US-CERT- AA22-057A: Update: Destructive Malware Targeting Organizations in Ukraine

Started by Netwörkheäd, April 28, 2022, 12:05:15 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Netwörkheäd

April 28, 2022, 12:05:15 PM
AA22-057A: Update: Destructive Malware Targeting Organizations in Ukraine

[html]Original release date: February 26, 2022 | Last revised: April 28, 2022

Summary

Actions to Take Today:

• Set antivirus and antimalware programs to conduct regular scans.

• Enable strong spam filters to prevent phishing emails from reaching end users.

• Filter network traffic.

• Update software.

• Require multifactor authentication.



(Updated April 28, 2022) This advisory has been updated to include additional Indicators of Compromise (IOCs) for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware, all of which have been deployed against Ukraine since January 2022. Additional IOCs associated with WhisperGate are in the Appendix, and specific malware analysis reports (MAR) are hyperlinked below.  





(end of update)



Leading up to Russia's https://www.cisa.gov/shields-up">unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable. 





Destructive malware can present a direct threat to an organization's daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. 



This joint Cybersecurity Advisory (CSA) between the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) provides information on WhisperGate and HermeticWiper malware as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware. Additionally, this joint CSA provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.



Download the https://us-cert.cisa.gov/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf">Joint Cybersecurity Advisory: Update: Destructive Malware Targeting Organizations in Ukraine (pdf, 559kb).

https://us-cert.cisa.gov/sites/default/files/publications/AA22-057A.stix.xml">Click here for STIX.


Technical Details

Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. Listed below are high-level summaries of campaigns employing the malware. CISA recommends organizations review the resources listed below for more in-depth analysis and see the Mitigation section for best practices on handling destructive malware.   



On January 15, 2022, Microsoft announced the identification of a sophisticated malware operation targeting multiple organizations in Ukraine. The malware, known as WhisperGate, has two stages that corrupts a system's master boot record, displays a fake ransomware note, and encrypts files based on certain file extensions. Note: although a ransomware message is displayed during the attack, Microsoft highlighted that the targeted data is destroyed, and is not recoverable even if a ransom is paid. See Microsoft's blog on https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/">Destructive malware targeting Ukrainian organizations for more information and see the IOCs in table 1. 



Table 1: IOCs associated with WhisperGate




   
      
         
         
         
         
      
   
   
      
         
         
         
         
      
      
         
         
         
         
      
   
NameFile CategoryFile HashSource
WhisperGate  stage1.exe 
         

https://www.virustotal.com/gui/file/a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92">a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92


         		https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/">Microsoft MSTIC  
WhisperGatestage2.exe
         

https://www.virustotal.com/gui/file/dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78">dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78


         
         

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/">Microsoft MSTIC


         


 



(Updated April 28, 2022) See Appendix: Additional IOCs associated with WhisperGate.



On February 23, 2022, cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record and resulting in subsequent boot failure. Note: according to Broadcom Software, "[HermeticWiper] has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware." See the following resources for more information and see the IOCs in table 2 below. 





Table 2: IOCs associated with HermeticWiper




   
      
         
         
         
         
      
   
   
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
   
NameFile CategoryFile HashSource
Win32/KillDisk.NCVTrojan912342F1C840A42F6B74132F8A7C4FFE7D40FB77

         61B25D11392172E587D8DA3045812A66C3385451

          		https://twitter.com/ESETresearch/status/1496581916367151115?s">ESET research
HermeticWiperWin32 EXE912342f1c840a42f6b74132f8a7c4ffe7d40fb77
         

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/">SentinelLabs


         
HermeticWiperWin32 EXE61b25d11392172e587d8da3045812a66c3385451
         

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/">SentinelLabs


         
RCDATA_DRV_X64ms-compresseda952e288a1ead66490b3275a807f52e5
         

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/">SentinelLabs


         
RCDATA_DRV_X86ms-compressed231b3385ac17e41c5bb1b1fcb59599c4
         

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/">SentinelLabs


         
RCDATA_DRV_XP_X64ms-compressed095a1678021b034903c85dd5acb447ad
         

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/">SentinelLabs


         
RCDATA_DRV_XP_X86 ms-compressedeb845b7a16ed82bd248e395d9852f467
         

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/">SentinelLabs


         
Trojan.KilldiskTrojan.Killdisk 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia">Symantec Threat Hunter Team
Trojan.KilldiskTrojan.Killdisk0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia">Symantec Threat Hunter Team
Trojan.KilldiskTrojan.Killdiska64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3ehttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia">Symantec Threat Hunter Team
RansomwareTrojan.Killdisk4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia">Symantec Threat Hunter Team

Mitigations

Best Practices for Handling Destructive Malware



As previously noted above, destructive malware can present a direct threat to an organization's daily operations, impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection, and response, for such an event. This section is focused on the threat of malware using enterprise-scale distributed propagation methods and provides recommended guidance and considerations for an organization to address as part of their network architecture, security baseline, continuous monitoring, and incident response practices. 



CISA and the FBI urge all organizations to implement the following recommendations to increase their cyber resilience against this threat.



Potential Distribution Vectors



Destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access.



The malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems. Systems to assess include:




       
  • Enterprise applications – particularly those that have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
       

            
    • Patch management systems,

      •       
    • Asset management systems,

      •       
    • Remote assistance software (typically used by the corporate help desk),

      •       
    • Antivirus (AV) software,

      •       
    • Systems assigned to system and network administrative personnel,

      •       
    • Centralized backup servers, and

      •       
    • Centralized file shares.

      •    

       



While not only applicable to malware, threat actors could compromise additional resources to impact the availability of critical data and applications. Common examples include:




       
  • Centralized storage devices
       

            
    • Potential risk – direct access to partitions and data warehouses.

      •    

       

    •    
  • Network devices
       

            
    • Potential risk – capability to inject false routes within the routing table, delete specific routes from the routing table, remove/modify, configuration attributes, or destroy firmware or system binaries—which could isolate or degrade availability of critical network resources.

      •    

       



Best Practices and Planning Strategies



Common strategies can be followed to strengthen an organization's resilience against destructive malware. Targeted assessment and enforcement of best practices should be employed for enterprise components susceptible to destructive malware.



Communication Flow



       
  • Ensure proper network segmentation.

    •    
  • Ensure that network-based access control lists (ACLs) are configured to permit server-to-host and host-to-host connectivity via the minimum scope of ports and protocols and that directional flows for connectivity are represented appropriately.
       

            
    • Communications flow paths should be fully defined, documented, and authorized.

      •    

       

    •    
  • Increase awareness of systems that can be used as a gateway to pivot (lateral movement) or directly connect to additional endpoints throughout the enterprise.
       

            
    • Ensure that these systems are contained within restrictive Virtual Local Area Networks (VLANs), with additional segmentation and network access controls.

      •    

       

    •    
  • Ensure that centralized network and storage devices' management interfaces reside on restrictive VLANs.
       

            
    • Layered access control, and

      •       
    • Device-level access control enforcement – restricting access from only pre-defined VLANs and trusted IP ranges.

      •    

       



Access Control



       
  • For enterprise systems that can directly interface with multiple endpoints:
       

            
    • Require multifactor authentication for interactive logons.

      •       
    • Ensure that authorized users are mapped to a specific subset of enterprise personnel.
            

                 
      • If possible, the "Everyone," "Domain Users," or the "Authenticated Users" groups should not be permitted the capability to directly access or authenticate to these systems.

        •       

            

      •       
    • Ensure that unique domain accounts are used and documented for each enterprise application service.
            

                 
      • Context of permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.

        •          
      • Provides an enterprise with the capability to track and monitor specific actions correlating to an application's assigned service account.

        •       

            

      •       
    • If possible, do not grant a service account with local or interactive logon permissions.
            

                 
      • Service accounts should be explicitly denied permissions to access network shares and critical data locations.

        •       

            

      •       
    • Accounts that are used to authenticate to centralized enterprise application servers or devices should not contain elevated permissions on downstream systems and resources throughout the enterprise.

      •    

       

    •    
  • Continuously review centralized file share ACLs and assigned permissions.
       

            
    • Restrict Write/Modify/Full Control permissions when possible.

      •    

       



Monitoring



       
  • Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
       

            
    • Failed logon attempts,

      •       
    • File share access, and

      •       
    • Interactive logons via a remote session.

      •    

       

    •    
  • Review network flow data for signs of anomalous activity, including:
       

            
    • Connections using ports that do not correlate to the standard communications flow associated with an application,

      •       
    • Activity correlating to port scanning or enumeration, and

      •       
    • Repeated connections using ports that can be used for command and control purposes.

      •    

       

    •    
  • Ensure that network devices log and audit all configuration changes.
       

            
    • Continually review network device configurations and rule sets to ensure that communications flows are restricted to the authorized subset of rules.

      •    

       



File Distribution



       
  • When deploying patches or AV signatures throughout an enterprise, stage the distributions to include a specific grouping of systems (staggered over a pre-defined period).
       

            
    • This action can minimize the overall impact in the event that an enterprise patch management or AV system is leveraged as a distribution vector for a malicious payload.

      •    

       

    •    
  • Monitor and assess the integrity of patches and AV signatures that are distributed throughout the enterprise.
       

            
    • Ensure updates are received only from trusted sources,

      •       
    • Perform file and data integrity checks, and

      •       
    • Monitor and audit – as related to the data that is distributed from an enterprise application.

      •    

       



System and Application Hardening



       
  • Ensure robust vulnerability management and patching practices are in place. 
       

            
    • CISA maintains https://cisa.gov/known-exploited-vulnerabilities">a living catalog of known exploited vulnerabilities that carry significant risk to federal agencies as well as public and private sectors entities. In addition to thoroughly testing and implementing vendor patches in a timely—and, if possible, automated— manner, organizations should ensure patching of the vulnerabilities CISA includes in this catalog.

      •    

       

    •    
  • Ensure that the underlying operating system (OS) and dependencies (e.g., Internet Information Services [IIS], Apache, Structured Query Language [SQL]) supporting an application are configured and hardened based upon industry-standard best practice recommendations. Implement application-level security controls based on best practice guidance provided by the vendor. Common recommendations include:
       

            
    • Use role-based access control,

      •       
    • Prevent end-user capabilities to bypass application-level security controls,
            

                 
      • For example, do not allow users to disable AV on local workstations.

        •       

            

      •       
    • Remove, or disable unnecessary or unused features or packages, and

      •       
    • Implement robust application logging and auditing.

      •    

       



Recovery and Reconstitution Planning


A https://www.ready.gov/business-impact-analysis">business impact analysis (BIA) is a key component of contingency planning and preparation. The overall output of a BIA will provide an organization with two key components (as related to critical mission/business operations):




       
  • Characterization and classification of system components, and

    •    
  • Interdependencies.



Based upon the identification of an organization's mission critical assets (and their associated interdependencies), in the event that an organization is impacted by destructive malware, recovery and reconstitution efforts should be considered.



To plan for this scenario, an organization should address the availability and accessibility for the following resources (and should include the scope of these items within incident response exercises and scenarios):




       
  • Comprehensive inventory of all mission critical systems and applications:
       

            
    • Versioning information,

      •       
    • System/application dependencies,

      •       
    • System partitioning/storage configuration and connectivity, and

      •       
    • Asset owners/points of contact.

      •    

       

    •    
  • Contact information for all essential personnel within the organization,

    •    
  • Secure communications channel for recovery teams,

    •    
  • Contact information for external organizational-dependent resources:
       

            
    • Communication providers,

      •       
    • Vendors (hardware/software), and

      •       
    • Outreach partners/external stakeholders

      •    

       

    •    
  • Service contract numbers – for engaging vendor support,

    •    
  • Organizational procurement points of contact,

    •    
  • Optical disc image (ISO)/image files for baseline restoration of critical systems and applications:
       

            
    • OS installation media,

      •       
    • Service packs/patches,

      •       
    • Firmware, and

      •       
    • Application software installation packages.

      •    

       

    •    
  • Licensing/activation keys for OS and dependent applications,

    •    
  • Enterprise network topology and architecture diagrams,

    •    
  • System and application documentation,

    •    
  • Hard copies of operational checklists and playbooks,

    •    
  • System and application configuration backup files,

    •    
  • Data backup files (full/differential),

    •    
  • System and application security baseline and hardening checklists/guidelines, and

    •    
  • System and application integrity test and acceptance checklists.



Incident Response


Victims of a destructive malware attacks should immediately focus on containment to reduce the scope of affected systems. Strategies for containment include:




       
  • Determining a vector common to all systems experiencing anomalous behavior (or having been rendered unavailable)—from which a malicious payload could have been delivered:
       

            
    • Centralized enterprise application,

      •       
    • Centralized file share (for which the identified systems were mapped or had access),

      •       
    • Privileged user account common to the identified systems,

      •       
    • Network segment or boundary, and

      •       
    • Common Domain Name System (DNS) server for name resolution.

      •    

       

    •    
  • Based upon the determination of a likely distribution vector, additional mitigation controls can be enforced to further minimize impact:
       

            
    • Implement network-based ACLs to deny the identified application(s) the capability to directly communicate with additional systems,
            

                 
      • Provides an immediate capability to isolate and sandbox specific systems or resources.

        •       

            

      •       
    • Implement null network routes for specific IP addresses (or IP ranges) from which the payload may be distributed,
            

                 
      • An organization's internal DNS can also be leveraged for this task, as a null pointer record could be added within a DNS zone for an identified server or application.

        •       

            

      •       
    • Readily disable access for suspected user or service account(s),

      •       
    • For suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems, and

      •       
    • Be prepared to, if necessary, reset all passwords and tickets within directories (e.g., changing golden/silver tickets). 

      •    

       



As related to incident response and incident handling, organizations are encouraged to report incidents to the FBI and CISA (see the Contact section below) and to preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes. See https://www.cisa.gov/uscert/ncas/alerts/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity for more information.





Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at https://us-cert.cisa.govmailto:central@cisa.dhs.gov">central@cisa.dhs.gov or (888) 282-0870 and/or to the FBI via your https://www.fbi.gov/contact-us/field-offices">local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or https://us-cert.cisa.govmailto:CyWatch@fbi.gov">CyWatch@fbi.gov.



Resources





Updated April 28, 2022:



Appendix: Additional IOCS Associated with WhisperGate



The hashes in Table 3 contain malicious binaries, droppers, and macros linked to WhisperGate cyber actors activity. The binaries are predominantly .Net and are obfuscated. Obfuscation varies; some of the binaries contain multiple layers of obfuscation. Analysis identified multiple uses of string reversal, character replacement, base64 encoding, and packing. Additionally, the malicious binaries contain multiple defenses including VM checks, sandbox detection and evasion, and anti-debugging techniques. Finally, the sleep command was used in varying lengths via PowerShell to obfuscate execution on a victim's network. 

All Microsoft .doc files contain a malicious macro that is base64 encoded. Upon enabling the macro, a PowerShell script runs a sleep command and then downloads a file from an external site. The script connects to the external website via HTTP to download an executable. Upon download, the executable is saved to C:\Users\Public\Documents\ filepath on the victim host. 

An identified zip file was found to contain the Microsoft Word file macro_t1smud.doc. Once the macro is enabled, a bash script runs a sleep command and the script connects to htxxps://the.earth.li/~sgtatham/putty/latest/w32/putty.exe. This binary is likely the legitimate Putty Secure Shell binary. Upon download the file is saved to C:\Users\Public\Documents\ file path.



Profile of Malicious Hashes




       
  • Saintbot (and related .Net loaders) 

    •    
  • WhisperGate Malware and related VB files 

    •    
  • Quasar RAT 

    •    
  • .NET Infostealer malware

    •    
  • Telegram Bot

    •    
  • Multiple Loaders (mostly utilizing PowerShell that pull down a jpg or bin files)

    •    
  • Jpg/PNG files = obfuscated executables

    •    
  • antidef.bat = likely a bat file to disable Windows Defender



Table 3: Additional IOCs associated with WhisperGate




   
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         

         

Hash


         
         

Associated Files


         

         

647ebdca2ef6b74b17bb126df19bf0ed88341650


         
         

loader2132.exe


         

         

24f71409bde9d01e3519236e66f3452236302e46


         
         

saint.exe


         

         

1e3497ac435936be06ba665a4acd06b850cf56b4


         
         

loader.exe


         

         

981319f00b654d0142430082f2e636ef69a377d9


         
         

Yudjcfoyg.exe


         

         

e0dbe49c9398a954095ee68186f391c288b9fcc5


         
         

Project_1.exe


         

         

0ba64c284dc0e13bc3f7adfee084ed25844da3d2


         
         

Hjtiyz.jpg


         

         

6b8eab6713abb7c1c51701f12f23cdff2ff3a243


         
         

Ltfckzl.jpg


         

         

3bbb84206f0c81f7fd57148f913db448a8172e92


         
         

Vgdnggv.jpg


         

         

7c77b1c72a2228936e4989de2dfab95bfbbbc737


         
         

Pfiegomql.jpg


         

         

c0cd6f8567df73e9851dbca4f7c4fbfe4813a2e1


         
         

Fezpwij.jpg


         

         

d6830184a413628db9946faaae8b08099c0593a0


         
         

Bqpptgcal.jpg


         

         

d083da96134924273a7cbc8b6c51c1e92de4f9e1


         
         

loader.jpg


         

         

d599f16e60a916f38f201f1a4e6d73cb92822502


         
         

Debythht.jpg


         

         

9b9374a5e376492184a368fcc6723a7012132eae


         
         

Dmhdgocsp.jpg


         

         

86bd95db7b514ea0185dba7876fa612fae42b715


         
         

Zysyrokzk.jpg


         

         

e7917df9feabfedae47d8b905136d52cb5cb7f37


         
         

Baeipiyd.jpg


         

         

b2d863fc444b99c479859ad7f012b840f896172e


         
         

Tbopbh.jpg


         

         

d85e1614cf4a1e9ec632580b62b0ecb5f8664352


         
         

Lxkdjr.jpg


         

         

08f0b0d66d370151fd8a265b1f9be8be61cc1aa9


         
         

Twojt.bin


         

         

5ac592332a406d5b2dcfc81b131d261da7e791d2


         
         

Rvlxi.bin


         

         

052825569c880212e1e39898d387ef50238aaf35


         
         

Yarfe.bin


         

         

4c2a0f44b176ba83347062df1d56919a25445568


         
         

Ftvqpq.bin


         

         

d51214461fc694a218a01591c72fe89af0353bc1


         
         

Pkbsu.bin


         

         

1125b2c3c91491aa71e0536bb9a8a1b86ff8f641


         
         

Pkcxiu.bin


         

         

37f54f121bcae65b4b3dd680694a11c5a5dfc406


         
         

loader.bin


         

         

4facd9a973505bb00eb1fd9687cbab906742df73


         
         

loader.bin


         

         

376a2339cbbb94d33f82dea2ea78bb011485e0d9


         
         

Qmpnrffn.bin


         

         

b6793fc62b27ee3cce24e9e63e3108a777f71904


         
         

Vpzhote.bin


         

         

1fc463b2f53ba0889c90cc2b7866afae45a511de


         
         

Yymmdbfrb.bin


         

         

ff71f9defc2dd27b488d961ce0fbc6ece56b2962


         
         

Zlhmmwutx.bin


         

         

13ca079770f6f9bdddfea5f9d829889dc1fbc4ed


         
         

Xhlnfjeqy.bin


         

         

c99c982d1515ade3da81268e79f5e5f7d550aabd


         
         

Gpfsqm.png


         

         

d6ffa42548ff12703e38c5db6c9c39c34fe3d82a


         
Let's not argue. Let's network!
Print
Go Up Pages1
User actions