More stories


    Google acquisition of Siemplify is a knockout punch for standalone SOAR

    Google announced the acquisition of Siemplify, a security orchestration, automation, and response (SOAR) tool, this past Monday. Google Cloud’s acquisition of a SOAR tool in and of itself is not surprising — this has been a missing piece for its Chronicle offering that other security analytics platforms have built-in for the past several years. 

    What is interesting, however, is the timing of this acquisition, which comes years after the spate of SOAR acquisitions in 2018 and 2019. Siemplify was one of the few remaining holdouts as a standalone SOAR, as most other independent SOAR vendors were acquired or diversified their portfolios with other products such as threat intelligence platforms (TIPs). In some ways, that makes this a heady acquisition, as it signals the true end of the standalone SOAR. Forrester predicted early on that the SOAR market could not stand on its own, and given that that was five years ago, it is starting to feel like we are belaboring the point.

    The bottom line is this: The SIEM has irrevocably been altered into the more holistic security analytics platform, incorporating SIEM, SOAR, and security user behavior analytics (SUBA) in a single offering. Offering just one piece of the puzzle, whether a SOAR, a SIEM, or SUBA, is not enough. Security teams want a unified security analytics platform that they can use through the entire incident response lifecycle, from detection to investigation to the orchestration of response... and beyond?

    SOAR is part of a larger set of SecOps capabilities

    Security teams now have one less standalone SOAR offering to choose from. This is detrimental in some ways, since some practitioners prefer to use a separate, independent SOAR offering. They find the depth of available integrations to be more powerful and prefer a tool, and the vendor behind it, to be entirely focused on improving automation in the SOC. While standalone SOAR is becoming a rarity, SOAR still exists in many forms. There are benefits to having a security analytics platform that tightly integrates SIEM and SOAR. A combined tool can help you implement more seamless automation and streamline the entirety of the incident response lifecycle in one place. It also gives you one less vendor to manage, and data from the latest Forrester Analytics Business Technographics® Security Survey shows that security pros are looking to consolidate security tooling.

    Buying SOAR as a standalone versus as part of a broader platform is the classic best-of-breed versus best-of-suite debate. The tricky part, though, is that SOAR is the supporting act, not the headliner. This means things get a little more complicated, as you will find in the flavors of SOAR below.

    Flavors of SOAR

    Consider the different flavors of SOAR and the risks of each:

    • Integrated security analytics platforms can provide tight integration and a simpler user experience. The main challenge with these vendors is ensuring that they stay cutting-edge; big suites of products tend to lead to complacency on innovation and bloat.

    • Security analytics portfolios try to balance the best of what standalone SOAR offers while providing that integration (but this makes them more likely to fail at both, as a jack of all trades). If these vendors struggle with one element of their SOAR offering, it is more likely to be the integrations with other vendors than with their own tools.

    • SOAR + TIP + etc. vendors, or those with other additional areas of focus, bank on the fusion between SOAR and their other adjacent offerings. This can be unique and provides them a way of staying independent while still gaining ground in different markets. Combining SOAR and TIP capabilities also helps to operationalize threat intelligence in the SOC.

    • Standalone SOAR can have a great depth of integrations because of its independence and its singular focus on building better automation for the SOC. Even if you choose a standalone SOAR, however, it may not be standalone for much longer.

    This post was written by Analyst Allie Mellen and it originally appeared here.


    NoReboot attack fakes iOS phone shutdown to spy on you

    A new technique that fakes iPhone shutdowns to perform surveillance has been published by researchers. 


    Dubbed “NoReboot,” ZecOps’ proof-of-concept (PoC) attack is described as a persistence method that defeats the common advice to restart a device in order to clear malicious activity from memory. Making its debut with an analysis and a public GitHub repository this week, ZecOps said the NoReboot Trojan simulates a true shutdown while providing cover for the malware to keep operating, which could include covert hijacking of the microphone and camera to spy on the handset’s owner.

    “The user cannot feel a difference between a real shutdown and a ‘fake shutdown,’” the researchers say. “There is no user interface or any button feedback until the user turns the phone back ‘on’.”

    The technique takes over the expected shutdown event by injecting code into three system processes: InCallService, SpringBoard, and backboardd. Because that injection already requires code execution on the device, NoReboot is a post-compromise persistence trick rather than an entry vector. When an iPhone is turned off, there are physical indicators that this has completed successfully, such as a ring or sound, vibration, and the Apple logo appearing on screen. By suppressing this “physical feedback,” the malware can create the appearance of a shutdown while a live connection to an operator is maintained.
    “When you slide to power off, it is actually a system application /Applications/InCallService.app sending a shutdown signal to SpringBoard, which is a daemon that is responsible for the majority of the UI interaction,” the researchers explained. “We managed to hijack the signal by hooking the Objective-C method -[FBSSystemService shutdownWithOptions:]. Now instead of sending a shutdown signal to SpringBoard, it will notify both SpringBoard and backboardd to trigger the code we injected into them.”

    The spinning wheel that indicates a shutdown in progress can then be hijacked via backboardd, and the SpringBoard process can be forced to exit and blocked from restarting. ZecOps said that by taking over SpringBoard, a target iPhone can “look and feel” like it is not turned on, which is the “perfect disguise for the purpose of mimicking a fake power off.”

    Users still have the option of a forced restart. This is where further tampering with backboardd comes in: by monitoring user input, including how long buttons are held, a reboot can be simulated just before a true restart would take place, for example by displaying the Apple logo early.

    “Stopping users from manually restarting an infected device by making them believe they have successfully done so is a notable malware persistence technique,” Malwarebytes commented. “On top of that, human deception is involved: Just when you thought it’s gone, it’s still pretty much there.”

    As the technique relies on deceiving the user rather than on a vulnerability or bug in iOS, it is not something that can be fixed with a patch. ZecOps says the NoReboot method works on all versions of iOS and that only hardware indicators could help detect it. ZecOps has published a video demonstration alongside its analysis.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Chinese scientist pleads guilty to stealing US agricultural tech

    A Chinese national has pleaded guilty to the theft of agricultural trade secrets from the US, intended for scientists in China.

    Xiang Haitao, formerly of Chesterfield, Missouri, worked at Monsanto and its subsidiary, The Climate Corporation, between 2008 and 2017, the US Department of Justice (DoJ) said on Thursday. Monsanto and The Climate Corporation developed an online platform for farmers to manage field and yield information in a bid to improve land productivity. One component of this technology was an algorithm called the Nutrient Optimizer, which US prosecutors say the companies considered “a valuable trade secret and their intellectual property.”

    According to the DoJ, the former employee stole this information “for the purpose of benefitting a foreign government, namely the People’s Republic of China.” In June 2017, Xiang left the companies and boarded a flight to China the following day. The 44-year-old drew the attention of airport officials, who conducted a search, but it was not until later that investigators found copies of the Nutrient Optimizer stored on his electronic devices. Xiang was therefore able to leave the United States, and he began working for the Chinese Academy of Sciences’ Institute of Soil Science.

    During a later return trip to the US, Xiang was arrested and charged. He has pleaded guilty to one count of conspiracy to commit economic espionage and faces up to 15 years in prison, a maximum of three years of supervised release, and a fine of up to $5 million.

    Sentencing is scheduled for April 7.

    “Mr. Xiang used his insider status at a major international company to steal valuable trade secrets for use in his native China,” commented US Attorney Sayler Fleming for the Eastern District of Missouri. “We cannot allow US citizens or foreign nationals to hand sensitive business information over to competitors in other countries, and we will continue our vigorous criminal enforcement of economic espionage and trade secret laws.”

    Monsanto, meanwhile, pleaded guilty in December to 30 environmental crimes, including the illegal use of a banned pesticide in Hawaii; the plea agreement includes a $12 million fine. Bayer closed its acquisition of Monsanto in 2018 and is now facing a potential class-action lawsuit from investors demanding $2.5 billion over claims of failed due diligence.


    Illinois fertility clinic, online pharmacy giant Ravkoo report data breaches

    Online pharmacy company Ravkoo and Fertility Centers of Illinois (FCI) have both informed tens of thousands of current and former patients of data breaches involving troves of their sensitive information.

    The HIPAA Journal reported that FCI sent breach notification letters to 79,943 current and former patients, informing them that passport numbers, Social Security numbers, financial account information, payment card information, treatment information, treating physicians, medical billing and claims information, prescription and medication information, and Medicare/Medicaid identification numbers were exposed. The breach also involved significantly more patient information related to treatment and health insurance coverage, as well as some employee information.

    FCI said it “became aware of suspicious activity on its internal systems” on February 1 and had determined by August that patient information was involved. The company did not respond to requests for comment about the delay in informing victims, but said in the notice that it is offering one year of free credit monitoring and identity theft protection services.

    FCI wasn’t the only healthcare institution dealing with a breach. Internet pharmacy service Ravkoo also notified customers of a data breach involving their information. In a letter sent to New Hampshire Attorney General Gordon MacDonald, Florida-based Ravkoo said attackers gained access to its AWS-hosted cloud prescription portal on September 27. The incident exposed the prescription and healthcare information of about 105,000 people, including nearly 400 in Maine. After hiring a cybersecurity firm, the company was told on October 27 that names, mailing addresses, phone numbers, prescriptions and medical information had been exposed, CEO Alpesh Patel said.

    Breach notification letters were sent out January 3 and the FBI was notified, according to a notice on the Ravkoo website. Victims are being offered one year of free online identity monitoring from Kroll Information Assurance.

    In September, the hacker behind the Ravkoo attack told The Intercept’s director of information security, Micah Lee, that Ravkoo was “hilariously easy” to hack and that they had access to hundreds of thousands of prescriptions filed with the company since 2020. According to what the hacker told The Intercept, Ravkoo’s site had “a hidden admin panel that every user can log in to and view all the data.” A hidden path is not an access control: if an administrative function is protected only by obscurity rather than by a server-side authorization check on every request, any authenticated user who finds it has full access.

    Multiple fertility clinics reported data breaches in 2021, including Quest-owned ReproSource and Georgia-based Reproductive Biology Associates as well as its affiliate My Egg Bank North America. Jake Williams, CTO at BreachQuest, explained that it is not uncommon for medical organizations to store patient data outside of their electronic health record system, and said it sounds like that is what happened in the FCI case. The theft of administrative and other high-privilege accounts gives attackers access to widespread data, and such accounts often act as a single point of failure, according to nVisium’s Ben Pick.


    JFrog researchers find JNDI vulnerability in H2 database consoles similar to log4shell

    Security researchers from JFrog said on Thursday that they discovered a critical JNDI-based vulnerability in the H2 database console with a root cause similar to that of Log4Shell. The entry had not yet been published by NIST at the time of writing, but the issue has been assigned CVE-2021-42392. In a blog post, the company said that CVE-2021-42392 should not be as widespread as Log4Shell, even though it is a critical issue with a similar root cause.

    JFrog explained that the Java Naming and Directory Interface (JNDI) is an API that provides naming and directory functionality for Java applications. H2 is a widely used open-source Java SQL database found in projects ranging from web frameworks like Spring Boot to IoT platforms like ThingWorx. The researchers noted that the com.h2database:h2 package is “part of the top 50 most popular Maven packages, with almost 7,000 artifact dependencies.”

    Shachar Menashe, senior director of JFrog security research, told ZDNet that, as with the Log4Shell vulnerability uncovered in early December, attacker-controlled URLs that propagate into JNDI lookups can allow unauthenticated remote code execution, giving attackers control over another person’s or organization’s systems. The security company said CVE-2021-42392 in the H2 database console is the first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause as Log4Shell, namely JNDI remote class loading.


    “To the best of our knowledge, CVE-2021-42392 is the first JNDI-related unauthenticated RCE vulnerability to be published since Log4Shell, but we suspect it won’t be the last,” the researchers wrote. “One of our key takeaways from the Log4Shell vulnerability incident was that due to the widespread usage of JNDI, there are bound to be more packages that are affected by the same root cause as Log4Shell – accepting arbitrary JNDI lookup URLs. Thus, we’ve adjusted our automated vulnerability detection framework to take into consideration the javax.naming.Context.lookup function as a dangerous function (sink) and unleashed the framework onto the Maven repository to hopefully find issues similar to Log4Shell.”

    The H2 database package was one of the first they validated, and they reported it to the H2 maintainers, who fixed it immediately in a new release and published a critical GitHub advisory. According to JFrog, several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to the javax.naming.Context.lookup function, which allows remote codebase loading. Of all the attack vectors for the issue, the most severe is through the H2 console.

    “This feature can impact those running an H2 database console exposed to the network and we recommend updating your H2 database to version 2.0.206 immediately. Note that the H2 database is used by many 3rd-party frameworks, including Spring Boot, Play Framework and JHipster,” Menashe said. “While this vulnerability is not as widespread as Log4Shell, it can still have a dramatic impact on developers and production systems if not addressed accordingly.”

    The report notes that because the H2 database is used by so many artifacts, it is difficult to quantify how many vulnerable deployments of the H2 console exist in the wild. JFrog also described several other attack vectors for the same vulnerability and suggested that users upgrade H2 to the latest version, noting that the researchers have seen a number of developer tools “relying on the H2 database and specifically exposing the H2 console.”

    “If you are running an H2 console which is exposed to your LAN (or worse, WAN) this issue is extremely critical (unauthenticated remote code execution) and you should update your H2 database to version 2.0.206 immediately,” the company said. “Network administrators can scan their local subnets for open instances of the H2 console with nmap. Any returned servers are highly likely to be exploitable.”

    According to the researchers, version 2.0.206 is similar to Log4j 2.17.0 in that it fixes the issue by limiting JNDI URLs to the (local) java protocol only, which denies any remote LDAP/RMI queries. JFrog also provided several mitigation options for those who cannot upgrade H2.

    Matthew Warner, CTO at Blumira, told ZDNet that according to OSINT there are likely fewer than 100 affected servers on the internet, because the H2 database console must be deliberately exposed by changing its configuration to listen on more than localhost. “While this vulnerability also utilizes remote JNDI class loading, it requires access that is not available with the default configuration of the H2 Database,” Warner said.

    BreachQuest CTO Jake Williams said widespread exploitation is unlikely because this vulnerability is in an application rather than a library like Log4j, meaning vulnerable systems should be much easier to discover and remediate. In a default configuration, the vulnerability can only be triggered from the same machine on which the database console is running, so exploitation is highly conditional. “It’s unlikely that this will cause widespread damage, though vulnerability managers should be ready to patch other newly discovered JNDI vulnerabilities as they are disclosed,” Williams said. “It’s clear that this vulnerability won’t be the last one discovered that’s related to log4j.”

    Others, like NTT Application Security’s Ray Kelly, said that while exploitation was unlikely, using a mashup of SQL and JNDI to exploit an RCE vulnerability “is quite creative and an excellent example of how a single issue can be abused multiple ways.”

    The research is also worthwhile because, even though Log4j had specific coding flaws resulting in Log4Shell, the broader problem of missing validation on JNDI lookups is a general attack pathway that is likely to exist elsewhere and, given that the Log4j vulnerabilities weren’t discovered sooner, likely hasn’t been the subject of directed scrutiny, according to Bugcrowd CTO Casey Ellis. “This is a classic example of ‘research clustering’ which is a phenomenon Bugcrowd has observed many times before and one we predicted after the initial publication of Log4Shell,” Ellis said. “Some research teams have opted to capitalize on a sense of panic to get their message out there, while the JFrog folks seem to have taken great care to get their message across, but not cause undue work for already overloaded security teams.”
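    The following Java class is an added illustration of the sink described above; it is not H2’s code and not part of the original article, and the class, method and sample names are invented for the example. It shows the vulnerable pattern (a caller-supplied name forwarded straight into javax.naming.Context.lookup) next to the same lookup guarded with the policy JFrog attributes to H2 2.0.206: plain names and the local java: scheme are accepted, every remote provider scheme such as ldap:, ldaps: or rmi: is refused before a provider is ever contacted.

```java
import java.util.Locale;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Hypothetical resolver that turns a JNDI name taken from a caller-supplied
 * connection string into an object. Two variants: the unfiltered sink and
 * a local-only guard modelled on the "java: scheme only" fix.
 */
public final class JndiLookupGuard {

    private JndiLookupGuard() {}

    /**
     * VULNERABLE: whatever the caller passes reaches Context.lookup unfiltered.
     * A name such as "ldap://attacker.example:1389/a" makes the JNDI provider
     * contact the attacker's server and may instantiate an attacker-supplied
     * object or class (the Log4Shell root cause; exact impact depends on the JDK).
     */
    public static Object resolveUnsafe(String jndiName) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(jndiName); // sink: attacker-controlled URL
    }

    /**
     * True only for names that stay in the local JNDI namespace: a plain name
     * with no URL scheme (resolved by the default context) or the "java:"
     * scheme, e.g. "java:comp/env/jdbc/app". The scheme test mirrors how JNDI
     * itself recognises URL names: the text before the first ':' is a scheme
     * only if no '/' precedes that colon.
     */
    public static boolean isLocalJndiName(String jndiName) {
        if (jndiName == null || jndiName.trim().isEmpty()) {
            return false;
        }
        int colon = jndiName.indexOf(':');
        int slash = jndiName.indexOf('/');
        if (colon < 0 || (slash >= 0 && slash < colon)) {
            return true; // no URL scheme present
        }
        String scheme = jndiName.substring(0, colon).trim().toLowerCase(Locale.ROOT);
        return scheme.equals("java"); // ldap, ldaps, rmi, iiop, dns, ... are rejected
    }

    /** HARDENED: same lookup, but remote schemes are refused before the sink. */
    public static Object resolveLocalOnly(String jndiName) throws NamingException {
        if (!isLocalJndiName(jndiName)) {
            throw new NamingException("refusing non-local JNDI name: " + jndiName);
        }
        Context ctx = new InitialContext();
        return ctx.lookup(jndiName);
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from any real deployment.
        String[] samples = {
            "java:comp/env/jdbc/app",          // local scheme: allowed
            "jdbc/app",                        // no scheme: allowed
            "ldap://attacker.example:1389/a",  // remote class loading: rejected
            "rmi://attacker.example:1099/a",   // rejected
            "LDAP://attacker.example/a",       // scheme matching is case-insensitive
            "a/b:c"                            // '/' before ':' so not a URL: allowed
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isLocalJndiName(s) ? "allowed" : "rejected"));
        }
    }
}
```

    Running the class prints the decision for each constructed sample. In a JVM with no JNDI provider configured, InitialContext.lookup itself fails with NoInitialContextException; the point of the example is that resolveLocalOnly rejects an ldap:// or rmi:// name before any provider is involved, whereas resolveUnsafe would hand it to the provider and let the provider reach out to the attacker’s host.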


    Hackers are sending malicious links through Google Doc comment emails

    Research from cybersecurity company Avanan has shown that hackers are increasingly using Google Docs’ productivity features to slip malicious content past spam filters and security tools. 

    Avanan’s Jeremy Fuchs said that in December the company saw attackers using the comment feature in Google Docs and Google Slides to target Outlook users.

    “In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators,” Fuchs wrote in a blog post.

    The technique has long been used by cybercriminals, and Google released fixes for the issue in 2020. But Avanan included images showing researchers testing the flaw with Google Docs and Google Slides using a malicious link added to a comment.

    “We primarily saw it target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts,” Fuchs added, noting that the notification feature in Google Docs makes it difficult for scanners to stop the attack because the email comes directly from Google.

    Google is on most allow lists, Fuchs explained, and most users trust emails coming from Google. Sender-based anti-spam checks are also ineffective against the attack because the message carries Google’s sending address rather than the attacker’s, with only the attacker’s display name visible; since Google genuinely sent it, sender authentication such as SPF and DKIM passes as well. No one would know whether the comment came from someone within their company or from somewhere else. “Further, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document — just mentioning the person in the comment is enough,” Fuchs said.

    The company noted that last year it reported another Google Docs exploit that also allowed attackers to easily deliver malicious phishing websites to end users. Avanan suggested users check carefully before clicking on any link in a Google Doc comment sent to them.

    A number of cybersecurity experts reiterated that this kind of attack has been used for many years because of how successful it is. Shawn Smith, director of infrastructure at nVisium, noted that the attack is not significantly different from many other methods of phishing. “Users should always be wary of links in emails — even emails from legitimate senders — due to the possibility of an account becoming compromised. It seems to me that this could be categorized less as an ‘exploit’ per se, and more so a case of a lack of spam prevention,” Smith said. “In addition to checking links, users should also be hovering over links before clicking to confirm that the embedded hyperlink is sending them where they expect — and not to a completely different site than the link indicates.”


    Counties in New Mexico, Arkansas begin 2022 with ransomware attacks

    Two counties, in New Mexico and Arkansas, are dealing with ransomware attacks affecting government services, according to officials in both states. On Wednesday evening, New Mexico’s Bernalillo County, which includes Albuquerque, the state’s most populous city, as well as Los Ranchos and Tijeras, officially reported that it was hit with a ransomware attack that began between midnight and 5:30 a.m. on January 5.

    County officials have taken the affected systems offline and cut network connections, and most county buildings are now closed to the public. Emergency services are still available and 911 is still operating, but a Sheriff’s Office customer service window was closed. Visitation at the Metropolitan Detention Center has been postponed indefinitely, but all community centers remain open, and many other government services are still available over the phone and in person. The county said it is working with its vendors to respond to the incident.

    Bernalillo County spokesman Tom Thorpe told KOB4 that he was unaware of a specific ransom demand from the attackers. County communications director Tia Bland said in a statement to KOAT: “Accounting and technology staff are doing a thorough assessment to figure out what the impact is.”

    Arkansas’ Crawford County is also dealing with a ransomware attack that began just before the new year.

    Crawford County Judge Dennis Gilstrap told Arkansas news outlets last week that a ransomware attack was discovered at the County Assessor’s office on December 27, forcing them to shut down the office’s servers. Gilstrap said county IT workers contacted their cybersecurity provider, Apprentice, for guidance on how to deal with the attack.

    “Basically we had to shut down everything from the servers on, but we got it stopped,” Gilstrap told TalkBusiness. “Last I heard, the (County Clerk’s office) could not issue marriage licenses. I guess it was good that it happened during a slow period (between Christmas and New Year), if there can be anything good said about it.”

    Crawford County public defender Ryan Norris added in an interview with the outlet that the clerk’s office was not able to pull up jury lists, calling it a “mess.” By Tuesday, Gilstrap said, operations were back to normal at both the assessor’s and tax collector’s offices. But he told both TalkBusiness and 5News that it will take weeks before they know whether personal information was accessed by the attackers.

    Ransomware expert Brett Callow told ZDNet that while fewer local governments fell victim to ransomware attacks in 2021 than in either of the previous two years (77, versus 113 in both 2020 and 2019), that can hardly be seen as a win. “The fact that a local government was hit so early into the New Year isn’t at all surprising, given that they fall victim to ransomware attacks at a rate of about 1.5/week,” Callow said. “One is one too many, and 77 is far too many. This is especially true as far more incidents now involve data exfiltration, making it more likely that a ransomware attack on a local government will result in sensitive information leaking online.”

    Shared Assessments’ Nasser Fattah said attacks will continue due to a lack of resources and the use of stale technologies, which “collectively make municipalities an attractive target.” YouAttest CEO Garret Grajek noted that recent research from the Palo Alto Networks Cortex Xpanse team showed attackers scanning for a newly disclosed vulnerability within 15 minutes of its publication, while most companies take around 12 hours to patch and update. “No company, county or organization is too obscure or too off-the-beaten-path for the attackers,” Grajek said. “To the hackers, the sites are simply targets of opportunity.”


    Report: $2.2 billion in cryptocurrency stolen from DeFi platforms in 2021

    Blockchain data platform Chainalysis has released a new report on cryptocurrency crime trends, finding that $14 billion in cryptocurrency was sent to illicit addresses in 2021, nearly double the figure seen in 2020. 

    Chainalysis data shows that about $2.2 billion was outright stolen from DeFi protocols in 2021. As of early 2022, Chainalysis estimated that illicit addresses hold at least $10 billion worth of cryptocurrency, most of it in wallets implicated in cryptocurrency theft, darknet markets and scams.

    Digging deeper into the figures, Chainalysis researchers found that cybercriminals brought in 82% more revenue from scamming last year, taking $7.8 billion in cryptocurrency from victims. Within that $7.8 billion, Chainalysis identified $2.8 billion from a type of scam it calls a “rug pull,” in which developers create seemingly legitimate cryptocurrency projects before stealing investor money and disappearing. The $2.8 billion counts only the investor funding that was taken and does not include user losses from the plummeting value of fake DeFi tokens. Almost all of the $2.8 billion taken in 2021 came from Thodex, a fraudulent centralized exchange that collapsed when its CEO stopped users from withdrawing funds and disappeared. Chainalysis tracked several other DeFi projects that turned out to be rug pulls.

    “We believe rug pulls are common in DeFi for two related reasons. One is the hype around the space. DeFi transaction volume grew 912% in 2021, and the incredible returns on decentralized tokens like Shiba Inu have many excited to speculate on DeFi tokens,” Chainalysis said. “At the same time, it’s very easy for those with the right technical skills to create new DeFi tokens and get them listed on exchanges, even without a code audit. Many investors could likely have avoided losing funds to rug pulls if they’d stuck to DeFi projects that have undergone a code audit – or if DEXes required code audits before listing tokens.”

    Another big chunk of illicit cryptocurrency activity came from outright theft, which grew 516% in 2021 compared to the previous year.

    Chainalysis found that about $2.2 billion of the $3.2 billion worth of cryptocurrency stolen in 2021 came from DeFi protocols. That far exceeds 2020, when about $162 million was taken from DeFi platforms, a 1,330% year-over-year increase. Chainalysis said many of the headline-grabbing attacks on DeFi exchanges over the last year “can be traced back to errors in the smart contract code governing those protocols, which hackers exploit to steal funds.”

    “We’ve also seen significant growth in the usage of DeFi protocols for laundering illicit funds, a practice we saw scattered examples of in 2020 and that became more prevalent in 2021. DeFi protocols saw the most growth by far in usage for money laundering at 1,964%,” Chainalysis explained. “In the longer term, the industry may also need to take more drastic steps to prevent tokens associated with potentially fraudulent or unsafe projects from being listed on major exchanges.”

    The attack on DeFi protocol Grim Finance at the end of December capped a whirlwind year for DeFi hacks. A week before the attack on Grim Finance, more than $77 million was stolen from AscendEX. Days before that, blockchain gaming company Vulcan Forged said around $140 million had been stolen from its users. Crypto trading platform BitMart suffered a devastating attack that caused about $200 million in losses. In November, cybercriminals stole about $120 million from DeFi platform BadgerDAO. Other attacks in 2021 include thefts of more than $600 million from Poly Network in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform. Further attacks involved platforms like Liquid, EasyFi, bZx, and many others.

    Chainalysis noted that transactions involving illicit addresses represented just 0.15% of all cryptocurrency transaction volume in 2021, but added that the $14 billion figure is likely to grow as more addresses are tied to criminal activity; the 2020 figure rose from 0.34% to 0.62% of all transaction volume as Chainalysis continued to dig.

    “Cryptocurrency usage is growing faster than ever before. Across all cryptocurrencies tracked by Chainalysis, total transaction volume grew to $15.8 trillion in 2021, up 567% from 2020’s totals. Given that roaring adoption, it’s no surprise that more cybercriminals are using cryptocurrency. But the fact that the increase was just 79% — nearly an order of magnitude lower than overall adoption — might be the biggest surprise of all,” the report said, explaining that “illicit activity’s share of cryptocurrency transaction volume has never been lower.”

    The report adds that law enforcement has been able to increase its foothold in the cryptocurrency world in recent months. Chainalysis, which works with a number of law enforcement and government agencies, noted that IRS Criminal Investigation announced that it seized over $3.5 billion worth of cryptocurrency in 2021, all from non-tax investigations.