
Matija Kos | Hackers Don’t Hack, They Log In: The Threat of Stolen Credentials

BSides Zagreb · 40:52 · 106 views · Published 2025-03
About this talk
Presentation: In today’s cyber threat landscape, attackers don’t break in—they log in. Identity-based attacks leveraging stolen credentials have surged past traditional hacking methods, posing an ever-growing challenge for organizations worldwide. According to the MITRE ATT&CK FY23 Risk and Vulnerability Assessment, Valid Accounts accounted for 41.28% of Initial Access incidents, surpassing even Spearphishing Links at 26.30%. These figures underline the reality that compromised credentials are a more frequent attack vector than traditional exploitation techniques. This presentation focuses on the key insights into the ease with which attackers can obtain infostealer data and its derivatives, and the challenges that defenders face when trying to combat those intrusions.

We’ll explore:
“The Infostealer Ecosystem”: An overview of infostealer families, derivative products, and common sources where leaked data can be found.
“Detection Challenges”: Why detecting breaches involving stolen credentials remains a complex problem for defenders.
“Targeted Campaigns”: How attackers use stolen credentials to fine-tune spearphishing campaigns for maximum effectiveness.
“Defense Strategies”: Recommendations for proactive defense, including in-house vs. enterprise monitoring solutions and their trade-offs.
“Legal And Ethical Boundaries”: Legal considerations when gathering threat intelligence and tracking credential leaks.
“How To Succeed Even After We Fail”: Since the attackers need to get it right only once, and the breach is inevitable.

By the end of this presentation, the audience will have a deeper understanding of the pervasive threat posed by stolen credentials, proactive measures to prevent breaches, and strategies to mitigate the impact of inevitable compromises.

Speaker: Matija is an OSINT researcher of the Croatian Armed Forces by day and a data leak collection enthusiast by night. His professional responsibilities encompass identifying emerging threats, issuing timely alerts, and offering strategic recommendations for incident response and mitigation. Matija’s expertise lies in leveraging automation techniques for data collection, processing, and dissemination, ensuring the delivery of actionable intelligence to decision makers. Beyond regular working hours, he enjoys delving into the darker corners of the web, seeking out leaked data and compromised credentials.

Recorded at BSidesZagreb (https://www.bsideszagreb.com/).
Transcript [en]

Host: Okay, so we are ready for presentation number two. Now we have Matija Kos. Matija works at the Croatian Armed Forces, so besides doing his threat intelligence and stuff like that, he can probably beat you up, so be nice to him. He will talk about "Hackers Don't Hack, They Log In: The Threat of Stolen Credentials", because why hack someone, why phish someone, why spearphish someone, if you can just buy credentials, steal credentials or stuff like that. So Matija, the floor is yours.

Okay, thank you. So hello everyone, as was stated my name is Matija Kos and I'm here today to talk to you about a topic that is not as movie-like as the XZ vulnerability or putting Pineapples on the back of drones and stuff like that. No, I will talk about a topic that in my opinion brings the biggest return on investment for the attackers and is hilariously easy to do, and that is the use of infostealer data to gain initial access, because as he said, why would you hack if you can simply log in. Just to be clear, I won't show you where to get this infostealer data, but it rhymes with something like "download Telegram and search for the word logs", maybe with a Z on the end. I'll just leave it at that.

So on that note, let's start with some motivation. This is a table that I've pulled from ANY.RUN and it shows the most widely spread malware in the last year. As you can see, in the top eight there are actually three stealers, with Lumma Stealer taking place number one as the most widely spread malware in the last year. On top of being the most widely spread, according to this report from CISA you can see that the use of valid accounts to gain initial access is the technique that has the highest success rate, followed only by spearphishing links. Furthermore, according to this report from Verizon for the last year, you can see that the use of compromised credentials to exploit web applications takes center stage here.

And if you take anything away from this presentation, I'd like it to be this post from VX-Underground, because it sums up everything that we will talk about here in kind of a funny way, so I'll read it in full: "People are paying thousands of dollars for educational courses on initial access vectors. We'll provide you a step-by-step guide on how to get initial access to companies with a budget of zero. All it requires is some time, effort and the ability to grep. So, step one is go to Telegram. Step two is get free stealer logs. Step three, look for VPN credentials, hope there is no MFA. If there is MFA, just spam requests, and you'll be surprised how many times that actually passes, because people just get annoyed and click accept or continue. If that fails, go back to step one. But if it succeeds, log into the VPN, go to Jira, [inaudible] or whatever they use, scrape everything when people are sleeping, log out and profit. Congratulations, you're now the most dangerous hacker on the planet. Does this sound absurd? Of course it does. Does it work? Yes, literally every single day. Infostealers are a giant problem. They don't need to target enterprise environments with top-notch security, they only need to target lazy home users with security settings probably disabled, downloading junk binaries." Yeah, fun, right?

To give even more legitimacy to all of these claims, these are some of the biggest breaches that happened last year, and they all stem from the use of compromised credentials gained via exploiting infostealer data. So I hope we are all motivated now, because in this presentation we'll take a look at three aspects. The first one is the aspect of the attacker that actually infects the victim with infostealers. The second one is another attacker that uses the data provided by the first attacker to then infiltrate the organization, deploy ransomware, exfiltrate the data or just extort the organization. And the third one is actually this aspect of the cyber defenders who have to defend against both threats.

So in the first part of the presentation we will put our hacker hats on and we'll explore this infostealer ecosystem. We'll see that it is as-a-service, as everything is today; there is a vibrant ecosystem, and we will explore that firstly. Then we will talk about some detection challenges, and we'll look at detection from two aspects: the first aspect is us trying to detect the actual infection with infostealer malware, and the second one is us trying to detect that someone is actually using compromised credentials to gain access to our systems. Then we will transition into some defense strategies that we can hopefully use in order to prevent these kinds of attacks. Then we will talk about what we can do and how we can succeed even after we fail, because inevitably we will fail, and then we'll try to finish on a lighter note with some conclusion.

So let's start from the beginning: how does one actually get infected with those infostealers? This is just one of the examples that I'll highlight here. Most of the time it starts with some social media site where some influencer will talk about, for example, cryptocurrencies. What the attackers will do is they will either try to typosquat that original influencer or they will simply respond to the post that the influencer makes. So as I said, if the influencer is talking about cryptocurrencies, then the attackers will paste in some links for cryptocurrency multipliers which will double your crypto, make you rich overnight. If the victim clicks on one of those links, they will probably be redirected to Telegram, where they will be presented with a fake captcha, in a way that they have to verify themselves in order to then download the executable file or whatever they want to download. They have to open their Windows Run dialog box, they have to open the terminal or whatever they use, paste something in blindly and press Enter. So these are those fake captchas, and I'll be the first one to admit that I really didn't think that these would be as widely spread as they are, because I really didn't think that people would actually do this. But as you will see later on, they actually do, and it's quite prevalent.

After the initial command is executed, one of these two options can happen. For example, the first one on the left: the second-stage PowerShell script is loaded and executed. It fires a POST request to the attacker C2 infrastructure saying something like "script executed successfully", downloads in this case, for example, [unclear] loader, which then delivers the final payload, which is then, for example, Lumma Stealer. The other thing that they can use or leverage is this mshta.exe. mshta is that Microsoft binary for executing HTA files, or HTML applications. (Note to self: make pictures bigger.) It's just a blob, so if you take out the script tags and deobfuscate it a bit, you would see it's just six lines of JavaScript code which loads Emmenhtal loader in this case, which then again delivers the final payload, which is Lumma. So in both cases, either it be from the [unclear] loader or Emmenhtal loader, the end result is the same: you are infected with an infostealer. The malware will spread across your system, it will try to exfiltrate the data out and send it to either the attacker C2 infrastructure or directly to their Telegram via the Telegram API. Those, we will explore later, are called live chats or live channels, because from the moment of the infection until the data is publicly available it takes only a couple of minutes. So that's really scary stuff.

Not to make it all about these social media platforms, and not to speak badly of X or Telegram, there have been a lot of examples where some legitimate sites were compromised, and the sites that are ranking highly on those Google ads, so when you type something in, those are probably the first sites that you would see. A lot of them have this verification step: when you land on the site you have to click that you're not a robot, and in order to verify that you're not a robot you are presented with these verification steps where you have to press that Windows+R key to open that Windows Run dialog box, blindly press Ctrl+V to paste something in and press Enter. But if you, yeah I know, but if you pause for a bit you would see something like this, and if you explore this verification step even further you would see that it actually adds an event listener to the click that you're not a robot, and then it pastes this text into your clipboard. It actually says powershell.exe followed by the flags EC and some base64-encoded string. If you decode this string you are presented with either of these two options: it's either that mshta for executing HTA files, or it's something simpler, you use Invoke-WebRequest to download the file and execute the content of that file with IEX. Again, the result is the same, you are infected with infostealers. They will try to masquerade themselves, hide themselves or inject themselves into some legitimate Windows applications, for example BitLocker To Go.

Furthermore, to not make it again all about fake captchas, they are just a current hype, the threat actors will also use more traditional approaches in which to share these infostealers. So they will probably hijack some famous YouTuber account that is talking about video games, and then they will talk about "click on this link to download some game cheats or game cheat engines" and stuff like that. And to highlight the fact that they also keep up with the current hype train, there have been a lot of examples where DeepSeek tools were impersonated by infostealers on PyPI, because they are specifically targeting developers, because they know that the developers have access to highly sensitive stuff.

So if you are then someone, and I'm not saying that you should do this, if you are someone who wants to find this stealer log data, you would go to, for example, Lumma Stealer's page. You are presented with this, because nothing happens on the clear web; you have to click on one of these links and you will be redirected to a Telegram channel, an automated Telegram channel where you are interacting with a bot, and you will be presented with this slider first, where you just slide through the pages and you can find some specific countries that you are interested in, click on that, and you can download stealer log data for the high price of $1. These are fresh stealer logs, because they only upload the stuff that they gathered the day before. So if you click on this "top up your balance", because you don't have $1 on your account, you can click on this "top up your balance" and you are presented with this wall of text. Nothing special, it's just a subscription plan, because who doesn't love subscriptions these days, right? You have some experienced plan, professional plan, corporate plan, and each plan gives specific filters or customizations that you are able to do with the data that you are provided.

If you want to go the further or more [unclear] way, you can join an affiliate program, because everything today is as-a-service and so are infostealers. You can join to be an affiliate, you will pay some small subscription fee or monthly fee to the actual group that made the infostealer and you would get access to their dashboard. On the dashboard you have the ability to customize the actual infostealer binary in order to closely resemble the things that you wanted to look for. For example, if I'm a guy that's interested in finding cryptocurrencies, I'm not necessarily interested in cookies; I will try to further adjust the actual infostealer code to closely resemble the things that I want to look for, for example cryptocurrency wallets in this example. And the fun thing here is that as an affiliate you are only obliged to pay the actual infostealer group; everything that you collect is yours to do with whatever you want, so you can sell it, resell it, give it out for free or do whatever you want with it. And most of the affiliates or affiliate gangs will try to promote themselves by giving away a lot of data for free, in order to try to convince people to come and join their subscription plan and not the actual Lumma Stealer, for example.

Some of the formats that they give out are these. On the left is the format called URL:log:pass; we will talk about that later on. This middle one is the actual raw stealer log data, so it's actually the things that they extract from the system, and we will see why they are the most scary one and the most dangerous one. And this is one of the formats that, if they exfiltrate the data to their C2 infrastructure, they can parse the data out looking for specific services, and they will dump the credentials of those specific services into a txt file and just give it away for free. So for example they can look for FTP credentials, cPanel credentials or whatever else.

So firstly let's explore this raw stealer log data, the most dangerous one, and how it looks. When you download that RAR file or zip file or whatever, unzip it, unrar it or do whatever you want with it, you are presented with this subfolder structure. Each subfolder here is actually one infected machine, and most of the time they're structured like this, so you have a two-letter country code followed by some identification of the victim. If you double-click on one of these folders you are presented with this subfolder structure of all the data that infostealer malware actually gathers from the victim or the infected machine. So it ranges from autofills, cookies, Discord tokens, file grabbers, because a lot of the time file grabbers are actually integrated into infostealers and they will grab the content of your Downloads folder or your Desktop folder. There have also been cases where they will specifically look for your locally encrypted password vaults, for example from KeePass, and they will extract that encrypted vault file out, and they will look for the KeePass extension in your browser, try to find the master password and exfiltrate the master password also. So in that case they will have both the encrypted vault on their system and the master password, and they are off to the races.

The thing that I want to highlight here is this password clipboard.txt, which is actually a familiar sight: it's actually that powershell.exe with the flags EC followed by some base64-encoded string. These are those fake captchas, and all these subfolders in the data that I've collected have these as the last command which the victim ran before they were infected. The thing to note here, and the thing that I like to highlight here, is these cookies folders. It contains multiple txt files corresponding to the browsers that the victim has on their machine, so for example if the victim has Opera, or they have Chrome or Brave, it will create corresponding txt files and dump the cookies from that browser into the txt file. Most of the time the cookies will be in this Netscape format; we'll talk about that later on. Another thing here is this passwords.txt, which is actually what most of the people think of when they are presented with the term infostealers. It contains nothing but the data that has URLs, usernames and passwords. So not only do they not have to brute-force the attacks, and not only do they know the usernames and passwords, they also know the actual URLs the credentials were used for. And I'll restrain myself from commenting on these strong passwords here. Not that it would matter if they even had a stronger password: if the password was saved into their Chrome or Brave password manager in the browser, it would be extracted out here in plain text, same as all these other passwords. But it would be nicer to see that we are not still, in this day and age, suffering from the plague of basic or simple passwords. By the way, none of these passwords work. It doesn't matter how I know they don't work; they don't work, trust me.

Another thing that I'd like to highlight here is this user information.txt, and we will see the content of that file later on and why it is super scary when used in combination with the cookies. So if the attacker parses these passwords.txt files from all the other logs and extracts out only the URLs, usernames and passwords and delimits them with colons, they're presented with this URL:log:pass format, or ULP format. It looks nothing special, it's just URL colon username/email colon password, spread across many millions of lines in a single txt file, and most of the time they will give this out for free. What another attacker can do then is they can grep through, or ripgrep through, all these txt files (ripgrep is nothing but a faster implementation of grep) searching for specific terms. For example, they can search for remote desktop credentials, they can search for cPanel or cPanel ports, they can search for Jira, for example. And the thing to note here is that even if, let's say for example, our administrator has access to cPanel, they get infected with an infostealer but in some miraculous way the credentials for the actual cPanel haven't leaked, what the attacker can do is they can find the username or the actual email that our administrator uses, ripgrep all the other txt files for that username, see what other passwords the administrator uses, and hope that they reused one of those passwords in order to log into cPanel, and in that way they can actually get access to our systems. Another thing here is that Android devices or mobile devices are not exempt from all of these threats. Infostealers work as well on Android devices, where they will also extract the service, the actual username and the plain-text password. If they further refine this txt file and extract only usernames and passwords and dump that into a file, those files can be used for some brute-force attacks, but I just hope that in this day and age our defense systems are well suited to defend against brute-force attacks, so those are not as special for this presentation.

Okay, now we've seen that it is a vibrant ecosystem. Now we will talk about some detection challenges that we face when trying to firstly detect the actual use of malware on our systems, and then we will transition into the defense challenges that we face when we are trying to detect that someone is using compromised credentials to gain access. Some traditional approaches in which infostealers work have a lot of bottlenecks and a lot of problems. Why? Because infostealers are executed on a victim's machine, so they can be detected by AVs or EDRs or whatever defense strategies our organization uses. There are also a lot of operational bottlenecks, because they're trying to spread this malware as widely as they can, and when they're trying to exfiltrate the data there will be a lot of inconsistencies, either it be in the rate of the infection or the actual format in which the data was exfiltrated out. Also, as I said earlier, malware is executed on the victim's machine, and in a lot of cases the actual CTI researchers or analysts will quickly create IOCs and alert AVs or EDRs. But as everything in cyber security is a cat-and-mouse game, so are the guys that are creating some more innovations in this space.

Some of the innovations include these server-side infostealers. I don't necessarily agree with the name, but it is what it is. How it works: the victim gets infected with malware, and it doesn't exfiltrate the data out immediately; instead it creates an onion service on that machine and posts only that onion address to the attacker C2 infrastructure. What the attacker can then do is they can create custom scripts targeting specific things and then get the data out via GET requests. So your system in that case is acting like a passive file host. In a lot of cases this data is too small for AVs; they will not trigger, or they will not detect this kind of traffic. Or why even go that far: most of the time they will just give away this onion service that they've created on a victim's machine, in order for the buyer of this onion to then create their specific scripts and get the data out that they want to get out.

Okay, now we transition into detecting the actual use of compromised credentials on our system, and what are some challenges that we face here. So what the attackers can do, and most of the time they only use this URL:log:pass format, is they can go to the URL and just try, retry, retry, retry until they get into our systems. The thing that stops this immediately is 2FA. But the thing to note here again is, if we are using email as 2FA, most of the time when you put in the username and password it would say "we've sent a code to your email", and then boom, your email. What the attackers can do is look for that email across credentials, find out possible passwords, log into that email if they succeed, and then they have both sides of the equation. The thing that you can do here is use some stronger means of MFA, for example TOTP; TOTP would stop most of these attacks.

But also, what the attackers can do is they can leverage this raw stealer log data in a way that's known as session hijacking, further enhanced with this user information.txt. For this use case, let's say that the account that the attacker wants to get into has a strong password, so the password wasn't reused anywhere else; it is long, it has multiple characters, it has lowercase, uppercase, it has symbols, whatever, and the victim is also using TOTP. So they've done everything that they can according to all the cyber security good practices and stuff like that. What the attacker can do is they can leverage raw stealer log data: they can open up this user information.txt file, in which they would find all the data about the system, so the stuff ranging from location to current language to screen size, time zone, operating system, available keyboards, hardware or whatever is on the system, and they can use something known as anti-detect browsers. It is a browser that allows testers to pre-configure the browser in a specific way in order to test the actual service. What the attacker will do is they will go on this site, and this GoLogin, it's a paid service, but you have a 7-day free trial, so go nuts. It allows you to set up, as I said, pre-configured stuff for your browser, so the attacker can set specific proxies or a VPN into the country of the actual victim, they can set up the time zone to match it because they know it from user information.txt, they can set up the CPU because they know it from hardware, they can set up the RAM because they know it from hardware, they can set up user agents because they know it from this user agents folder, they can set up screen resolution, language, platform, all this in order to closely resemble the actual victim that they are trying to mimic. And the final thing that they will do is they would click on this cookies tab here, and in that cookies tab they will put in the cookies from this folder, or the session cookies from this folder.

As I said, the cookies in this folder are most of the time in this Netscape format, and one of the things here is this number field in the Netscape format, which shows you when the cookie will expire. In most cases today, to increase the user experience of our systems, a lot of services will have long-lived sessions; for example, Netflix or Facebook will have sessions that last for six months or even a year, so you just go to facebook.com and you're simply logged in because you logged in six months ago. What the attacker can do is they can search for the cookies that still haven't expired, they can paste those cookies, or even drag and drop them, or just paste them into that cookies tab, click import, and after they click import they only need to press this view button. The browser will spawn with all those pre-configurations set, so everything from location, time zone, screen size, whatever, and the cookies will also be set in the browser. The only thing that's left for them to do is then navigate to the site they want to go into, and they will immediately have access, without the need for credentials, without the need for TOTP or whatever else.

So as the defenders, the challenge that we face here is the thing that it can bypass MFA. The attacker doesn't even have to know the password, and most of the time the actual attackers will want to buy just the cookies, so they're not necessarily even interested in those URL:log:pass formats with actual credentials; they are simply looking for cookies, because they know in most cases these cookies will go through. Also, another thing to mention here: we can save our passwords and usernames in a good password manager, but our session cookies are saved in our browser, so there is nothing to stop them from actually exfiltrating the data out. So in today's infostealer ecosystem you would see more cookies than actual credentials being leaked. And the final thing here, also, the attackers will match the device, the location, the time zone of the user as closely as they can.

So some of the best practices that you can use: you can use good session management practices. I know this is problematic in some situations, because as we increase the security we decrease the usability of our systems, so I know that it is not feasible for a lot of organizations to do this, but it would be good if you could lower the session timeout so that almost every time the user goes to your system they have to re-authenticate. You should invalidate some cookies after specific key actions, or you can require an MFA authentication prompt. Why? Because when the attacker gets access to our system they will try to reset the password of the user. What you should do, and the good practice here, is to actually ask for MFA verification when trying to reset the passwords. As I said, these session management best practices go against good user experience. The best thing and the most non-invasive thing that you can do is you can employ some threat intelligence. What it allows you to do is to proactively invalidate cookies that haven't yet expired, to monitor for compromised credentials on your domain, and to do password rotation.

Quick note here: if you want to be NIS2 compliant, they say that verifiers should not require memorized secrets to be changed arbitrarily, so periodically; however, verifiers shall force a change if there is evidence of compromise of the authenticator. I don't know about you, but this screams threat intelligence to me. So if you want to be compliant with NIS2 you have to have some kind of threat intelligence. And not to stop with the words, these are some of the examples that you can use, the local implementations of threat intelligence that you can use if you don't have the funds to get some paid proprietary tools.

So what you can do is you can create local scrapers to scrape specific Telegram channels. Telegram is quite lenient with the use of bots; it will take a long time before they ban you because of bot use. You can then create some Python parser, where you will have to create your own grammar, your own tokens, your own rules, extract the data out as JSON, put it into an API which stores it into your Postgres database, and make it available to either all users or specifically your CTI analyst, who can get, for example, a CSV at the end of the day about all the hits that the platform found the day before or the current day. The big problems here are that there are multiple platforms, so you have to create specific scrapers for each of the platforms, for example Telegram, some hacking forums, onion sites, and you will have to invest a lot of time to maintain those scrapers. An even bigger problem is parsing out the data in a consistent way, because as we've seen, a lot of data is spread across different formats. For example, you can have that raw stealer log data where you have txt files, you can have that URL:log:pass where you have just one large txt file with some colon-delimited values, or you can have specific combinations of each. So in URL:log:pass format you can have one line where there is just a username and password, for example. So to create a parser that will extract the data out in a consistent way is really, really, really hard, so I wouldn't necessarily recommend this approach.

What I would recommend, though, is to use something like Elastic or the whole ELK stack. You can create your own tokenizer; for example, this is a tokenizer that I use to tokenize the data from those URL:log:pass formats. Ingest all the data in and then simply curl the endpoint for anything that you're interested in, and you will get out the results in seconds. If you are then presented with the problem of parsing across raw stealer log data, where you have those files, you can also use Elastic for this. You can use something like the ingest attachment plugin, which allows you to ingest or index the content of the file, and when you search for a specific string it will look inside the content of the file and return to you the name of the file and the actual content of the file that it found the string in. So for example, if you have a specific cookie called, I don't know, ABC session cookie, whatever, you can look for that specific cookie name in all the data that you have, and if you find the cookie you check that number, that time format, you see if the cookie is valid, and if it is valid, reset that cookie or that user. And this is just some Python script to ingest the data, and you have to ingest it as base64. If you again don't have the developer hours, or you don't have someone who is willing to do all of this, you can always buy some proprietary tools. Yeah, the problem is how to justify the money spent. Some of them are Flare, Hudson Rock, SRA or many others; I'm not specifically highlighting any here.

So what can we do, and how can we succeed even after we fail? Because inevitably someone won't have MFA set up, someone's child will download Roblox cracks on their machine that they also use to log into the organization VPN, and the data will leak out. And the big problem there is also: how would you as a security team enforce EDR on private PCs, laptops or phones? And even if you know that someone from your organization is infected with an infostealer, how would you enforce them to reset their machine if that is a private machine? So you can see where a lot of the problems lie. If we detect some use of compromised credentials, we should prioritize the threat. You need to see if it's actually a privileged account, if it's a service account that was compromised, or just a standard user account, and act accordingly. Then you have to contain and neutralize the threat. If you see that someone is in, you have to do a credentials and cookie reset, you have to enable MFA if it wasn't enabled, and do consistent account monitoring, because a lot of times, for example, if malware is on my system and someone alerts me "hey, change your password", I change my password, but the malware is still on my system; it will exfiltrate out the new password. So you constantly have to monitor for this. And the best thing that you can do, and the easiest thing that you can do, is blocklist access to the Telegram API if your organization doesn't have the need for it, or even better, don't even put it on a whitelist. The last thing that you have to do is investigate the breach, identify the source in order to see who else potentially had access to it, because a lot of infostealer groups will have dedicated ransomware groups that have first dibs on the data. So if the infostealer group exfiltrates a lot of data, they will first provide it to ransomware groups, they choose the things that they want to specifically use, and then the original infostealer group can either

sell it or just give it out for free uh that's why you have to do Source indentification you have to uh see what attack path they used in your organization to hopefully prevent another misuse of that uh attack vector and you have to do third party verification uh uh what I've meant here is you have to check your supply chain I won't even go into that bag of worms supply chain compromise compromisation are are a hard thing to deal with so and to conclude everything that we've talk talked about here the best thing that you can do is to prepare uh it is inevit it is inevitable that this kind of threat will happen it's just a

matter of moments until we get become interested interesting to someone uh the thing that you can do is you can use some kind of threat intelligence either it be local and proprietary another thing that I forgot to mention here you have to be careful uh about the legality of you as an organization collecting all those RW stealer log data you have to check with your legal team you have to uh check how you you should check your retention policies and all the legal stuff around it because inevitably you will collect a lot of data about users that are not NE necessarily part of your of your organization so just be careful about that another thing here uh if you want

to not have all of these problems you can just buy some tools because they will most of the time they will work faster and they will have you won't have this legal problem uh behind it the thing that you can do for free you know I mean just spend some development hours uh employ some good session management good practices as we've talked about those earlier when something bad happens you have to prioritize contain investigate disclose I know I'm preaching to the choir here everyone knows these steps uh if you want to mess with those attackers though uh feel free and I encourage all of you to add colons commas for spaces or pipes into your

password why because when the attackers are trying to create those URL or log pass formats most of the time they will drop additional columns in the line so if the line has only two columns and it has to have those two colons in order to be parsable if there is another colon in your password field they will just drop that colon and they will have wrong password and trust me I've spent many many nights trying to figure out why my P parser is still breaking yeah so uh that's it for me uh we have some time left are there any

questions okay at some point you said that um the attacker compromise a machine and transform um the target to the onion end point if I understood correctly okay uh but usually these clients are behind not or they have private P so they have to expose the machine first right yes uh depends on your system or the level of organization that you have so for example if I have a lot of users or I allow my administrator to VPN into my organizations from their personal PC which they have at home so in that case that machine can be infected Ed because maybe they are sharing that machine with their child as I said which downloads which then

downloads something onto that machine and then that machine will be compromised or for example if you allow the intake of uh Android devices into your organizations that is also potentially problematic because you can have a malare that is sitting dormant on your system on your Android system and when you go into your organization you connect to the Wi-Fi and then the data will be xrated up so there are a lot of ways that they can circumvent this this protections okay thank you uh any more questions so I have one last question what would you as a season data scraper recommend as a subscription plan oh no no no I want to recommend anything you should not uh do anything

here everything everything here was educational purposes only uh if you can invest in some threat intelligence and use that threat intelligence platforms for good good so don't use um those threat intelligence platforms can also be used from the attackers in order to look for specific credentials other that they that they are potentially wanting to exploit so be careful there have a good um policies in your or organizations when you allow your analysts access to those threat intelligence platforms and don't do bad stuff don't be evil as Google said right yeah that that's political answer yeah sure

okay I don't know if I'm I don't know if I'm allowed to promote anything here but I would say that in my experience flare uh is definitely one of the best if not the best Hudson rock is good because it's made by Israelis so they have a lot of let's say penetration into into this system but in my experience flare is flare is I would recommend if I was to recommend something to you I would say flare maybe so you do not ask them how they collect data you just get the data you just get the data out yeah and they have a lot of setups so you can set up your uh for example in flare you can set

up uh specific keywords to Monitor and when your if let's say if you always uh name cookies specific way uh you would add both the name of the cookie and your domain into their keyword search uh and every five minutes when the new data is ingested you would get a notification if there was something compromised so in that case from the moment uh that the credentials or cookies are exposed you would get notification and you can act in minutes in order to then reset the credentials or reset uh the cookies okay if there is no more questions thank you MAA and if you maybe uh maybe want to ask him something you can guess him on the on the pause and if

you want MAA to sell you some credentials that's about him so thank you Mata thank you
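Two points from the presentation lend themselves to a small piece of defender-side code: the in-house parser for URL:login:pass lines, which the speaker notes breaks whenever a password contains a colon, and the cookie check (look at the expiry field, decide whether the stolen session is still valid, then reset it). The Python below is an added example written for this page; it is not the speaker's script or any vendor's code. It assumes a hypothetical monitored domain `example.org`, uses constructed sample lines, and relies on the Netscape cookies.txt layout (seven tab-separated fields: domain, include-subdomains flag, path, secure flag, expiry timestamp, name, value) that stealer-log cookie files commonly use.

```python
"""Defender-side triage of leaked credential material (added example).

Mirrors two pieces of the talk's in-house monitoring advice: matching your own
organisation against URL:login:pass (ULP) lines without the column-dropping bug
the speaker describes (a colon inside the password), and reading the expiry
field of stolen cookies so you know which sessions still need revoking.
All sample data is constructed; example.org is a hypothetical domain.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

ORG_DOMAIN = "example.org"  # hypothetical domain being monitored


@dataclass(frozen=True)
class CredentialHit:
    url: str
    login: str
    password: str


@dataclass(frozen=True)
class CookieHit:
    domain: str
    name: str
    expires: int
    live: bool  # still replayable at triage time -> revoke first


def parse_ulp_line(line):
    """Split one URL:login:pass line into its three fields, or return None.

    A naive line.split(":") breaks on the scheme, on a port and on colons in
    the password.  Here the URL boundary is located explicitly and everything
    after the login's delimiter is kept verbatim as the password.
    Lines carrying only login:pass (no URL) are skipped as ambiguous.
    """
    line = line.strip()
    start = line.find("://")
    start = start + 3 if start != -1 else 0
    slash = line.find("/", start)
    if slash != -1:
        boundary = line.find(":", slash)  # a path is present: URL ends before the next colon
    else:
        boundary = line.find(":", start)  # no path: the first colon may be a port
        if boundary != -1:
            nxt = line.find(":", boundary + 1)
            segment = line[boundary + 1:] if nxt == -1 else line[boundary + 1:nxt]
            if segment.isdigit():
                boundary = nxt  # skip past ":8443" to the real URL/login boundary
    if boundary == -1:
        return None
    url, rest = line[:boundary], line[boundary + 1:]
    login, sep, password = rest.partition(":")  # password keeps any further colons
    if not sep or not url or not login:
        return None
    return CredentialHit(url, login, password)


def _belongs_to_org(hit, org_domain):
    host = (urlsplit(hit.url).hostname or "").lower()
    in_url = host == org_domain or host.endswith("." + org_domain)
    in_login = hit.login.lower().endswith("@" + org_domain)
    return in_url or in_login


def credential_hits(text, org_domain=ORG_DOMAIN):
    """Parsed ULP lines that concern org_domain, in input order."""
    parsed = (parse_ulp_line(l) for l in text.splitlines())
    return [h for h in parsed if h is not None and _belongs_to_org(h, org_domain)]


def cookie_hits(text, now, org_domain=ORG_DOMAIN):
    """Netscape cookies.txt lines for org_domain, flagged live or expired."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _, _, _, expires, name, _ = fields
        domain = domain.lstrip(".").lower()  # leading dot = host and subdomains
        if not (domain == org_domain or domain.endswith("." + org_domain)):
            continue
        if not expires.lstrip("-").isdigit():
            continue
        expires = int(expires)
        # 0 marks a browser-session cookie with no fixed expiry: treat as live.
        hits.append(CookieHit(domain, name, expires, live=expires == 0 or expires > now))
    return hits


def live_cookies(text, now, org_domain=ORG_DOMAIN):
    return [c for c in cookie_hits(text, now, org_domain) if c.live]


# Constructed sample input: one colon-in-password line, one port, one foreign host.
SAMPLE_ULP = """\
https://portal.example.org/login:alice@example.org:Pa:ss:word!
http://shop.example.com/account:bob:hunter2
https://vpn.example.org:8443:carol:s3cret
https://x.example.net:9999/:dave@example.org:pw
broken line without delimiters
"""
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File (constructed)",
    ".example.org\tTRUE\t/\tTRUE\t1900000000\tSESSIONID\tabc123",
    "portal.example.org\tTRUE\t/\tTRUE\t1500000000\tSESSIONID\tstale",
    ".example.org\tTRUE\t/\tTRUE\t0\tCSRF\tsess",
    ".example.com\tTRUE\t/\tFALSE\t1900000000\tSESSIONID\tother",
])
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

if __name__ == "__main__":
    for h in credential_hits(SAMPLE_ULP):
        print(f"credential hit: {h.login} at {h.url} -> force reset")
    for c in cookie_hits(SAMPLE_COOKIES, NOW):
        print(f"cookie hit: {c.name} for {c.domain} ({'LIVE, revoke' if c.live else 'expired'})")
```

Feeding the output into the response steps the talk lists (prioritise by account type, reset credentials and cookies, enable MFA, keep monitoring) is the point: the live cookies are the sessions an attacker can still replay today, so they go first, while the expired ones still tell you which users were infected and need their machines cleaned before a new password is set.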