”
That’s form of a panacea, when you like, and it could cease PowerShell being abused, however it could additionally break a number of respectable exercise, together with the core administration of most Home windows machines right now.
DUCK. OK, so software management is Sophos’s identify for the flexibility to detect, and optionally to dam, software program that’s not malware, however {that a} well-informed administrator may not wish to assist of their setting?
FRASER. Precisely.
And it’s not nearly admins and their selection of “Which software ought to my customers be allowed to make use of?”
It’s about fundamentals.
If you concentrate on safety, what’s one of many issues that we’ve been telling individuals for the final 5 or 10 years?
“Patch!”
In the event you’re an administrator and also you’re permitting anyone to make use of no matter software they need for his or her browser, that’s perhaps 5 to 10 totally different browsers that you need to patch.
Really, for admins, applied sciences like software management allow them to slender that risk floor.
DUCK. However PowerShell… some individuals say, “Oh, simply block PowerShell. Block all .PS1 information. Job executed.”
FRASER. It’s not fairly so simple as that!
DUCK. May a sysadmin handle with out PowerShell in a contemporary Home windows community?
FRASER. [PAUSE] No.
[LAUGHTER]
I imply, there are coverage choices that they may select to solely permit sure signed scripts, for instance, to be run.
However there’s an entire number of suggestions and strategies that the attackers know that attempt to bypass these mechanisms as properly.
A number of the older scripting engines… one of the best instance is Home windows Scripting Host – most individuals don’t comprehend it’s there.
It’s not the one-stop store for admin that PowerShell is, however WSCRIPT and CSCRIPT…
…these binaries, once more, are on each single Home windows field.
They’re much more possible to outright block, and so they get abused, once more by malware.
DUCK. So the Home windows Scripting Host consists of issues like JavaScript (not working in your browser, exterior your browser), and good outdated Visible Fundamental Script?
FRASER. There’s an entire host of them.
DUCK. Now, Visible Fundamental script is discontinued by Microsoft, isn’t it?
Nevertheless it’s nonetheless supported and nonetheless very broadly used?
FRASER. It’s highly regarded with the Unhealthy Guys, sure.
And it’s not simply scripting engines.
I can’t keep in mind precisely what number of binaries are on a number of the most important LOLBIN lists which are on the market.
With the fitting mixture of switches, hastily, a binary that you simply may use to handle, for instance, certificates domestically…
…really can be utilized to obtain any content material from a distant server, and reserve it to disk domestically.
DUCK. Is that CERTUTIL.EXE?
FRASER. Sure, CERTUTIL, for instance.
DUCK. As a result of that can be used to do issues like calculate file hashes.
FRASER. It could possibly be used to obtain, for instance, base64-encoded executable content material, reserve it domestically, and decode it.
After which that content material could possibly be run – as a manner of doubtless getting by your internet gateways, for instance.
DUCK. And that will get even worse with PowerShell, doesn’t it?
As a result of you’ll be able to take a base64-encoded string and feed that into PowerShell because the enter script, and it’ll quietly decode it for you.
And you may even put in a command line possibility, are you able to not, to say, “Hey, if the person mentioned ‘don’t permit scripts to execute from the command line’, ignore it – I want to override that”?
FRASER. You talked about .PS1 information.
That’s a bodily script file that may exist on disk.
Really, PowerShell is fairly adept at doing issues filelessly, so simply the command line itself can include everything of the PowerShell command.
DUCK. Now, my understanding is most so-called “fileless malware” does contain information, most likely numerous information in its operation…
…however there shall be a key level at which one thing you may detect *solely exists in reminiscence*.
So, safety software program that’s solely in a position to monitor disk entry will miss out.
How do you take care of that form of scenario, the place the crooks have gotten all this semi-suspicious stuff, after which they’ve disguised the actually harmful bit with this fileless, memory-only trick?
How do you take care of that?
FRASER. One of many methods we take care of that, significantly with regard to PowerShell, is Microsoft supplies an interface which provides us visibility into the behaviour of PowerShell.
So AMSI is an interface which distributors, safety distributors, can use to get a peep into malware.
DUCK. AMSI is… Anti-Malware Scanning Interface?
FRASER. Precisely.
It offers us a window into the behaviour of PowerShell at any cut-off date.
So, because it could be doing issues filelessly… any conventional interception factors that are searching for information on disk, they gained’t be coming into play.
However the behaviour of PowerShell itself will generate exercise, when you like, inside the AMSI interface, which provides us the flexibility to recognise and block sure forms of malicious PowerShell exercise.
The opposite factor is that, though “fileless” is seen as a little bit of a panacea for the dangerous guys…
…really, one of many issues that the majority attackers are after sooner or later is what we name persistence.
OK, they’ve obtained some code working on the machine… however what occurs if that machine is restarted?
And so their fileless malware usually will search to have add some degree of persistence.
So, a lot of the fileless assaults that we’ve seen really engage, usually with the Home windows Registry – they use the registry as a manner of reaching persistence.
Usually, they put some kind of BLOB [binary large object] of knowledge within the registry, and modify some registry keys such that such that when that machine is restarted, that BLOB is decoded and malicious behaviour carries on once more.
As we speak’s merchandise are all about an entire vary of applied sciences, from easy, proper by to fairly terribly advanced.
DUCK. That additionally helps to elucidate why individuals take information which are kind-of the precursors of malware, however not overtly malicious themselves, add them to a web based service like, say, Virus Complete…
…and go, “Hey, no one detects this. All safety merchandise are ineffective.”
Nevertheless it doesn’t imply that file can spring into life and begin doing dangerous stuff with out getting stopped…
FRASER. That’s an excellent level.
I believe it’s one thing the safety business has tried… however the truth that we nonetheless speak about it – we’ve most likely didn’t get this level throughout:
What’s safety?
What can we really imply?
What does defending somebody in opposition to a risk usually imply?
Most individuals have a tendency to think about it like this… OK, they’ve a risk; they need a file that’s “the risk”; and so they wish to see if that file will get detected.
However that exact assault… let’s suppose it’s a bot.
There could be 10,000 of these information *each single day*, because the dangerous guys flip their deal with and churn out a number of totally different replicas which are basically all the identical primary factor.
And so the truth that 1, or 10, or 100 of these information will get detected…
…it doesn’t actually inform you very a lot about how properly a product may defend in opposition to that risk.
DUCK. “Bot” means software program robotic?.
Primarily, that’s one thing that sits in your pc often, calling dwelling or polling some random server?
FRASER. Precisely.
DUCK. That server might change from each day… and the bot will regularly obtain a listing of directions, comparable to “Right here’s a listing of e mail addresses to spam.”
Subsequent, it could possibly be, “Here’s a record of file extensions I would like you to scramble”, or it could possibly be “Activate the keylogger”?
FRASER. Precisely.
DUCK. Or “Take a screenshot proper now, they’re within the banking app”.
It’s basically an energetic backdoor…
FRASER. It *is* a backdoor, sure.
And we spoke about backdoors 20 years in the past… I keep in mind doing buyer displays 20 years in the past, speaking about backdoors.
DUCK. “Again Orifice”, when you keep in mind…
FRASER. Sure, sure!
We had been attempting to persuade clients that, really, a variety of the backdoors on the market had been extra necessary than the high-profile malware of the day.
What you don’t wish to get contaminated with are the backdoors, which permit some miscreant someplace the flexibility to regulate your machine and do dangerous stuff, comparable to take a look by your file system, or modify information in your system.
That’s a much more horrifying risk than, for instance, a self-replicating worm that simply spreads from pc to pc.
That may get the press, and it’d trigger issues in and in and of itself…
…however, really, any person accessing your system is arguably a a lot greater risk certainly.
DUCK. And considering again to Again Orifice in… what was it 1999? 2000?
That famously it listened on port 13337, didn’t it?
FRASER. You’ve obtained a superb reminiscence [LAUGHS]… sure, “elite”!
DUCK. And as quickly as individuals began getting onto DSL connections at dwelling, and having a house router, Again Orifice was ineffective as a result of inbound connections didn’t work.
And so individuals thought, “Oh, properly, backdoors depend on inbound community connections – I’m protected by my ISP by default, so I don’t have to fret about it.”
However right now’s zombies, right now’s bots – they name dwelling utilizing some form of encrypted or secretive channel, and so they *obtain* the directions…
FRASER. And since it’s on HTTPS, they mainly cover that community exercise amongst the million-and-one different internet packets that exit each minute on most dwelling connections.
DUCK. In order that’s another excuse why you need defence-in-depth or layered safety?
FRASER. Sure.
DUCK. Clearly, new information – you wish to look at them; you don’t wish to miss malware that you possibly can have detected.
However the file could possibly be harmless in the intervening time, and it may become rogue after it’s loaded; after it’s manipulated itself in reminiscence; after it’s known as out and downloaded stuff…
FRASER. And so, to get again to the unique level: how we measure safety merchandise right now is extra advanced than it ever has been.
DUCK. As a result of some individuals nonetheless have the concept, properly, when you actually wish to take a look at a product, you simply get a large bucket filled with malware, all in information…
FRASER. Commmonly known as “a zoo”.
DUCK. …and you set that on a server in isolation someplace.
You then scan it with a static scanner, and also you learn the way many it detects, and that tells you the way the product behaves.
The “Virus Complete” method.
However that: [A] will are inclined to underestimate good merchandise, and [B] may overestimate dangerous merchandise.
FRASER. Or merchandise that specialize in detecting information solely, for the aim of primarily trying good in these kind of zoo-based exams.
That doesn’t translate to a product in the actual world that may really present good ranges of safety!
In actuality, we block information… after all we do – the file remains to be an important foreign money, when you like, when it comes to safety.
However there’s a number of different issues, for instance just like the AMSI interface that lets us block malicious PowerShell exercise, and a program’s behaviour itself.
So, inside our product, the behavioural engine seems to be on the behaviour of processes, community, site visitors, registry exercise…
…and that mixed image lets us spot probably malicious behaviour for the aim of blocking not essentially a selected household, or perhaps a specific form of form of risk, however simply *malicious exercise*.
If there are specific forms of behaviour that we will decide are simply outright malicious, we are going to usually try to block that.
We will block a sure kind of malicious behaviour right now, after which a risk household that has not even but been written – in three months time, it’d use that very same behaviour, and we are going to proactively detect it.
In order that’s the Holy Grail of what we do: proactive safety.
The power for us to write down one thing right now that sooner or later will efficiently block malicious behaviour.
DUCK. I suppose a superb instance of that, to return to what we talked about earlier than, is CERTUTIL.EXE – that certificates validation utility.
You could be utilizing that in your individual scripts, in your individual sysadministration instruments, but there are some behaviours that you wouldn’t count on, though that program could be made to do these issues.
They might stand out.
FRASER. They might stand out, precisely.
DUCK. So you’ll be able to’t say, “This system is dangerous”, however sooner or later in its behaviour you’ll be able to go, “Aha, now it’s gone too far!”
FRASER. And that touches on one other attention-grabbing side of right now’s panorama.
Traditionally, EVIL.EXE runs; we’d detect the file; we’d detect some malicious behaviour; we clear it out of your system.
You spoke about LOLBINs… clearly, after we detect PowerShell doing one thing malicious, we don’t take away POWERSHELL.EXE from that system.
DUCK. “Ooh, I discovered Home windows doing one thing dangerous – wipe the entire system!”
[LAUGHTER]
FRASER. We mainly block that course of; we cease that course of doing what it was about to do; and we terminate it.
However PowerShell nonetheless exists on the bodily system.
Really, right now’s attackers are very totally different from yesterday’s attackers as properly.
As we speak’s attackers are all about having a objective; having a goal.
The outdated mannequin was extra spray-and-pray, when you like.
If any person blocks the assault… dangerous luck, they provide up – there’s no human presence there.
If the assault works, information is stolen, a machine turns into compromised, no matter it occurs to be, but when the assault was blocked, nothing else occurs on the system.
In right now’s assaults, there really is way more of a human component.
So, usually, in a variety of assaults we see right now – that is typified by a number of the ransomware assaults, the place the crooks are particularly attempting to focus on sure organisations with their ransomware creations…
…when one thing is blocked, they struggle once more, and so they carry on retrying.
As we’re blocking stuff, and blocking various kinds of malicious behaviour, there’s one thing behind the scenes; some *individual* behind the scenes; some risk group behind the scenes, retrying.
DUCK. So 10 or 15 years in the past, it was, “Oh, we discovered this brand-new, beforehand unknown Phrase malware. We’ve deleted the file and cleaned it up, and we wrote it within the log”.
And everybody goes into the assembly, and ticks it off, and pats one another on the again, “Nice! Job executed! Prepared for subsequent month.”
FRASER. Now, it’s very totally different.
DUCK. As we speak, *that wasn’t the assault*.
FRASER. No!
DUCK. That was only a precusor, an “I ponder what model of smoke detectors they use?” form of take a look at.
FRASER. Precisely.
DUCK. They usually’re not planning on utilizing that malware.
They’re simply attempting to guess precisely what safety have you ever obtained?
What’s turned on; which directories are included; which directories are excluded out of your scanning; what ambient settings have you ever obtained?
FRASER. And what we speak about right now is energetic adversaries.
Lively adversaries… they get a number of press.
That’s the idea of the entire MITRE ATT&CK framework – that’s is basically a bible, a dictionary, when you like, of combos of techniques.
The techniques are the verticals; the horizontals are the strategies.
I believe there are 14 techniques however I don’t know what number of strategies… lots of?
DUCK. It may be a bit dizzying, that MITRE grid!
FRASER. It’s basically a dictionary of the various kinds of issues, the various kinds of approach, that could possibly be used on a system for good or dangerous, basically.
Nevertheless it’s basically aligned to attackers and energetic adversaries.
In the event you like, it’s a taxonomy of what an energetic adversary may do when on the system.
DUCK. Proper, as a result of within the outdated days (you and I’ll keep in mind this, as a result of we each frolicked writing complete malware descriptions, the form of issues that had been vital 15 or 20 years in the past – you had been speaking about EVIL.EXE)…
…as a result of most threats again then had been viruses, in different phrases they unfold themselves and so they had been self-contained.
As soon as we had it…
FRASER. …you possibly can doc, A-to-Z, precisely what it did on the system.
DUCK. So a variety of malware again in these days, when you have a look at how they hid themselves; how they went into reminiscence; polymorphism; all that stuff – a variety of them had been much more sophisticated to analyse that stuff right now.
However when you knew the way it labored, you knew what each technology may appear to be, and you possibly can write a whole description.
FRASER. Sure.
DUCK. Now, you simply can’t try this.
“Properly, this malware downloads another malware.”
What malware?
“I don’t know.”
FRASER. For instance, take into account a easy loader: it runs; it periodically connects out.
The attacker has the flexibility to fireside in some kind of encoded BLOB – for instance, let’s suppose it’s a DLL, a dynamic hyperlink library, a module… basically, some executable code.
So, “What does that risk do?”
Properly, it relies upon precisely and completely on what the attacker sends down the wire.
DUCK. And that would change daily.
It may change by supply IP: “Are you in Germany? Are you in Sweden? Are you in Britain?”
FRASER. Oh, sure we see that very often.
DUCK. It may additionally say, “Hey, you already linked, so we’ll feed you NOTEPAD or some harmless file subsequent time.”
FRASER. Sure.
The attackers usually can have strategies they use to try to spot when it’s us [i.e. SophosLabs] attempting to run their creation.
In order that they don’t feed us what could be the final word payload.
They don’t need us to see the payload – they solely need victims to see that payload.
Generally issues simply exit quietly; generally they only run CALC, or NOTEPAD, or one thing clearly foolish; generally we’d get a impolite message popping up.
However usually they’ll try to hold again the final word payload, and reserve that for his or her victims.
DUCK. And that additionally means…
…I glibly used the phrase “polymorphism” earlier; that was quite common in viruses again within the day, the place each time the virus copied itself to a brand new file it could mainly permute its code, usually in a really sophisticated manner, even rewriting its personal algorithm.
However you possibly can get the engine that did the scrambling.
FRASER. Sure.
DUCK. Now, the crooks hold that to themselves.
FRASER. That’s on a server someplace else.
DUCK. They usually’re turning the deal with within the background.
FRASER. Sure.
DUCK. And in addition you talked about loaders – individuals might have heard of issues like BuerLoader, BazaarLoader, they’re kind of well-known “model names”…
..in some circumstances, there are gangs of crooks, and that’s all they do.
They don’t write the malware that comes subsequent.
They simply say, “What would you want us to load? Give us the URL and we’ll inject it for you.”
FRASER. The unique bot operators from 15 or 20 years in the past – how did they generate income?
They compromised networks of machines – that’s basically what a botnet is, a number of machines underneath their command – after which they may mainly lease out that “community”.
It could possibly be for distributed denial of service – get all of those contaminated machines to hit one internet server for instance, and take out that internet server.
It could possibly be fairly generally for spam, as you’ve already talked about.
And so the pure evolution of that, in some sense, is right now’s loader.
If any person has a system contaminated with a loader, and that loader is asking dwelling, you basically have a bot.
You might have the flexibility to run stuff on that machine…
…so, similar to you say, these cybercriminals don’t must be involved with what the final word payload is.
Is it ransomware?
Is it information theft?
They’ve a car… and ransomware is nearly the ultimate payout.
“We’ve executed the whole lot we needed to do.” (Or we failed in the whole lot else we had been hoping to do.)
“Let’s simply attempt ransomware…”
DUCK. “We’ve logged all of the passwords now, there are not any extra to get.” [LAUGHS]
FRASER. There’s nowhere else to go!
DUCK. “We’ve stolen all the info.”
FRASER. Precisely… the ultimate cash-out is ransomware!
At that time, the person is conscious, and the directors conscious, there’s information loss.
So, right now’s loader is nearly an extension of, an evolution of, yesterday’s bot.
DUCK. Fraser, I’m acutely aware of time…
So, given that you simply’ve painted an image that clearly requires full-time work, full-time understanding – you’re an knowledgeable researcher, you’ve been doing this for years.
Not everyone may give up their day job in IT or sysadministration to have *one other* day job to be such as you within the organisation.
In the event you needed to give three easy suggestions for what it is best to do (or what you shouldn’t do) right now to take care of what’s a extra sophisticated, extra fragmented manner of attacking from the crooks – one that provides us many extra planes on which we have to defend…
… what would these three issues be?
FRASER. That’s a tricky query.
I believe the primary one must be: having consciousness and visibility into your organisation.
It sounds easy, however we very often see assaults the place the place to begin of an assault was an unprotected field.
So, you’ve got an organisation….
…they’ve a beautiful IT coverage; they’ve merchandise deployed throughout that community, correctly configured; they may have a staff of individuals which are looking ahead to all of the little sensors, and all the info getting back from these merchandise.
However they’ve a site controller that was unprotected, and the dangerous guys managed to get onto that.
After which, inside the entire MITRE ATT&CK framework, there’s one approach known as lateral motion…
…as soon as the attackes are on a field, they are going to proceed to attempt to laterally transfer from there throughout the organisation.
And that preliminary form of foothold offers them some extent from which they’ll try this.
So, visibility is the primary level.
DUCK. You additionally should know what you don’t know!
FRASER. Sure – having visibility into all of the gadgets in your community.
Quantity two is: configuration.
This can be a little bit of a thorny one, as a result of nobody likes to speak about insurance policies and configuration – it’s frankly fairly boring.
DUCK. It’s form of necessary, although!
FRASER. Completely essential.
DUCK. “In the event you can’t measure it, you’ll be able to’t handle it,” because the outdated saying goes.
FRASER. I believe my one advice for that might be: if in any respect potential, use the beneficial defaults.
As quickly as you deviate away from beneficial defaults, you’re usually both turning stuff off (dangerous!), otherwise you’re excluding sure issues.
DUCK. Sure.
FRASER. For instance, excluding a selected folder.
Now, that could be completely acceptable – you may need some customized software in it, some customized database software the place you say, “I don’t wish to scan information inside this specific folder.”
It’s not fairly so good when you’re excluding, for instance, the Home windows folder!
DUCK. “Exclude C:*.* and all subdirectories.” [LAUGHS]
FRASER. It’s.
DUCK. You add one, you add one other, and then you definately don’t go and overview it…
…you find yourself the place you mainly have all of the doorways and all of the home windows propped open.
FRASER. It’s a bit like a firewall.
You block the whole lot; you poke a couple of holes: wonderful.
You retain on poking holes for subsequent three years, and earlier than you already know the place you’re…
…you’ve got Swiss cheese as your firewall.
[LAUGHTER]
It’s not going to work!
So, configuration is de facto necessary, and, if in any respect potential keep on with the defaults.
DUCK. Sure.
FRASER. Follow defaults, as a result of… these beneficial defaults – they’re beneficial for a cause!
Inside our personal merchandise, for instance, once you deviate from defaults, very often you’ll get a crimson bar warning that you simply’re mainly disabling safety.
DUCK. In the event you’re going to go off-piste, be sure to actually meant to!
FRASER. Be sure to have good visibility.
And I assume the third level, then, is: acknowledge the ability set required.
DUCK. Don’t be afraid to name for assist?
FRASER. Sure: Don’t be afraid to name for assist!
Safety is advanced.
We like to think about it’s easy: “What three issues can we do? What easy issues can we do?”
Really, the truth is that right now’s safety may be very sophisticated.
Merchandise may attempt to package deal that up in a reasonably easy manner, and supply good ranges of safety and good ranges of visibility into various kinds of behaviour occurring in a community.
However when you don’t have the ability set, or the useful resource for that matter, to work although the occasions which are coming in and hitting your dashboard…
…discover somebody that does!
For instance, utilizing a managed service could make a large distinction to your safety, and it will possibly simply take away that headache.
DUCK. That’s not an admission of defeat, is it?
You’re not saying, “Oh, I can’t do it myself.”
FRASER. We’re speaking 24 x 7 x 365.
So, for somebody to try this in-house is a large endeavor.
And we’re additionally speaking about advanced information – and we spoke about energetic adversaries, and that kind of assault.
We all know the Unhealthy Guys, even after we block stuff, will proceed to retry: they’ll change issues up.
A great staff which are that information will recognise that kind of behaviour, and they won’t solely know that one thing’s being blocked, these individuals will even suppose, “OK, there’s any person repeatedly attempting to get in by that door.”
That’s fairly a helpful indicator to them, and so they’ll take motion, and so they’ll resolve the assault.
[PAUSE]
Three fairly good items of recommendation there!
DUCK. Glorious, Fraser!
Thanks a lot, and thanks for sharing your expertise and your experience with us.
To everyone who’s listening, thanks a lot.
And it stays now just for me to say: “Till subsequent time, keep safe.”
[MORSE CODE]
