Latest Threats and Vulnerabilities to Mission-Critical SAP Applications

so sap is one of those things in it and especially security that you don't know about until all of a sudden you really have to know about it uh it's a critical part of erp and crm and plm and that whole alphabet soup of things the next talk comes to you from jp perez from onopsis who's going to be talking about the latest vulnerabilities in sap uh and how to think about the threats and how to make sure that your mission critical software uh continues to run in a ship shape fashion so jp take it away hello everyone thank you for joining me and thanks besides for having me here uh it's a an honor to be part of this

conference uh i'm really excited about the the content uh the topics that we're gonna cover um and and the demos that i'm gonna be doing uh of course i have uh some pre-recorded demos because you know that uh these things can fail so um that that works better but um i'm i'm happy to be here um we're gonna be covering some of the latest threats and vulnerabilities to mission critical sap applications um i'm gonna get into more of those details uh as we go through the slides um as from a very brief introduction i'm jp um actually my name is uh longer than that is but but it's harder to pronounce so let's go by jp that that

that works well um i'm cto one of the founders of onapsis and we do cyber security for erp applications for mission critical applications in general we started um a little bit more than 10 years ago doing vulnerabilities research pen tests and realizing hey there is a big problem in some of the largest and most critical applications uh for some of the the largest corporations in the world and that's why we we started reporting vulnerabilities and working with with a lot of organizations in order to secure uh these applications and parts of what we do is really identifying very very critical vulnerabilities that we work with vendors to to close and that's part of this the topics that

i'm going to be covering today right the uh not only the the critical vulnerabilities and why these are critical but also um how these vulnerabilities are being leveraged by threat actors today and that's uh that's really the the the core of the session today i would like to start by introducing to you what sap but more generally what an erp is because i'm gonna go interchangeable uh talking about sap erp crm applications sem all those acronyms that business people typically knows very well but for us let's say it security practitioners and really people that is used to working and speaking about vulnerabilities cba cbss exploits low-level stuff it's typically not not super common well most of the things that you do today you

go on and shop you you go and get a beer you get food you get let's say medicine you go to a doctor you take holidays pretty much everything you do involves activities that are going through erp applications erp applications are are those applications that are running some of the most critical business processes uh procurement hr um vendors customers purchase orders um a lot of those let's say business related concepts um in the end are business processes that are continuously running uh in in every organization um every company has one um there's no question about it maybe the really really small ones would have still some um spreadsheets or or some more simpler ways of managing those

processes but once you hit certain scale um and that we're not talking about just thousands several thousands yeah you once you go through um 50 100 users in a company you start automating all of those processes um financial processes customers um procurement processes sales well we can get into details of all of those but these are very very critical applications um just a quote from a cso of a fortune 500 organization if scp goes down it will cost my organization 22 millions per minute think about the cost of a simple downtime and if we translate that to technical terms like someone messing around with a with a denial of service on one of these applications

which are typically very complex built on top of proprietary protocols and many interfaces so the denial of service is something that could have a significant impact here and and we are talking about financially right um well uh the data itself is very critical there are many different angles that makes these applications unique and attackers know that and i'm going to show you how they are leveraging this i'm just giving you some more additional additional substance in terms of why these are critical well um erp applications are important because of processes or our business critical applications are critical of course as a name says but what is the attack surface here uh well 92 percent of global 2000

corporations that that's basically the 2000 biggest corporations in the world use sap or oracle to process their the most critical information 77 of the world's revenue touches one of these systems um and one in five enterprise applications are is sas based so there's a significant also push towards going to to the cloud not only cloud but sas applications and here we can see different areas of concern or responsibilities in terms of business critical applications we are talking about a gap and that's why we started as a company we're talking about a significant gap in terms of the the security of these applications because uh infosec doesn't know about them in terms of the technology that is

running it's a black box it operations doesn't know about security for these applications compliance is really looking for a fraction of these so all of these bills uh eventually leaving a significant security gap not only that but over time there are a lot of milestones and motions and initiatives in organizations that are further exposing these applications historically we could think about these erp solutions being in an isolated data center completely restricted to some users well that's changing significantly now it's uh most of these are some some in some way shape or form in the cloud and transformating uh through digital transformation processes evolving the technology being targeted of cyber attackers and we are talking about not only script

kiddies cyber criminals also state sponsored as well all of these are building their toolkits to be able to compromise these applications but all in all it's these applications are constantly changing as business are right organizations are adapting continuously to the ever-changing landscape i mean think about kobe right everyone had to rush move operate from work from home environments opening up changing the processes changing the dynamics customers vendors a lot of things change and this maps into those applications and that introduces additional risk as well but from a thread landscape perspective how does it look like well it's also another evolving um a trend right since we started we started in 2009 um and we have been

taking a look at the the different milestones uh what are the threat actors that have been focusing and and what is publicly available um and you see this is really getting a lot of momentum uh from from a milestones perspective um whenever you see a the the icon dhs us serve alert that's basically the sisa organization releasing an alert about either vulnerability or threat actors actively targeting these applications and this also continues to evolve in terms of the vulnerabilities that are affecting these applications the technology is so complex that there are always vulnerabilities some sometimes very critical that companies need to address and respond responds this year 2021 we have seen exploits available for different components of

the the sap applications specifically solman as well um we have seen sisa releasing an alert as well earlier this year because of ongoing threat activity um and this was partly released together by onaxis and sap in combination because it was research that we performed together in order to understand what are threat actors doing and that led to being highlighted by the dhs but i just wanted to cover also briefly who is behind all of these and this is the onapsis research labs this is a team of researchers globally distributed focusing on securing business applications they do research they analyze components they analyze implementations that of course they do pen tests as well but they they

implement a lot of research and that basically results in vulnerabilities and threats that are discovered and are integrated into our technology as well but really a lot of the vulnerabilities that are fixed by sap and oracle and other vendors in this business applications are coming from the onapsis research labs a leading organization in this area so i'm going to talk about uh the the core of this presentation and i think an executive summary would really provide visibility to what's coming so basically this is part of what we released together with sap and we wanted to be able to provide organizations i.t security practitioners and companies running erp applications information about how are threat actors targeting and focusing on erp

applications but specifically sap um wanted to be able to provide data points that highlight what are their ttps um what are the experts being used how are they connecting to these systems what are they going after and and all of these we were able to capture uh through uh the the research that we did together with sap and really identifying exactly what threat actors are doing today what this is not about and that's important also to to mention um this is not about zero days uh even though we typically the the analysis research labs present zero days at security conferences see nowadays in in the in the sense of vulnerabilities that were recently patched right we're not going to be disclosing

important abilities that are unpatched uh we we go by responsible disclosure with working with the with the vendors but um they typically present about vulnerabilities that were patched by the vendor and that are typically very critical in this case we're talking about critical priorities but some of these are somehow aged but still being leveraged by threat actors and still effective uh in in targeting sap applications not talking about everything in any cloud infrastructure is it like sap is cloud infrastructure not uh specific evidence about um threat actors targeting a specific organization i'm gonna get into details of how we capture that data so in terms of the the agenda uh this is a little bit of the

structure um i started with the introduction i'm going into the context then straight into the actual fact the facts and the hard numbers and then we're gonna see some some demos as well why did we generate this this content and this threat intelligence and this information that we are sharing with organizations well we have been uh taking part of some of the largest incident response projects that organizations have been going through um typically when there is an erp application involved our team is boots on the ground working with that company helping some of the leading ir firms as well working side by side um but that information as you can imagine is strictly confidential right we are

talking about some of the most confidential information that that we manage um but we know that these type of attacks are happening and we know that threat actors are targeting these applications so how can we really communicate this type of information how can we help organizations understand if those three doctors are sophisticated who is behind these these attacks what are their intentions what are the ttps but more importantly how can we stop them right how can we build capabilities to stop uh threat actors from compromising our sap applications in the first place and every time we have been participating of this insulin responses and working with sap organizations there's been in the majority of the cases one out of

these three business outcomes threat actors are going to are targeting sap applications to perform financial fraud or they are targeting sap applications to exfiltrate sap information uh think about formulas like think about the some of the most sensitive ip in in companies uh is typically stored also in sap applications uh or disruption of business processes that are supported by sap in this case if sap system is down well guess what it's also down every single business process that is being supported by that application so that was clear in terms of the what they were going after um but really what we want to shed some light on is on the on the technical side what's happening there

what's in between so let's get into the numbers um i like to to show numbers in uh because i think uh in every case numbers really show tell a story right uh they help understanding and visualize the what's happening out there so basically we build a threat intelligence network able to capture activity from threat actors targeting applications and what we were able to capture is evidence of attacks exploitation and activity of actors in sap environments erp environments of different technology different type of applications different modules but all in all over 400 confirmed exploitations in a period of i think it was approximately six months out of those 400 plus over 100 were actually connecting to the system so

we're talking about hands-on attackers connecting to the system accessing the information accessing the data modifying the systems interacting with the with the business data and really working towards that negative business outcome we track eight main thread vectors and by thread vectors we mean the initial compromise uh that is going through either a cve or a cwe affecting that sap application and last but not least really the source country um it's we saw that coming from 18 different countries now uh that's really no indication of any type of attribution it's just another data point um we saw campaigns that were coming from f more than five different countries from a number of different ip addresses uh completely different from the

exploitation to compromise to post exploitation so it's really a subjective measurement but it's another data point that is uh interesting to to provide as well because it it talks about the variability of the different sources and i think where it gets really interesting is uh when we talk about the the time windows these two data points are coming from uh the data set that we captured of threat actors targeting sap applications now um there of course we capture a lot of data right you can imagine that we started analyzing uh a very large volume of volumes of data but what we extracted here are the worst cases um in the in the worst case from patch being released to

exploitation it was as bad as 72 hours um that means that from the moment that sap released the patch to a critical vulnerability to the moment that that critical vulnerability started being exploited was less than 72 hours now if you are an anti-security practitioner you might tell me hey but that's that's really nothing new right that's common it's uh no common operations for any vulnerability and i would tell you yes it is um but it is for pretty much everything else but sap or erp applications erp applications have been really in this uh bubble where the time windows have been really significantly long and we are not talking about hours we're talking about years sorry organizations have been deploying

patches with years of delays in some cases so thinking about that putting that in perspective it really makes you understand okay this is the these applications these business creative applications are becoming more and more similar to what uh another asset in the ite security in the iit landscape would look like so it's becoming more and more similar to a windows a citrix server or any other application also another data point it was as bad as three hours from the system a new ip being exposed to an untrusted network all the way till that ip became compromised um of course i think the the mean was approximately six days and the maximum was three weeks i think

so we had a lot of data points there um but it wasn't as bad as three hours um so this is important to understand uh how do we protect this right um and we need to be protecting these as hard as we protect everything else in our company because threat actors are not now they are not treating this differently than than any other asset now i would like to go through three different examples um i mentioned we identified eight uh different thread vectors as a initial compromise well i'm gonna go through the three that i think are more rep most representative of what threat actors are doing the first one is cb 2020 6287 this one of it is a cbss 10

that was patched by sap during 2020 and soon after the patch was released we started seeing active exploitation of this vulnerability and that keeps going and it's really being used to compromise sap applications it is a different variety affected java systems so anything on top of network java anything on top of sap enterprise portal is affected and you have there some numbers in terms of the source of exploitation and the distribution in time um a lot of activity in terms of exploitation network activity and different data points but all in all this was supportability that was patched by ecp and very very soon after started being exploited by threat actors and being used to compromise systems because this

vulnerability allows for an automatic creation of a user on the application level an admin user the second one is i think even more interesting because of the timeline this is a vulnerability that was patched by sap in 2020 i didn't mention uh on the previous thread on the third number one that gravity was reported by onassis research labs to sap this one was reported by the unassisted research labs as well another cbss10 sap released the patch and we haven't seen an exploit publicly available until earlier this year i think it was january or february this year the interesting part is that uh when we started looking at the historical data well guess what there's been active

exploitation of the vulnerability during october and november 2020 so that means that someone or or different actors had the knowledge of how to exploit this vulnerability before there was even a publicly available exploit um and that tells you a lot about the the capabilities that these threat actors are building on top of right um but definitely an interesting um angle these correlated very well with some of the asian responses that that we have been uh working with some organizations in terms of the the activities the the express being used and how the organizations eventually became affected by this the third threat uh is really nothing super advanced nothing fancy or complex we are talking about

the good old uh default and critical users with default passwords and critical authorizations um threat actors know about these these users and they actively try to use them to log into sap applications so there is also automation around being able to connect to the systems using default passwords and and critical users even if they don't have the the default passwords um so it's not just about cves what what this also summarizes is really threat actors are using everything and anything they have in order to compromise sap applications and be able to ultimately access the business data so when we put all of that together um into what what is the life cycle of attacks how does it look like

well um it looks uh interesting from a from a faces perspective it's uh it starts with a continuous automated scanning so threat actors are building and building on top of their existing infrastructures to perform automated scanning also searching for sap specific vulnerabilities um this is to re to do reconnaissance and identify what are the assets and what are the vulnerabilities that can be leveraged to compromise those systems um then we are also looking at automated exploitation um there is also manual exploitation as well but we are looking at um capabilities that are being automated to be able to compromise systems and connect to them and finally handsome keyboard manual login after the exploitation connecting to a system

accessing data navigating through different sections um downloading data and moving laterally as well as i mentioned all of these eventually becomes part of one of these three uh negative business outcomes so what what i'm going to be focusing now and i want to share as part of this session is really the this phase the handsome keyboard login phase and for that i'm gonna switch over to to a demo i'm gonna try to do that as quick as

possible all right so this is the demo um that we put together what is this demo about well this demo is about a com compiling of all the different sessions that we were able to capture of threat actors targeting sap applications and what do i mean by sessions well we instrumented our thread intelligence network in order to be able to actually see what these threat actors are doing so for example i'm i'm gonna start with one session that came from russia for example this is going through the application you can see they are the error right that's a human actually copying and pasting logging into the system going through different sessions this is an sap system by the way or at

least one of the modules or the components of this uh going to the versions um i'm looking for a very very specific versions of of one of those components this one coming from the us apparently but when we look at the the locale well it's not english right it's it's someone most likely going from an usip but uh using a different language now going to different sections configurations how the system is set up ssl uh security relevant settings uh user management settings um authorizations different sections in terms of uh the how the system is configured set up and maintained this one coming from sweden interesting uh you know interestingly enough combining more than one vulnerability cb2026287

with cb 2018 2380 uh to be able to achieve os level access as well um and this other one coming from yemen um logging into the sap enterprise portal um and navigating through different sections like hr business data um and and different sections that uh we also extracted from the from the video this other one uh was coming from multiple ip addresses uh going through pretty much every section of of the business data sales documents financial data hr related data downloading employee information um so this was actually the screen of the attacker right that's what you are looking at right now um this other one coming from china also is you can see the locale there um log into

the system and trying to shut down the system as well um this is what we are looking at uh in terms of username and password being able to log into a system uh perform a system shutdown um and and perform different type of activities this one was all over as well from a technical perspective um so going to go back to the to the demo to the slides and summarize what we saw so what we saw is really all about this post exploitation phase right users connecting to the system and we compile actually um a lot of different like hours of sessions and actions into an impactful uh two or three minutes video so so we make it fit as part of

this presentation um but it's really uh highlighting the different type of actors that are connecting and exploiting systems accessing data and and navigating through the different applications these threat actors understand the technology understand the the business processes and know what are the weaknesses that can be abused and exploited in these systems so this is the the video that we saw um just to provide some takeaways and implications um and i'm gonna focus on four of these uh there are a lot of different insights that we can extract from actually watching threat actors compromising these applications uh there are a lot of insights that we can extract from understanding what they are after how they are

attacking the system what are the the ttps and i'm gonna get into details uh about that in a minute in a minute uh but really these threat actors are actively targeting unsecured sap applications threat actors know and understand how to do that right that was another misconception that we used to hear yes but uh this is the third actors don't don't know about sap they don't know how to connect they don't know what are the weaknesses they don't understand these applications well they do right uh they have they do to a point that they have automated a lot of these phases for reconnaissance for exploitation and they manually go on and connect to those systems and extract data

um this correlates very well with the similar ttps and techniques that are being used by threat actors in systems that are also internal right on systems that are in in an internal network the time windows that we saw in terms of um time to exploit um from exposure to exploitation and from patch to active exploitation is really shrinking we are talking about less than 72 hours for for patch to exploit and less than two hours less than three hours sorry uh for from exposure to compromise um so that gives little room to for defenders to to react to that um for me what's important here is that we need to treat these applications uh the same way we treat every other

application the same way we we treat windows systems windows servers linux servers our databases all our it landscape because actors are attacking these applications in the same way right with the same pace and and and similar techniques um it's not just about the cves it's also about c configurations misconfigurations vulnerabilities so in in reality it's everything and anything that can be used to address um target an sap application is going to be used and these toolkits are being built on top of the the known vulnerabilities but also the vulnerabilities that are not yet publicly available for which they are not publicly available experts yet are still also being used um so we can talk about a abnormality that is 10 years old

as well as a subunity that is a few days old and finally because of the nature of these systems because of the nature of these applications um we are not just talking about a cyber risk it's not just a potentially a vulnerability or a risk related to a breach an incident a day basis we're talking about significant compliance risks here because of the data that is being processed by these applications well most of these applications are subject to gdpr soaks heap on our pci you name it right depending on the location depending on the type of data depending on the industry uh you might be subject to deep a number of different regulations that would

force you to apply the right controls there so i think it's important to understand that we're not just talking about a vulnerability and a cyber risk in the report that we released together with sap we provided all the data points in terms of the timelines and the the observed ttps and the exploits and vulnerabilities so please go ahead and download the report it's going gonna be linked to this presentation as well um and really this is what was highlighted by the dhs um everything is really actionable in terms of time frames cvs and all the information that you need to to react i wanted to close out uh with some some of the things that i have on

the appendix which is these are the vulnerabilities to to watch for right these are the movies that we saw being exploited and automatically being used uh in a number of different scenarios um we're talking about cwe and cves um so this is also on the report take a look at that you have some security nodes related to it um we also saw different ttps and different indicators iocs that can be used to identify who is actually exploiting these gravities this is a summary it's on the report as well so you can go if you have proper logging and you have proper information you can go and analyze your systems as well and finally we also included the the ip

addresses that are from which we saw uh the parts of these activities at least the most active ones going and exploiting and connecting to the systems so with that um i'm gonna close this part of the session and open for for any questions thank you very much that was a fantastic talk uh jp thank you so much and uh we have some questions coming in uh on discord and to a couple other channels to me as well and uh the first question comes uh comes from nick and his question is i may have missed it but is there an easy way to get started with the sap volume research as an independent researcher or on a small scale uh sorry could you

repeat the question again i missed the first part uh sure and i'll also drop into our little chat here so you can see that as well uh but the basically the question was uh how can a individual a independent researcher or somebody who is just getting started uh at a small scale uh get started with sap or similar types of uh enterprise uh software yeah and how can they get involved with that space because it's obviously you can just download a copy and install it on a vm somewhere where can you well that's a great question how much time do we have uh like we can we can talk for an hour on that uh no but jokes aside um

there are many different ways you can access that technology sap has been improving in terms of the openness to the research community is setting up also back bounty programs that researchers can can leverage as well especially for the cloud-based applications for the on-prem technology the the let's say traditional sap technology netweaver java business objects all that more traditional one there are ways to actually download um let's say software that you can install and start developing if you are a developer and want to learn how to develop on top of sap that's the way you start and you have many resources to learn um there's sap cloud platfor sap cloud platform sub cloud appliance library there are

concepts called mini subs i it might have changed in the during time this might be called differently but sap provides people that doesn't necessarily work in a large enterprise and have access to an sap system uh mechanisms to actually access that technology and start getting involved in the concepts and understanding how to develop what are the the different components and really learn about the the topic right then you can go into different directions and from that awesome thank you that that was that was very thorough um another question coming in is uh what would you like to see uh sap change about their you know the current way they do uh vulnerability remediation and how they interact with the security

community um another great question thank you appreciate that um the onapsis was founded in 2009 and even before that the the founders and we were really uh working closely with sap on on vulnerabilities research reporting we have reported hundreds of vulnerabilities and and that's really improved um since like uh 2005 2006 2007 all the way to current the current process it's been an evolution from sap um it's taking the the input that the research community provides more and more seriously and really uh making the products uh more um more secure every one version after the other so we we have seen that revolution and and really in that sense i have nothing but good words i mean it's it's been

a learning phase for for everyone right it's it's not just sap all the vendors have been improving over the years the way they they respond so uh we have a very good communication with sap and and really very clear touch points on on the reports that we make we have the ability to comment on the risk and and really provide our perspective back and forth so i think something that is super interesting that sap changed over the past i would say probably two years two to three years is that they they opened up to the research community more uh really embracing the concept of back bounty programs so that's really um that's a very good

thing right because uh it's it's going in line with uh with many other vendors as well fantastic thank you a question that came up for me when i was watching uh your talk myself was uh you had some great data um in the near beginning of your talk talking about sort of a tax you were seeing and one of the questions that came to mind and i have no idea like if this is even like a possible thing but were you able to determine how many like unique groups you know where attacker were attacking did they like were you identifying signatures from particular uh uh you know attack groups kind of like you see uh

uh you know some of the larger uh vulnerability uh research groups announcing you know apt whatever numbers popular one how do you really identify like unique groups who are attacking in that data yeah i love the questions tonight uh super interesting so as you know like attribution and really being able to group those attackers into single groups is the hardest part um it's it's still a work in progress we are working with different organizations to understand how to point those together we have been doing some preliminary analysis but really our strengths as a company is not so much on the on on that side is more on the really vulnerability research and the the acp technology itself we are working

with with partners to try to nail that as you know it's it's an ongoing process right this is this is the result of a six months uh um project that is still after that continue right and it's evolving um at some point we expect to have something like really grouping of different apts and and groups that are accessing that with different levels of sophistications but but it's still a work in progress very cool thank you um and uh another question from from discord is uh someone is asking uh how reliable have you found uh the output of salomon uh in terms of identifying current patch levels and which sap notes have been applied and whatnot um

and have you seen questions have you seen occasions where this data has been you know meaningfully wrong and if so how did that arise yeah unfortunately yes we have found cases and we have reported to sap cases where where solution manager was not identifying properly especially with critical vulnerabilities so i know sap is continuously improving that um but eventually um what without focusing on the how what companies need to be able is to identify at every given point in time really the the level of risk that those applications have right by by misconfigurations missing patches whatever integrations there are many different areas of risks solution manager will provide some perspective on that uh but uh but

yeah in order to get really a full picture uh you need a proper solution that's my my perception on that um and we have found some cases where already someone wasn't providing the right visibility and and in some cases even like it's a false sense of security because you think that you have uh that you are not vulnerable to something that you may be um and so that's why it's important to really keep up with uh with what sap is updating and providing as well so do you have some recommendations about how to more reliably for uh you know for those of us on the on the defense side how can we more reliably determine what

you know basically what's the state of the system uh if if solomon is not uh it's not reliable yeah well it really depends on what you wanna find out is on one hand uh you may have um you may wanna see if that system is vulnerable to xyz like cb cw is a risk for for that is really um like that's at the core of what we do so um i would really encourage you to to talk to us and and we can we have different ways of helping um the other is really understanding if someone actively exploited the vulnerability in your system for that it's also at the core of what we do but we do provide

iocs in github and and really with every critical campaign with every critical point of view that we identify and report to sap we come out with also open source iocs for identifying if someone was compromised very cool that's really nice um we have time to have one or two more questions in how long they take um so the next one that came across was uh you mentioned that you know that people are you know attacking in as early as you know anywhere from three to 72 hours they're going after vulnerabilities that have been patched uh postpatch released obviously most organizations are not that agile to address vulnerabilities in any systems that quickly do you have any recommendations on

either ways they could speed that up or alternative uh mechanisms they could use to protect themselves till they can get the patches deployed especially given how critical to an organization sap can be definitely yeah so it's sap especially business applications uh the complexity and the criticality of these applications makes it in some cases really really complex to react on time um so for me it's not so much about the the technology that you have is really about is this a priority to to the organization right do you have the right process do you have the right visibility because then you can start implementing a on one hand a patching process that incorporates scenarios where you need to react fast um and you have

the process for that and and on the other hand is really the visibility right is how do you know exactly what are the risks on your systems at any given point in time so technology aside you can solve that in through different ways but really it's all about is this a priority for the company the the most important thing is really making it a priority and making sure that the the organization has the right processes to react is is uh there's a new uh serial date coming through there is a new patch critical patch cbs10 okay uh how do we deploy this uh with the with the right time because it's not for every single patch right it's only for

those ones that are really critical that are gonna be exploited uh very soon in that 72 hours uh windows fantastic great um so i'm actually going to uh we're going to finish things up now uh that was a great final question uh jp thank you so much for your time and for your presentation a great questions great answers and it seems like the audience really thoroughly enjoyed themselves and i really appreciate you uh staying up late on uh on the weekend to help do the q a portion thank you so much absolutely thanks everyone i hope you enjoyed it and enjoyed the rest of the conference thank you