More stories

  • Two-thirds of cloud attacks could be stopped by checking configurations, research finds

    Two-thirds of cloud security incidents could have been avoided if the configuration of apps, databases, and security policies were correct, new research suggests.

    On Wednesday, IBM Security X-Force published its latest Cloud Security Threat Landscape report, spanning Q2 2020 through Q2 2021.

    According to the research, two out of three breached cloud environments observed by the tech giant “would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems.”

    While sampling scanned cloud environments, in every case of a penetration test performed by X-Force Red, the team also found issues with either credentials or policies.

    “These two elements trickled down to the most frequently observed initial infection vectors for organizations: improperly configured assets, password spraying, and pivoting from on-premises infrastructure,” IBM says. “In addition, API configuration and security issues, remote exploitation and accessing confidential data were common ways for threat actors to take advantage of lax security in cloud environments.”

    The researchers believe that over half of recent breaches also come down to shadow IT, which may include apps and services that are not managed or monitored by central IT teams.

    Misconfiguration, API errors or exposure, and oversight in securing cloud environments have also led to the creation of a thriving underground market for public cloud initial access. According to IBM, in 71% of ads listed — out of close to 30,000 — Remote Desktop Protocol (RDP) access is on offer for criminal purposes.

    In some cases, cloud environment access is being sold for as little as a few dollars, although depending on the perceived value of the target — such as for information theft or potential ransomware payments — access can fetch thousands of dollars.

    IBM’s report also states there has been an increase in vulnerabilities impacting cloud applications, with close to half of over 2,500 reported bugs being disclosed in the past 18 months.

    Once an attacker has obtained access to a cloud environment, cryptocurrency miners and ransomware variants were dropped in close to half of the cases noted in the report. There is also evolution in the payloads being dropped, with old malware strains focused on compromising Docker containers, whereas new code is often being written in cross-platform languages including Golang.

    “Many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premise, which leads to a fragmented and more complex security environment that is tough to manage,” IBM says. “Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back.”

    In other cloud security news, Apple paid a bug bounty hunter $28,000 after he accidentally wiped out Shortcuts functionality for users while testing the firm’s apps and CloudKit. The issue was caused by a misconfiguration on the iPad and iPhone maker’s part and allowed the researcher to — albeit unintentionally — delete default zones in the Shortcuts service.

  • Meris botnet assaults KrebsOnSecurity

    KrebsOnSecurity is often the target of disgruntled cybercriminals and has now been targeted by a large and powerful botnet. 

    The website, operated by security expert Brian Krebs, was subject to an assault by the “Meris” botnet on Thursday evening.

    Meris is a new botnet on the scene which is powered by Internet of Things (IoT) devices. IoT products, PCs, home gadgets — including cameras, VCRs, TVs, and routers — that are hijacked become slave nodes in a botnet’s network and can then be used to conduct distributed denial-of-service (DDoS) attacks, among other functions.

    In this case, Meris is composed of a huge number of MikroTik routers. According to Qrator Labs and Yandex, Meris first appeared in late June and is still growing.

    Meris may bring Mirai to mind, a botnet famous for taking down large swathes of the internet in 2016, but the team says this may not be the right comparison to make at this time.

    “Some people and organizations already called the botnet “a return of Mirai,” which we do not think to be accurate,” Qrator Labs says. “Mirai possessed a higher number of compromised devices united under C2C, and it attacked mainly with volumetric traffic.”

    Mirai’s source code was later leaked, causing many variants to appear that are still in operation.

    Krebs says that the DDoS attack, albeit “mercifully brief,” was larger than the one launched against KrebsOnSecurity in 2016 by a Mirai operator. The attack was large enough that Akamai, which had fended off past attacks against Krebs pro bono, had to unmoor the domain in light of the potential ramifications for other clients.

    The security expert says the volume of junk traffic launched by the botnet was more “than four times” that of Mirai, reaching over two million requests per second.

    The domain is now protected under Google’s Project Shield.

    It is also suspected that Meris is behind two other major attacks this year: one against search engine Yandex last week, and a substantial attack against Cloudflare in July, clocking in at 17.2 million requests per second.

    MikroTik has issued a statement on the botnet, noting that the compromise of its devices appears to stem from a vulnerability patched in RouterOS in 2018, rather than a zero-day or new vulnerability.

    “Unfortunately, closing the vulnerability does not immediately protect these routers,” the company said. “If somebody got your password in 2018, just an upgrade will not help. You must also change [your] password, re-check your firewall [so] it does not allow remote access to unknown parties, and look for scripts that you did not create. We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.”

  • Rare bright cyber spot: ACSC reports total incidents down 28%

    It is not often in the cybersecurity realm that an indicator is headed in a happy direction, but that is what the overall incident number in the ACSC Annual Cyber Threat Report is doing.

    For the 2020-21 fiscal year, the Australian Cyber Security Centre (ACSC) responded to 1,630 incidents, which works out to around 31 a week. Compared to the previous financial year, the total number of cybersecurity incidents in the 2020–21 financial year decreased by 28%.

    Other good news included ACSC not having to respond to any incidents in the top third of its six incident grading categories. In the year prior, it reported a single category 1 incident and four category 2 incidents.

    Now for the bad news that typically makes up these reports. In total, ACSC is seeing a higher category grade being the most reported, with category 4 replacing category 5. Category 4 accounts for 49% whereas last year it accounted for 35% of all incidents.

    “The highest proportion of incidents the ACSC responded to related to low-level malicious activity such as targeted reconnaissance, phishing, or non-sensitive data loss, accounting for more than half of the cybersecurity incidents,” the report said.

    The report highlighted the increasing amount of financial losses related to business email compromises (BEC) despite the number of BEC incidents heading lower. Total losses hit AU$81.5 million, an increase of 15%, and the average loss for each successful BEC transaction jumped 54% to AU$50,600.

    ACSC highlighted the bankruptcy of the hedge fund Levitas after false invoices saw it transfer AU$8.7 million to malicious actors.

    “While the business recovered the majority of its funds, it suffered significant reputational damage and its main client withdrew,” the report said. “This forced the hedge fund to go into receivership and resulted in its bankruptcy. This was likely Australia’s first bankruptcy case as a direct result of a cybercrime incident.”

    The establishment of a multi-agency BEC taskforce under the Australian Federal Police, dubbed Operation Dolos, was able to prevent AU$8.5 million being lost to business email compromises.

    “Despite the headlines, many of the compromises experienced by Australians will continue to be fuelled by a lack of adequate cyber hygiene. This delivers a significant advantage to adversaries and lowers the technical barrier to targeting victims in Australia, highlighting the need to uplift cybersecurity maturity across the Australian economy,” the ACSC said. “Given the prevalence of malicious cyber actors targeting Australian networks — which is often under-reported to the ACSC — there is a strong need for greater resilience, and for Australian organisations and individuals to prepare to respond to and recover from any cyber attack to their networks.”

    In an area that the Australian Labor Party enjoys banging on about — ransomware — the report said there was a 15% increase to almost 500 ransomware reports for the year.

    Shadow Assistant Minister for Cyber Security Tim Watts took the opportunity to have another whack at the government.

    “The Morrison-Joyce Government has utterly failed to take meaningful action to prevent ransomware attacks on Australian organisations despite twelve months of warnings,” he said.

    “But while the Morrison-Joyce government never misses an opportunity for a dramatic press conference on cybersecurity, it’s missed every opportunity to take the basic actions needed to combat the urgent threat of ransomware despite growing warnings.

    “Instead, it’s simply blamed the victims, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.”

    In total terms, ACSC said it experienced a 13% increase in cybercrime reports over 2020-21 to 67,500, with its reports-per-minute metric dropping from one report every 10 minutes down to every 8 minutes.

    “A higher proportion of cybersecurity incidents this financial year was categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline,” the report said.

    “The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. The accessibility of cybercrime services — such as ransomware-as-a-service — via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment.”

    Going against the population distribution in Australia, Queensland led the way on cybercrime reports followed by Victoria, New South Wales, Western Australia, and South Australia. Although trailing on the absolute numbers, WA and SA reported higher average financial losses. Overall, self-reported financial losses topped AU$33 billion.

    The report was also far from rosy on the outlook of supply chain compromises like those involving SolarWinds and Microsoft Exchange, describing them as “the new norm”.

    “Over the next 12 months, additional supply chain compromises will likely come to light, major vulnerabilities will continue to emerge and Australia will experience more major financially motivated cyber incidents, some of which could disrupt critical services,” it said.

  • OMIGOD: Azure users running Linux VMs need to update now

    Users of Azure who are running Linux virtual machines may not be aware they have a severely vulnerable piece of management software installed on their machine by Microsoft, one that can be remotely exploited in an incredibly surprising and equally stupid way.

    As detailed by Wiz.io, which found four vulnerabilities in Microsoft’s Open Management Infrastructure project, an attacker would be able to gain root access on a remote machine if they sent a single packet with the authentication header removed.

    “This is a textbook RCE vulnerability that you would expect to see in the 90’s — it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Wiz security researcher Nir Ohfeld wrote. “Thanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0, which is root.”

    If OMI externally exposes port 5986, 5985, or 1270 then the system is vulnerable.

    “This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager. Fortunately, other Azure services (such as Log Analytics) do not expose this port, so the scope is limited to local privilege escalation in those situations,” Ohfeld added.

    The issue for users, as described by Ohfeld, is that OMI is silently installed when users install log collection, lacks public documentation, and runs with root privileges. Wiz found over 65% of Azure customers running Linux it looked at were vulnerable.

    In its advisory on the four CVEs released today — CVE-2021-38647 rated 9.8, CVE-2021-38648 rated 7.8, CVE-2021-38645 rated 7.8, and CVE-2021-38649 rated 7.0 — Microsoft said the fix for the vulnerabilities was pushed to its OMI code on August 11 to give its partners time to update before detailing the issues.

    Users should ensure they are running OMI version 1.6.8.1, with Microsoft adding instructions in its advisories to pull down the OMI updates from its repositories if machines are not updated yet.

    “System Center deployments of OMI are at greater risk because the Linux agents have been deprecated. Customers still using System Center with OMI-based Linux may need to manually update the OMI agent,” Wiz warned.

    The vulnerabilities were part of Microsoft’s latest Patch Tuesday. As with many vulnerabilities these days, a catchy name has been attached to them: in this case, Wiz dubbed them OMIGOD.
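
    The triage this article implies (is OMI older than 1.6.8.1, and is one of ports 5985, 5986 or 1270 listening beyond loopback?) can be sketched as follows. This is an added example, not code from Microsoft, Wiz or the article; it assumes the installed version string and `ss -tln` output have already been collected on the host, that a package-style version such as `1.6.8-0` maps onto the dotted form, and the result labels are hypothetical.

```python
import re

FIXED_VERSION = (1, 6, 8, 1)      # patched OMI release named in the article
OMI_PORTS = {5985, 5986, 1270}    # listener ports named in the article

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:5986        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5985      0.0.0.0:*
LISTEN  0       128     [::1]:1270          [::]:*
"""


def parse_version(text):
    """Turn '1.6.8.1' or a package-style '1.6.8-1' into a 4-tuple.

    Assumption: the first four integers in the string are the version.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)[:4]]
    if len(parts) < 3:
        raise ValueError(f"unrecognised OMI version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_loopback(addr):
    """True for IPv4/IPv6 loopback bind addresses as printed by ss."""
    addr = addr.strip("[]")
    return addr.startswith("127.") or addr == "::1"


def omi_listeners(ss_output):
    """Return OMI ports that are listening on a non-loopback address.

    A listener on these ports is only a hint that OMI's HTTP/S endpoint is
    enabled; whether it is reachable from outside also depends on firewall
    and network security group rules, which this check cannot see.
    """
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in OMI_PORTS and not is_loopback(addr):
            ports.add(int(port))
    return sorted(ports)


def triage(version_text, ss_output):
    """Classify a host as 'patched', 'remote-exposure' or 'local-only'."""
    if parse_version(version_text) >= FIXED_VERSION:
        return "patched"
    # Unpatched: the article limits the impact to local privilege
    # escalation when the OMI ports are not exposed.
    return "remote-exposure" if omi_listeners(ss_output) else "local-only"


if __name__ == "__main__":
    for version in ("1.6.8-0", "1.6.8.1"):
        print(version, triage(version, SAMPLE_SS), omi_listeners(SAMPLE_SS))
```

    A host reported as `local-only` still needs the update; the label only reflects that none of the three ports was found listening beyond loopback.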

  • Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed

    Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution (RCE) flaw in MSHTML and other critical bugs.

    The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14.

    Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

    On September 7, Microsoft said a remote code execution flaw in MSHTML had been identified and was being used in a limited number of attacks against Windows systems. The zero-day vulnerability, tracked as CVE-2021-40444, has been resolved in this patch round and the firm is urging users to accept the security fix immediately.

    Some other notable vulnerabilities resolved in this update are:

    • CVE-2021-38647: With a CVSS score of 9.8, this is the most critical bug on September’s list. This vulnerability impacts the Open Management Infrastructure (OMI) program and allows attackers to perform RCE attacks without authentication by sending malicious messages via HTTPS to port 5986. “Some Azure products, such as Configuration Management, expose an HTTP/S port for interacting with OMI (port 5986 also known as WinRM port),” Microsoft says. “This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port.”
    • CVE-2021-36968: A publicly disclosed Windows DNS privilege escalation zero-day vulnerability, issued a CVSS score of 7.8. Microsoft has not found any evidence, as of yet, of exploitation in the wild.
    • CVE-2021-26435: A critical flaw (CVSS 8.1) in the Microsoft Windows scripting engine. However, this memory corruption flaw requires user interaction to trigger.
    • CVE-2021-36967: A vulnerability, deemed critical and issued a CVSS score of 8.0, in the Windows WLAN AutoConfig service which can be used for elevation of privileges.

    According to the Zero Day Initiative (ZDI), the 66 CVEs — including three critical, one moderate, and the rest deemed important — reveal a volume slightly higher than the average patch rate across 2021, while this is still below 2020 volume.

    In addition, 20 CVEs were patched by Microsoft Edge (Chromium) earlier in September. In total, 11 of these vulnerabilities were submitted through the Zero Day Initiative, for a total of 86 CVEs.

    On Wednesday, Microsoft warned of “Azurescape,” a vulnerability mitigated by the Redmond giant that impacts Azure Container Instances (ACI). The bug was reported by a researcher from Palo Alto Networks.

    Last month, Microsoft resolved 44 vulnerabilities in the August batch of security fixes. In total, three were categorized as zero-day flaws, and 13 allowed attackers to perform RCE attacks. Included in the patch release was a fix for a well-publicized Windows Print Spooler vulnerability which could be weaponized for the purposes of local privilege escalation.

    A month prior, the tech giant tackled 117 bugs during the July Patch Tuesday.

    In other security news, Apple has patched a zero-day vulnerability reportedly exploited by NSO Group to spy on users of Mac, iPhone, iPad, and Watch products. In addition, Google has pushed out a security update resolving two zero-day bugs being actively exploited in the wild.

    Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.

  • Quantum cryptography: This air-filled fiber optic cable can transport un-hackable keys, say researchers

    A new type of optical fiber filled with nothing but thin air has been found to be particularly effective for carrying out quantum key distribution (QKD), a security protocol that is in principle un-hackable and could play a key role in protecting sensitive data against ever-more sophisticated cyber-attacks.

    BT experimented with QKD over a six-kilometer-long cable of hollow core fiber, a technology that it has been working on for the past few months as an alternative to traditional fiber optic cables.

    Optical fiber is typically made of solid strands of glass that carry information by channeling light signals emitted by laser transmitters. Hollow core fiber, on the other hand, has a hollow center filled with air, which runs the entire length of the cable and is encased in a ring of glass.

    It turns out that this configuration is better suited to QKD, because it reduces the possibility that different signals interfere with each other and spoil the whole process.


    QKD works in a similar way to traditional cryptography: data is encoded into an unreadable message thanks to a cryptography key that the recipient needs to decrypt the information. The method works by encoding the cryptography key onto a quantum particle (or qubit) that is sent to the other person, who measures the qubit in order to obtain the key value.

    This approach is particularly interesting to security researchers because it is based on the laws of quantum physics, which dictate that qubits collapse as soon as they are measured. This means that if a third party eavesdrops on the exchange and measures the qubits to figure out the cryptography key, they would inevitably leave behind a sign that they have intruded.

    Cryptographers, therefore, call QKD “provably” secure. The method is expected to bring an additional level of safety to data exchanges, especially as hackers develop better tools to crack existing security protocols.

    The technology is nascent, and researchers are looking at various ways to carry out QKD; but one of the most established approaches consists of using optic-fiber cables to send both the qubits that are loaded with the cryptography key, and the actual encrypted message.

    But when using traditional optical fiber, which is made of glass, the effectiveness of the protocol is limited. This is because the light signals that carry information are likely to spread their wavelengths when travelling through glass, an effect called “crosstalk” that causes channels of light to leak into other channels.

    For this reason, the encrypted message cannot be sent through the same cable as the qubits, which are exceptionally fragile and susceptible to the noise caused by crosstalk. The whole process, says BT, is comparable to trying to have a whispered conversation next to an orchestra.

    This is where hollow core fiber could make a big difference. In an air-filled channel, light signals don’t scatter as much, and less crosstalk occurs between channels. In other words, there can be a clear separation between the encrypted data stream and the faint quantum signal that carries the encryption key – even if they are both travelling over the same fiber.

    Ultimately, therefore, hollow core fiber could be a more efficient candidate for QKD – an “all-in-one” solution that requires less infrastructure to be built.

    “We know now that if we were to put hollow core fiber in, it could enable us to put quantum channels potentially anywhere we like, without having to worry,” Catherine White, a researcher at BT, tells ZDNet. “Whereas with standard fiber, we either have to assign separate fibers for the QKD system or we have to be really careful not to have too much classical power when doing the planning.”

    What’s more, in previous trials of the technology, BT has also demonstrated that sending light signals through an air-filled core is much faster than through glass: according to the company, hollow core fiber enables data to travel up to 50% faster than in traditional optical cables.

    This means that the technology could also significantly reduce latency in the transmission of data. “This trial shows us the material we can work with, and it has wonderful properties like low latency and low scattering,” says White.

    BT’s trial remains limited: the experiment didn’t go so far as exchanging actual encrypted data, and instead looked at the behavior of the quantum particle when it was sent alongside a high-power classical channel, in this case a light signal. The success of the trial, says White, lies in the fact that both channels remained healthy, which wouldn’t be the case with standard fiber.

    “We were just proving key exchange, not testing encryption in this case,” says White. But parameters from the trial, such as quantum bit error rate, indicate that the system effectively generated a key that could be used to protect data, continued the researcher. Experiments are now underway to apply the configuration to the exchange of data.

    The next challenge will be to find out whether the technology can be scaled up. BT trialed QKD on a six-kilometer-long cable – still far off other experiments with the protocol in which researchers have managed to deliver quantum particles over hundreds of kilometers.

    Earlier this year, for example, researchers from Toshiba Europe’s Cambridge Research Laboratory demonstrated QKD on optical fibers exceeding 600 kilometers in length.

    White explains that, for all its low-latency and low-scattering properties, the hollow core fiber used in BT’s trial is not low-loss, which is a crucial property to extend the reach of QKD. Researchers, however, are working on fine-tuning the material to improve its performance in that respect.

    “Findings show that, when tuning the fiber for particular wavelengths, we are able to have astoundingly low loss,” says White. “This is very promising and we will see further developments.”

    “It does mean that hollow core fiber could potentially help reach longer reaches of QKD than we’ve seen,” she added.


  • The state of ransomware: national emergencies and million-dollar blackmail

    Banks have been “disproportionately affected” by a surge in ransomware attacks, clocking a 1,318% increase year-on-year in 2021.

    Ransomware has become one of the most well-known and prevalent threats against the enterprise today. This year alone, we have seen high-profile cases of ransomware infection — including against Colonial Pipeline, Kaseya, and Ireland’s health service — cause everything from business disruption to fuel shortages, declarations of national emergency, and restricted medical care.

    These attacks are performed for what can end up being multi-million dollar payouts, and now these campaigns are becoming easier to perform, with initial access offerings becoming readily available to purchase online, cutting out the time-consuming legwork necessary to launch ransomware on a corporate network.

    There are a number of trends in the ransomware space of note, including:

    • Payouts: After DarkSide forced Colonial Pipeline to take fuel pipes out of operation, prompting panic-buying across the US, the firm paid a $4.4 million ransom. CEO Joseph Blount said it was the “right thing to do for the country.” The largest ransom payment stands at over $30 million.
    • High revenue: After analyzing online criminal activity, KELA says that organizations with annual revenue of over $100 million are considered the most attractive.
    • Initial Access Brokers (IABs): IABs have become an established criminal business, often sought-after by ransomware groups looking for their next target.
    • Preferred methods of access include RDP and VPN credentials or vulnerabilities. English speakers are also in high demand to take over the negotiation aspects of a successful attack.
    • Leak sites: Ransomware groups will now often threaten to leak sensitive data stolen during an attack if a victim does not pay. Cisco Secure calls this a “one-two-punch” extortion method.
    • Cartels: Researchers have found that ‘cartels’ are also forming, in which ransomware operators share information and tactics.

    In a cybersecurity threat roundup report published on Tuesday, researchers from Trend Micro said that during the first half of this year, ransomware remained a “standout threat” with large companies particularly at risk — due to their revenue and the prospect of big payouts — in what is known as “big-game hunting.”

    During the first six months of 2021, 7.3 million ransomware-related events were detected, the majority of which were WannaCry and Locky variants.

    However, this is approximately half the number of detections during the same period in 2020, a decline the researchers have attributed to a shift away from low-value attempts to big-game hunts.

    “An incident with the DarkSide ransomware [Colonial Pipeline attack] brought heightened attention to ransomware operators, which might have prompted some of them to lie low,” the researchers say. “Meanwhile, law enforcement agencies across the world conducted a series of ransomware operations takedowns that might have left an impact on wide-reaching active groups.” Banking, government entities, and manufacturing remain top targets for ransomware operators today.
    Open source and legitimate penetration testing or cybersecurity tools are also being widely abused by these threat actors. Cobalt Strike, PsExec, Mimikatz, and Process Hacker are noted in the report as present in the arsenals of Ransomware-as-a-Service (RaaS) groups including Clop, Conti, Maze, and Sodinokibi.

    In addition to ransomware, business email compromise (BEC) rates have also increased slightly, by 4%, and cryptocurrency miners are now one of the most common strains of malware detected in the wild.

    Trend Micro has also explored how misinformation relating to the COVID-19 pandemic is being used to spread malware. Phishing, social media, and social engineering are commonly employed to lure users into clicking on malicious attachments or visiting fraudulent domains, and coronavirus-related themes generally relate now not to the disease itself, but to testing and vaccination projects.

    Malicious apps are part of the spread, some of which are spreading banking Remote Access Trojans (RATs) including Cerberus and Anubis.

  • Bot attacks grow 41% in first half of 2021: LexisNexis

    A new cybercrime report from LexisNexis Risk Solutions has found that bot attacks are up significantly in 2021, growing by 41% in the first half of the year.

    The biannual report found that the financial services industry and media businesses are facing the brunt of bot attacks while human-initiated attacks fell by 29%. According to the report, financial services companies saw 683 million bot attacks from January to June, while media companies dealt with 351 million, up 174% year over year.

    The LexisNexis Risk Solutions Cybercrime report is compiled by analysing 28.7 billion transactions over the six-month period through LexisNexis’ Digital Identity Network. Digital transactions overall are up nearly 30% this year.

    LexisNexis Risk Solutions researchers wrote that the United States still leads the way as the largest originator of automated bot attacks by volume, followed by the UK, Japan, Canada, Spain, Brazil, Ireland, India, Mexico and Germany.

    Stephen Topliss, vice president of fraud and identity for LexisNexis Risk Solutions, said the report confirms that cybercriminals are increasingly relying on automated processes but also highlights that fraudsters are further establishing sophisticated and expansive networks to conduct fraud.

    “Explosive transaction and user growth rates in industry sectors such as virtual banks and buy now pay later are likely exposing emergent risks for these newer businesses as they grab the attention of fraudsters,” Topliss said. “The digital businesses that survive and thrive will be those that deploy layered cybercrime prevention solutions as they scale.”

    Bot attacks increased worldwide, with every region recording growth in bot volume in the first half of 2021. The Asia Pacific region saw the most growth alongside South America.

    Cybercriminals are industrializing fraud by “leveraging mass data breaches, sophisticated automated tools, and deep dark-web intelligence,” according to the report, which explained that due to limited in-person banking options at the beginning of the COVID-19 pandemic, many people turned to digital financial products and never looked back.

    Financial services companies are increasingly attacked through payment transactions, which “continue to be attacked at a higher rate than any other industry.”

    Media companies also face a significant number of new account creation attacks, with criminals using media organizations as a way to test stolen identity data. The report notes that there has also been an increase in attacks on cryptocurrency wallets.

    The researchers added that the future looks uncertain as economies around the globe look to rebuild after the COVID-19 pandemic.

    “Where fraud had been so heavily targeted on COVID-related stimulus packages and related scams, how will this approach evolve as support is wound up and economies start to rebuild? Will fraudsters start to capitalize on the fruits of their bot labors and use validated credentials in higher-volume human-initiated attacks?” the researchers wrote. “Will scams, targeting vulnerable and new-to-digital customers, continue to proliferate? How vulnerable will new payment methods and digital platforms — such as buy-now-pay-later — become in the face of economic uncertainty?”