Veeam 12.3 – Security Features Recap & Tips

INTRODUCTION

The topic of security is on the daily agenda for us professionals in the IT world nowadays: news of hacker attacks, data breaches, and ransomware requests are no longer news, but are unfortunately everyday occurrences.

💡: to stay up to date on the latest ransomware attacks around the world, and for many other insights on the topic, I suggest checking out the Ransomware Live site

In this scenario, Veeam Data Platform 12.3 helps us protect our data and reduce the impacts of a cyberattack.

Let’s look at all the security-oriented features built into the software.


SECURITY FEATURES


The latest Veeam 12.3 release brings with it many security features that have been gradually introduced and improved over the years by the leading US Data Protection company.


Security and Compliance Analyzer

It is a tool integrated into the VBR console that analyzes several configurations of the backup infrastructure components, checking their compliance with the suggested security best practices.

Some examples: disabling obsolete/vulnerable protocols, verifying the presence of hardened/immutable repositories, the 3-2-1 rule, encryption password complexity, and having the latest patches installed.

💡: you can schedule the automatic scan and have the report sent via email

Malware detection

It is the real engine of cybersecurity built into Veeam 12.3, and includes several features. Below are the details:


1) guest index data scan

Supported for VMware, Hyper-V, Nutanix and Veeam Agent for Windows backups, it scans the indexes of a file system (once the “guest file system indexing” option is enabled on the backup job) and flags any suspicious files/extensions with a specific event in the VBR console.



It is managed by the Veeam Data Analyzer Service, which at the end of each backup compares the index contents with the “SuspiciousFiles.xml” file, which contains a (customizable) list of suspicious files and extensions.

💡: for backup servers whose internet access is blocked, including to Veeam addresses, you can update the list of suspicious files manually by downloading the “SuspiciousFiles.xml” file as described in this KB

This XML file also contains a list of IoCs (Indicators of Compromise) selected from the MITRE ATT&CK matrix, i.e., files that are not malicious in themselves but may indicate suspicious activity in progress. In this case, the Veeam Data Analyzer Service compares the index files of the last two restore points (created at least 25 hours and at most 30 days apart), looking for any potential indicators of compromise. Here too it is possible to choose which of the default IoCs to monitor and which to ignore.



Another feature managed by the Veeam Data Analyzer Service is the detection of mass file deletions. By comparing the index files of the last two restore points (created within a time window of at least 25 hours and at most 30 days), if a given extension has at least 100 files and more than 50 percent of them have been deleted in the last restore point, a malware detection event is created. The tracked extensions are recorded in the file “TrackedFiles.xml”, which can be customized by changing the Thresholdpercent and Thresholdfiles parameters, adding specific extensions, or excluding file system paths that we do not intend to monitor.

Finally, with the same logic of comparing the indexes of two restore points, mass extension changes are also identified: when certain conditions occur (not customizable this time), such as at least 200 files having a new extension that is not present in “SuspiciousFiles.xml”, a malware detection event is triggered.
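The three guest-index heuristics described above (suspicious-extension match, mass deletion above the TrackedFiles thresholds, and mass extension change), re-implemented as an added example in PowerShell on constructed data. This is not Veeam's code: the "index" is assumed to be a plain array of file paths, the suspicious-extension list is a made-up stand-in for the real SuspiciousFiles.xml contents, and "new extension" is read as an extension that did not appear anywhere in the previous restore point's index.

```powershell
# Added example, not Veeam's code. Assumptions: an index is an array of paths;
# $SuspiciousExtensions is a constructed stand-in for SuspiciousFiles.xml.
$SuspiciousExtensions = @('.wncry', '.crypt', '.locky')   # hypothetical values

function Get-Ext { param([string]$Path) [System.IO.Path]::GetExtension($Path).ToLowerInvariant() }

function Find-SuspiciousFiles {
    param([string[]]$Index, [string[]]$Suspicious = $SuspiciousExtensions)
    # Flags every file whose extension appears in the suspicious list
    $Index | Where-Object { $Suspicious -contains (Get-Ext $_) }
}

function Find-MassDeletion {
    param(
        [string[]]$Previous, [string[]]$Current,
        [int]$ThresholdFiles = 100,      # defaults as described for TrackedFiles.xml
        [int]$ThresholdPercent = 50
    )
    $stillPresent = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Current, [System.StringComparer]::OrdinalIgnoreCase)
    $hits = @()
    foreach ($group in ($Previous | Group-Object { Get-Ext $_ })) {
        $ext = $group.Name
        if (-not $ext -or $group.Count -lt $ThresholdFiles) { continue }
        # "Deleted" = present in the older restore point, absent from the newer one
        $deleted = @($group.Group | Where-Object { -not $stillPresent.Contains($_) }).Count
        $percent = [math]::Round(100 * $deleted / $group.Count, 1)
        if ($percent -gt $ThresholdPercent) {
            $hits += [pscustomobject]@{ Check = 'MassDeletion'; Extension = $ext
                                        Before = $group.Count; Deleted = $deleted; Percent = $percent }
        }
    }
    return $hits
}

function Find-MassExtensionChange {
    param([string[]]$Previous, [string[]]$Current, [string[]]$Suspicious = $SuspiciousExtensions)
    $knownExts = @($Previous | ForEach-Object { Get-Ext $_ } | Sort-Object -Unique)
    $hits = @()
    foreach ($group in ($Current | Group-Object { Get-Ext $_ })) {
        $ext = $group.Name
        if (-not $ext) { continue }
        # Extensions already known, or already in the suspicious list, are handled elsewhere
        if ($knownExts -contains $ext -or $Suspicious -contains $ext) { continue }
        if ($group.Count -ge 200) {      # fixed threshold, not customizable
            $hits += [pscustomobject]@{ Check = 'MassExtensionChange'; Extension = $ext; Count = $group.Count }
        }
    }
    return $hits
}

# Constructed indexes for two restore points: 90 of 150 .docx files vanish and
# 210 files with a brand-new .locked extension appear, plus one suspicious file.
$previousIndex = @(1..150 | ForEach-Object { "C:\Data\report$_.docx" }) +
                 @(1..20  | ForEach-Object { "C:\Data\note$_.txt" })
$currentIndex  = @(1..60  | ForEach-Object { "C:\Data\report$_.docx" }) +
                 @(1..20  | ForEach-Object { "C:\Data\note$_.txt" }) +
                 @(1..210 | ForEach-Object { "C:\Data\report$_.docx.locked" }) +
                 @('C:\Users\Public\payload.wncry')

Find-SuspiciousFiles -Index $currentIndex
Find-MassDeletion -Previous $previousIndex -Current $currentIndex | Format-Table -AutoSize
Find-MassExtensionChange -Previous $previousIndex -Current $currentIndex | Format-Table -AutoSize
```

On the constructed data the first call returns the .wncry file, the second reports .docx (150 before, 90 deleted, 60%), and the third reports .locked (210 files). Tuning ThresholdFiles or ThresholdPercent on the call shows how the TrackedFiles.xml parameters move the detection boundary.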

💡: logs of malware detection events, in addition to the dedicated section within the VBR console, can be accessed in the default path “C:\ProgramData\Veeam\Backup\Malware_Detection_Logs”

💡: you must also consider that by default the indexing data is kept in the Veeam Catalog for 14 days. If you want to increase this value, you can use Veeam Enterprise Manager, which maintains an extra copy of the Catalog with a configurable retention

2) inline scan

While the features just described are based on post-backup analysis at the file system level, the inline scan acts at the image/block level during the backup, detecting high-entropy data that can be generated by malware, such as encrypted files, and artifacts such as text files that may contain onion links or ransomware notes.

Technically, during each backup session the Veeam Proxy in use generates files (RIDX format, one for each virtual disk processed) containing the disk metadata (disk name, creation time, disk size, used size, sector size, partition table) and the ransomware-related data (encrypted data, file types, onion addresses, ransomware notes).

After the backup is complete, these files are copied to the VBR Catalog and scanned by the usual Veeam Data Analyzer Service, which saves the results of its analysis in the “RansomwareIndexAnalyzeState.xml” file. When a new restore point appears, the service compares the most recent and the oldest RIDX file (created within a time window of at least 25 hours and at most 30 days) and updates the “RansomwareIndexAnalyzeState.xml” file accordingly. If anything suspicious is identified, a malware detection event is created and the object (the specific virtual machine) is marked as “suspicious”.


💡: the inline scan feature is disabled by default; if you want to enable it, keep in mind that it increases CPU usage on the proxies and RAM/disk usage on the VBR

💡: to check in detail which files have been identified as “encrypted data,” use the procedure provided in this KB


3) scan backup – signature detection

Using this feature it is possible to find a clean restore point (one not infected with malware) or to identify specific information, such as sensitive data. Currently, only scanning Windows servers (VMs or agents) via a Windows mount server is supported.

There are three engines that can be used for scanning:

  • Veeam Threat Hunter: a Veeam service automatically installed on mount servers and running in the background. Before each scan, it checks for malware signature updates. 💡: a registry key can be set to configure file and folder exclusions from the scan

  • 3rd-party AV: as an alternative to Veeam Threat Hunter, you can use a third-party antivirus pre-installed on the mount server; you can find information about the default AVs, and add custom ones, in the “AntivirusInfos.xml” file on the mount server.

  • YARA rule: using files with a well-defined syntax, it is possible to search for infected restore points or for sensitive data. In the former case, if no clean restore point is found, a malware detection event is generated.

Whenever the scan finds a restore point that is not clean, it is marked as “infected”. If the scan session finds at least one clean restore point, it ends in “success,” otherwise in “failed.”


💡: it is possible to suppress the event generation by inserting this line within the YARA file: <rule SearchFileHash : SuppressMalwareDetectionNotification>


💡: the complete scan logs can be found in the following directory of the mount server: C:\ProgramData\Veeam\Backup\FLRSessions\Windows\FLR__<machinename>_\Antivirus


Secure restore

This feature allows the scan engines described above to be used during a restore.

Specifically, the following scenarios are supported:

◦ Instant Recovery
◦ Virtual Disks Restore
◦ Entire VM Restore
◦ Restore to Microsoft Azure
◦ Restore to Amazon EC2
◦ Restore to Google Compute Engine
◦ Disk Export


💡: you can schedule automatic scanning of backups using SureBackup

💡: if you have VRO (Veeam Recovery Orchestrator), you can take full advantage of its automation features in a clean room environment

Incident API

Veeam not only leverages its own malware detection capabilities, but also offers the ability to integrate third-party tools.
Through a dedicated Veeam REST API, external monitoring and analysis tools can automate incident management and incident response processes to the point of involving the backup infrastructure as well.
For example, an automatic quick backup can be launched upon receipt of an external threat detection event.

Syslog integration

Within Veeam it is possible to configure the forwarding of events to external syslog servers, following the RFC 5424 standard.

It is possible to exclude certain events from forwarding, either by entering them manually in the interface or via XML files.
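To make the RFC 5424 format concrete, here is an added PowerShell example (not Veeam's code) that parses the RFC 5424 header into its fields and applies an exclusion list, mirroring the "exclude certain events from forwarding" option. The sample messages, the host and app names, and the EXAMPLE-* event IDs are constructed for this example and do not reproduce Veeam's real event catalogue or structured-data layout.

```powershell
# Added example, not Veeam's code: RFC 5424 header parser plus an exclusion filter.
# Sample messages and EXAMPLE-* IDs below are constructed, not real Veeam events.

function ConvertFrom-Syslog5424 {
    param([Parameter(Mandatory)][string]$Line)
    # RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
    # "-" is the NILVALUE; STRUCTURED-DATA is "-" or one or more [id k="v" ...] elements.
    # Escaped "\]" inside quoted SD values is not handled by this simplified pattern.
    $pattern = '^<(?<pri>\d{1,3})>(?<ver>\d+) (?<ts>\S+) (?<host>\S+) (?<app>\S+) (?<proc>\S+) (?<msgid>\S+) (?<sd>-|(?:\[[^\]]*\])+)(?: (?<msg>.*))?$'
    if ($Line -notmatch $pattern) { throw "Not a valid RFC 5424 message: $Line" }
    $pri = [int]$Matches['pri']
    [pscustomobject]@{
        Facility       = [int][math]::Floor($pri / 8)   # PRI = Facility * 8 + Severity
        Severity       = $pri % 8                        # 0 = Emergency ... 6 = Informational, 7 = Debug
        Timestamp      = $Matches['ts']
        Host           = $Matches['host']
        App            = $Matches['app']
        MsgId          = $Matches['msgid']
        StructuredData = $Matches['sd']
        Message        = $Matches['msg']
    }
}

function Select-ForwardedEvent {
    param([string[]]$Lines, [string[]]$ExcludedMsgIds = @())
    foreach ($line in $Lines) {
        $evt = ConvertFrom-Syslog5424 -Line $line
        if ($ExcludedMsgIds -contains $evt.MsgId) { continue }   # excluded: not forwarded
        $evt
    }
}

# Constructed sample messages (facility local0 = 16, so PRI = 128 + severity)
$sampleLines = @(
    '<134>1 2024-07-19T04:09:00Z vbr01 example-vbr - EXAMPLE-1001 [job name="Daily-VMs" result="Success"] Backup job finished',
    '<132>1 2024-07-19T04:10:00Z vbr01 example-vbr - EXAMPLE-2001 [job name="Daily-VMs"] Backup job finished with warnings',
    '<131>1 2024-07-19T04:11:00Z vbr01 example-vbr - EXAMPLE-3001 [object vm="web01" state="suspicious"] Malware detection event'
)

# Drop the routine success event; warnings and malware detections still go through
Select-ForwardedEvent -Lines $sampleLines -ExcludedMsgIds 'EXAMPLE-1001' |
    Format-Table Severity, Host, MsgId, Message -AutoSize
```

The MSGID field is the natural key for an exclusion list because it is stable across messages of the same type, while the free-text MSG part may change between releases; the PRI decoding is included because SIEM routing rules usually key on facility and severity rather than on the message text.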

💡: the full list of events managed by Veeam 12.3 can be found here

💡: for advanced configurations please refer to this KB



Analytics View – Veeam Threat Center

It is possible to integrate within the VBR console the view of some Veeam ONE dashboards, such as the Veeam Threat Center one, which embeds a set of information about the global security and compliance status of our backup infrastructure.

Recon scanner

This feature is one of the latest additions to the Veeam Data Platform, and is based on technology developed by Coveware, a leading Cybersecurity Incident Response company acquired by Veeam in April 2024.

It consists of installing an agent in VBR environments that continuously collects data in order to proactively identify possible suspicious activity or the use of TTPs.

After each full system scan by the agent, the results can be viewed directly in the dedicated Coveware portal.

💡: it requires a Veeam Data Platform Premium license

External projects: Veeam decoy / Veeam vScan

Two external open-source projects, maintained by the Veeam community, also deserve a mention: Veeam Decoys and Veeam vScan, both of which fall under the security domain.

The former is a system that simulates multiple Veeam and Windows services, such as Veeam Backup Server services, Veeam Hardened Repository, Veeam Windows Repository, Veeam Backup Enterprise Manager, etc.
All captured connection attempts, including information such as source port, source IP, or credentials used, can be sent to a centralized syslog server or via email.

The second allows vulnerability assessments to be performed on existing backup data, using the open source tools Trivy and Grype.

CONCLUSION


In short, as we have seen, the security features present in Veeam Data Platform 12.3 are numerous and useful.

We are now waiting to find out what’s new in the next versions! 💚

Veeam Vulnerability Scan Project

After the Veeam Decoy Project a few months ago, here is another very interesting tool developed for the Veeam community.

This is once again an open source project in the security area: integrated with Veeam Backup & Replication, it enables vulnerability assessments on existing backup data, using the open source tools Trivy and Grype.

The solution is designed to help manage situations such as security incidents, during which a specific server may be required to be restored at a specific point in time. Using vScan, it is possible to analyze that backup and check what vulnerabilities it has at the OS level (Linux only) before putting it back into production.

What would happen, in fact, if an attacker was still in our network ready to exploit our systems again?

Let’s explore some details of this tool.

Installation requirements

  • OS (client): Windows 10+
  • CPU: 1 core
  • RAM: 512 MB
  • Disk: 500 MB
  • Software: VBR console and Veeam PowerShell module
  • Veeam version: 12.x
  • Linux server for scan: Rocky Linux 9.x / Ubuntu 22.x
  • Backup support: vSphere VM, Linux OS
  • Credentials Linux Server for Scan: root or user with sudo
  • Ports: 9392, 22, 587
  • Internet Access

You can download the software from the following address: https://github.com/VeeamHub/veeam-vscan-security

Method of use

  • Open the application with administrative rights
  • Under settings, validate the presence of the VBR console and Powershell module
  • Enter the credentials of the VBR
  • Select a Linux scanner from the list of servers in the VBR or specify an external one
  • Test and save the configuration
  • Configure settings for email notifications (optional)
  • Select the server, disk and restore point to scan (multiple selections can be made by adding them to the scan “queue”)
  • Perform the backup mount operation and select an engine for the scan
  • Analyze or export the generated results

Features Summary

  • Integration with Veeam Data Integration API
  • Integration with Security Scanner Trivy and Grype
  • Automatic installation and update of definitions
  • Granular selection of backups
  • Use of a managed or external VBR linux server for scanning
  • Dashboard with vulnerability and severity trends
  • Vulnerability list synchronized with Nist NVD and Github Advisory database
  • CVE check contained in the CISA Known Exploited Vulnerabilities catalog
  • Status tracking of detected vulnerabilities
  • Ability to filter detected vulnerabilities by severity, status, server name, etc.
  • Export of results to CSV/HTML
  • Email notifications
  • Connection status

Conclusion

The tool is very simple to set up and use, and the interface is minimal but attractive. This version only supports scanning Linux machines on VMware, but there will surely be improvements in the next releases.

Obviously, it is not to be considered as something to prevent security incidents or to be used as a replacement for the more classic vulnerability assessment tools on live production systems.
Instead, it can be categorized, alongside the malware detection features already included in the latest versions of Veeam such as Antivirus/YARA Scan and Veeam Threat Hunter, as an extra weapon to perform additional checks on our last barrier of defense, the backup data.

Enjoy! 💚

Veeam Decoy Project

Let’s start from the beginning: security and backup.

Today, unfortunately, ransomware attacks are on the rise, and defending against them is an increasingly difficult challenge.

If backups used to be considered as something not really important, perhaps useful only in case of any storage damage, today they have become the last resort to keep our data safe.

For this reason, one of the main targets during a cyber attack is the backup infrastructure: if threat actors succeed in taking it down, the road to ransom payment will be straight downhill.

News of collaborations and product integrations between large data protection and security vendors are now a daily occurrence, most recently the one between Veeam and Palo Alto Networks Cortex XSIAM/XSOAR.

All this brings home to us how important it is to focus on the security of all systems, including backup infrastructure.

One of the several best practices recommended by Veeam, for example, is to try to make its components as anonymous as possible.

Assigning backup servers and repositories a name that cannot be identified with their role can be a first step toward not making things so easy for any malicious attackers.

Another method for attempting to identify and perhaps slow down an ongoing attack is to use honeypots: traps, decoys used to attract threat actors and draw them out.

The honeypot is a component that simulates the production system, possibly with the same applications, but with data that is not real.

In the case of Veeam Data Platform, the idea might be to create a VBR server that acts as a honeypot, perhaps even equipped with working backups.

Of course, this might require a not inconsiderable effort, because we would have to use sacrificial, non-production systems, with the only purpose of attracting malicious attackers and having our anomaly detection software detect intrusion or tampering attempts on the honeypot.

A simpler option is the one developed by the open-source Veeam Decoy project.

This system simulates multiple Veeam and Windows services, such as Veeam Backup Server services, Veeam Hardened Repository, Veeam Windows Repository, Veeam Backup Enterprise Manager, SSH, RDP, Netbios.

It supports the use of multiple network cards, so each service can be associated with a specific VLAN, making it ready for realistic attack scenarios using lateral movement tactics (TA0008).

The system doesn’t receive any incoming traffic, so any connection attributable to the use of discovery tactics (TA0007) should represent an intrusion attempt.

This tool can be downloaded as an OVA appliance (compatible only with vSphere 8.0 or higher) or installed on a minimal Rocky Linux.

The console comes with a very simple yet comprehensive interface where we can manage the status of decoy services, associated network interfaces, and view real-time ports in use and connection logs on each specific service.

All captured connection attempts, including information such as source port, source IP, or credentials used, can be turned over to a centralized syslog server or sent via email, so that alerting can be triggered and readily handled by a SOC.
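The principle behind the decoy (a service that should never receive legitimate traffic, so every connection is worth alerting on) reduced to its simplest form, as an added PowerShell example that is not the Veeam Decoy project's code: a single-port TCP listener that records the source address and time of each connection as a JSON line and closes the socket. The port (9392, one of the Veeam ports listed elsewhere on this page), the log path and the connection limit are assumptions for the example; the real project emulates the service protocols and captures credentials, which this minimal version does not.

```powershell
# Added example, not the Veeam Decoy project's code: a minimal single-port decoy.
# Assumptions: port 9392, a temp-folder log file, and a demo limit of 5 connections.

function Start-DecoyListener {
    param(
        [int]$Port = 9392,
        [string]$LogPath = (Join-Path $env:TEMP 'decoy-connections.log'),
        [int]$MaxConnections = 5        # stop after this many, so a demo run terminates
    )
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Host "Decoy listening on TCP/$Port; logging to $LogPath"
    try {
        for ($i = 0; $i -lt $MaxConnections; $i++) {
            $client = $listener.AcceptTcpClient()      # blocks until someone connects
            $remote = $client.Client.RemoteEndPoint
            $entry = [pscustomobject]@{
                TimeUtc    = (Get-Date).ToUniversalTime().ToString('o')
                SourceIp   = $remote.Address.ToString()
                SourcePort = $remote.Port
                DecoyPort  = $Port
            }
            # One JSON object per line, so a syslog/SIEM forwarder can ship it unchanged
            Add-Content -Path $LogPath -Value ($entry | ConvertTo-Json -Compress)
            Write-Warning ("Connection attempt from {0}:{1} to decoy port {2}" -f $entry.SourceIp, $entry.SourcePort, $Port)
            $client.Close()              # no banner, no data: the decoy only observes
        }
    } finally {
        $listener.Stop()
    }
}

# Usage (blocks until $MaxConnections attempts have been logged):
# Start-DecoyListener -Port 9392
```

Because the listener sends nothing back, it cannot be mistaken for a real service by anyone who already has legitimate access; the value is entirely in the log line, which should be forwarded to the same syslog/SIEM pipeline as the VBR events so that a SOC sees decoy hits next to backup-side alerts.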

Of course, we do not expect it to be our most effective weapon against cyber attacks, but in this battle between the two worlds it is still one more option! 💚

CrowdStrike – Global Incident

Last Friday, July 19, the popular U.S. software company CrowdStrike caused a worldwide crash of Windows-based computers, impacting critical systems in banks, hospitals, transportation and more, resulting in a temporary disruption of daily operations.

The cause? An incorrect update of the Falcon Sensor AV/EDR platform, released as a configuration update at 04:09 UTC, which triggered a logic error in the OS, resulting in a BSOD:

The content is a channel file located in the %WINDIR%\System32\drivers\CrowdStrike directory.

Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version.

Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0409 UTC is the problematic version.
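To check a machine against the advisory above, here is an added PowerShell example (not CrowdStrike's or Microsoft's tooling) that lists the channel files in the directory the advisory names and classifies each one by the UTC timestamps it gives. The assumption is that the file's LastWriteTimeUtc is the "timestamp" the advisory refers to; anything that is neither the 04:09 version nor 05:27 or later is reported as unknown rather than guessed at.

```powershell
# Added example, not vendor tooling. Assumption: LastWriteTimeUtc is the
# "timestamp" the advisory refers to; directory and file pattern come from it.

function Get-ChannelFileStatus {
    param([string]$Directory = (Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'))
    $goodFrom = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)   # reverted version
    if (-not (Test-Path -Path $Directory)) {
        Write-Warning "Directory not found: $Directory (sensor not installed?)"
        return
    }
    Get-ChildItem -Path $Directory -Filter 'C-00000291*.sys' -File | ForEach-Object {
        $ts = $_.LastWriteTimeUtc
        $status = if ($ts -ge $goodFrom) {
            'reverted (good)'
        } elseif ($ts.ToString('yyyy-MM-dd HHmm') -eq '2024-07-19 0409') {
            'PROBLEMATIC - apply remediation'
        } else {
            'unknown - check manually'
        }
        [pscustomobject]@{ File = $_.Name; TimestampUtc = $ts; Status = $status }
    }
}

Get-ChannelFileStatus | Format-Table -AutoSize
```

This only runs on a machine that boots; for hosts stuck in the boot loop the remediation the author describes (safe mode or the Microsoft recovery tool) still applies, and the script is useful afterwards to confirm that the reverted file is the one in place.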


The company subsequently released a procedure for identifying affected Windows clients, as well as a remediation plan, advising to perform a reboot and acquire the correct version of the file, or alternatively follow Microsoft’s procedure to enter safe mode and delete the affected file, or alternatively restore the system (beware of any BitLocker key present).

EDIT: an official recovery tool has also been released by Microsoft to automate the remediation process.

The problem has impacted not only physical PCs, but also Windows instances in the cloud. Below are some official links for remediation, such as Azure and AWS.

In any case, if the problem instances are protected with backup software, it is always possible to restore to the latest valid version.

This event reminds us of how today’s world is extremely technology-driven, and of the possible human errors that, if not limited, can lead to disastrous consequences.

Veeam ONE 12.1 – Threat Center

Veeam ONE is Veeam’s solution for monitoring virtual environments, such as vSphere, VMware Cloud Director and Hyper-V, and data protection environments, such as Veeam Backup & Replication and Veeam Backup for Office 365.

As mentioned in a previous post, the latest VONE 12.1 release introduced the Veeam Threat Center dashboard: this tool allows us to view the overall security status of our VBRs, verifying compliance with the various best practices indicated by Veeam.

Specifically, the widgets we find are:

  • Data Platform Scorecard: shows an overall score of the health of our VBRs, defined by the parameters Platform Security Compliance, Data Recovery Health, Data Protection Status and Backup Immutability Status
  • Malware Detections: shows any malware or suspicious infections on our restore points
  • RPO Anomalies: shows objects that are out of range from the defined RPO
  • SLA Compliance Overview: highlights the percentage of achievement of our SLAs based on a period and success rate defined in the widget configuration

In order to take advantage of the potential of this dashboard, we must first add our VBR, making sure to also check the “Provide access to embedded dashboards” checkbox.

Before configuration, within the VBR console the integration will not be active:

After configuration, the dashboard will be populated with the Veeam Threat Center view of Veeam ONE and other useful widgets.

Tip: when adding a VBR, pay attention to the compatibility of the licenses of the two products

https://helpcenter.veeam.com/docs/one/deployment/license_types.html?ver=120#compatibility-with-veeam-backup—replication-licenses

Enjoy! 💚

Linux xz library vulnerability

Last Friday, a major vulnerability was reported on the xz library, used by some Linux distributions as a data compression program.

Specifically, the source code on GitHub was tampered with, with carefully obfuscated malicious code, allowing attackers to create a backdoor for SSH access to infected systems.

The CVE is currently listed by NIST with a severity score of 10.0, the highest possible:

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

The vulnerability, discovered almost accidentally by a Microsoft developer, is present in versions 5.6.0 – 5.6.1

Therefore, it is recommended to downgrade the xz library version on systems with this release, or to uninstall it if not in use.

Below is also the official note from Red Hat:

https://access.redhat.com/security/cve/CVE-2024-3094

Veeam 11a Patch – EOS

As you may know, as of March 1, 2024, several outdated versions of Veeam products have gone into EOS (End of Support).

Examples of the most used products include Veeam B&R 11 and Veeam ONE 11:

To see the full list of Veeam product lifecycle visit the following link:

https://www.veeam.com/product-lifecycle.html

This week, a little surprisingly, a cumulative patch for Veeam Backup & Replication V11a was released:

https://www.veeam.com/kb4245

This update is aimed especially at those customers who, due to usage requirements, need to maintain compatibility with older hypervisors (for example VMware vSphere/ESXi 5.5).

The patch contains some product fixes, and also some security fixes for third-party components included in the software, such as VDDK, OpenSSL, liblz4, zlib and PuTTY:

https://www.veeam.com/kb4245

Important note: If you decide to install this patch, you will no longer be able to upgrade to V12.1, but will have to wait for the release of the next minor update V12.2 (expected in the second half of 2024).

So if you are at V11 and have no compatibility issues with the rest of the infrastructure, the advice is to upgrade to the latest V12.1 version, taking advantage of the many added features immediately.

Below is one last link that may be useful when planning upgrades, the upgrade-path link for Veeam B&R.

https://www.veeam.com/kb2053

Enjoy! 💚

Veeam v12.1 – Security and Compliance Analyzer

In a previous post, we explored the new and most interesting features of Veeam B&R version 12.1.

In this post we will go into more detail about the tool that allows us to keep an eye on the status of our backup infrastructure: the Security and Compliance Analyzer.

INTRODUCTION

When we design and implement our backup infrastructures, paying attention to security rules is now a must.

There are a number of general considerations that help us harden our servers, as well as many best practices that should be applied to our backups.

The new Security and Compliance Analyzer tool allows us to have just such a simple and intuitive overview of the implementation of these best practices on our backup server.

Let’s go through its functionality in detail.

THE TOOL

Access to the tool is clearly visible in the main bar of the Veeam Console:

As anticipated earlier, the checks are divided into two sections, “Backup Infrastructure Security” and “Product Configuration”.

BACKUP INFRASTRUCTURE SECURITY

As we can see, it is concerned with checking the implementation of certain best practices defined for the Windows operating system hosting our backup server.

  • The first settings that are recommended are to disable those services that are considered critical because they allow remote interaction with our server, which are “Remote Desktop”, “Remote Registry” and “Windows Remote Management”.

  • Then we move on to the rarely considered Windows Firewall: the best practice is to keep it active always, going to work with the inbound and outbound rules as needed. Note: Veeam B&R automatically creates the firewall rules necessary for its components to communicate with each other.

  • It is then recommended to disable the “WDigest credentials caching” and “Web Proxy Auto-Discovery service” features to prevent credential or MITM-type attacks.

  • The next check is on deprecated versions of SSL and TLS, such as SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1, which should also be disabled.

  • As for potential script-based malware attacks, good practice is trying to limit them by disabling the “Windows Script Host”.

  • Returning to deprecated protocols, SMBv1 is also among those to be disabled, as it is affected by numerous vulnerabilities. Note: As of Windows Server 2016, it is disabled by default.
  • The last protocol to be disabled is the “Link-Local Multicast Name Resolution” to limit spoofing and MITM attacks.

  • Finally, security on the SMBv3 protocol is tested, checking that settings to prevent NTLMv2 relay type attacks are enabled.
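The list above maps almost one-to-one onto Windows services, SCHANNEL registry values and SMB settings, so here is an added PowerShell example (not Veeam's own remediation script, which is the one linked from KB4525 further down) that audits the same items read-only and prints PASS/FAIL per check. It changes nothing and is meant to be run in an elevated session on the backup server. Assumptions: the service names (TermService, RemoteRegistry, WinRM, WinHttpAutoProxySvc) and registry paths are the standard Windows ones, and a value that is absent is reported as FAIL so that the administrator sets it explicitly.

```powershell
# Added example, not Veeam's KB4525 script: read-only audit of the OS-level
# items above. Assumes standard Windows service names and registry locations.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ServiceDisabled {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $true }           # not installed counts as disabled
    return ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
}

function Test-SchannelProtocolDisabled {
    param([string]$Protocol)                        # e.g. 'TLS 1.0'
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol"
    foreach ($side in 'Server', 'Client') {
        # Both values must be set explicitly: Enabled = 0 and DisabledByDefault = 1
        if ((Get-RegValue "$base\$side" 'Enabled') -ne 0) { return $false }
        if ((Get-RegValue "$base\$side" 'DisabledByDefault') -ne 1) { return $false }
    }
    return $true
}

function Invoke-BackupServerAudit {
    $checks = @(
        @{ Name = 'Remote Desktop (TermService) disabled';        Test = { Test-ServiceDisabled 'TermService' } }
        @{ Name = 'Remote Registry disabled';                     Test = { Test-ServiceDisabled 'RemoteRegistry' } }
        @{ Name = 'Windows Remote Management disabled';           Test = { Test-ServiceDisabled 'WinRM' } }
        @{ Name = 'Windows Firewall enabled on all profiles';     Test = { @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Count -eq 0 } }
        @{ Name = 'WDigest credential caching disabled';          Test = { (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential') -eq 0 } }
        @{ Name = 'Web Proxy Auto-Discovery service disabled';    Test = { Test-ServiceDisabled 'WinHttpAutoProxySvc' } }
        @{ Name = 'Windows Script Host disabled';                 Test = { (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled') -eq 0 } }
        @{ Name = 'SMBv1 disabled';                               Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol } }
        @{ Name = 'LLMNR disabled';                               Test = { (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast') -eq 0 } }
        @{ Name = 'SMB signing required (NTLM relay protection)'; Test = { (Get-SmbServerConfiguration).RequireSecuritySignature } }
    )
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        # GetNewClosure captures the current $proto value inside each script block
        $checks += @{ Name = "$proto disabled (SCHANNEL)"; Test = { Test-SchannelProtocolDisabled $proto }.GetNewClosure() }
    }
    foreach ($check in $checks) {
        $passed = $false
        try { $passed = [bool](& $check.Test) } catch { $passed = $false }   # a failing cmdlet is a FAIL, not a crash
        $status = if ($passed) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Check = $check.Name; Status = $status }
    }
}

Invoke-BackupServerAudit | Format-Table -AutoSize
```

Reading the values rather than setting them is deliberate: the Security and Compliance Analyzer already reports, and the KB4525 script already fixes; an independent read-only check is what you want in a scheduled job or a change-control ticket, where a drift from the hardened state should raise a FAIL without anything being modified under the auditor's feet.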

PRODUCT CONFIGURATION

We now move on to controls on the software-side settings.

The strategies and configurations that Veeam recommends are obviously focused on preserving our backups.

  • MFA for the VBR console: since v12, multi-factor authentication can be enabled on the backup console.

  • Immutable or offline media: to protect backup files, we recommend using at least one repository with the data immutability feature enabled or media that can be disconnected from the network, such as tape or rotated drives.

  • Password loss protection: a setting in Veeam Enterprise Manager that allows us to decrypt our backup data in case the encryption password is lost.

  • Domain or non-domain?: Veeam recommends that we leave our server, and the other infrastructure components, in a workgroup. Note: if we do want to join AD, it is good practice to create a management domain dedicated exclusively to the backup environment.

  • Email notification: always remember to enable email notifications, it is essential to keep track of the outcome of backups and other events happening in the system.

  • 3-2-1 rule: the golden rule advises us to have at least 3 copies of the data (including the original data, so two backup copies), on at least 2 different media, with 1 offsite copy. Note: The rule has now evolved into 3-2-1-1-0, where the second 1 is the offline/immutable copy, and the 0 indicates the need to implement an automated validation procedure for our backups, with 0 errors during verification testing.
  • Reverse incremental: this method produces the most read and write operations on our repository and should be abandoned in favour of the standard incremental.

  • Unknown Linux servers: in case we need to add linux servers to our backup infrastructure, it is recommended to trust them manually rather than automatically.

  • Configuration Backup: as a best practice, the configuration backup should be saved to a repository external to the backup server itself. Note: from v12.1 you can select an immutable object storage repository for this task as well.

  • Proxy traffic encryption: if our virtual proxies use network transport mode, encryption (NBDSSL) is recommended.

  • Physical Hardened repository: to reduce the attack surface, the hardened type repository should reside on a physical server (and with local disks) instead of a virtual one.

  • Network traffic encryption: to enable secure communication in our backup network, both to the Internet and to private networks, it is recommended to globally enable encryption in the general software settings.
  • Linux authentication: best practice recommends that we do not use password-based authentication for our linux servers, but enter SSH through the use of the public-private key pair, preventing brute force and MITM type attacks.

  • Backup services: it is recommended to use “Local System” as the account for our Veeam services.

  • Configuration backup encryption: it is recommended to use encryption on Veeam’s configuration backup as well, for more secure management of sensitive data in the DB.

  • Password rotation: control is over the credentials of the various components added to our backup infrastructure and the encryption password, which should be changed at least once a year.

  • Hardened repository access: as a best practice, SSH on this type of repository should be disabled.

  • S3 object lock type: this check verifies that the immutability set on the S3 repositories added to Veeam is of the Compliance type (not editable) and not the Governance type (editable), since an editable lock undermines both any data-handling policies (e.g., GDPR) and the effective immutability of our backups.

  • Backup encryption: especially if our backups are saved to a cloud repository, it is a good idea to enable encryption at the individual job level.

  • Latest updates: it is recommended to keep the Veeam B&R software updated to the latest release/patch.

IMPLEMENTATION

To facilitate the implementation of most of these best practices, Veeam has provided in its KBs a PowerShell script that fixes all 11 points related to backup infrastructure security and 2 points related to product configuration, while the settings that need custom setups (such as, for example, setting up our mail server, choosing a repository, or the users for which to enable MFA) are obviously left to the backup administrator to configure manually.

Below is the link to download the script: https://www.veeam.com/kb4525

USE

The tool can be used both interactively and automatically.

It is possible, in fact, to set up a report with daily scheduling and emailing.

Finally, it is also possible to exclude one or more parameters from the controls by marking them as “suppressed”.

CONCLUSION

We will never tire of repeating how important security is, especially for backups, which are our last defense against loss or corruption of our data. This improved tool is a good starting point to help us keep things under control.

We conclude the post by reposting other useful links regarding security and best practices, with the hope that the Security and Compliance Analyzer will also be increasingly developed and improved according to the evolving guidelines.

https://helpcenter.veeam.com/docs/backup/vsphere/security_guidelines.html?ver=120

https://bp.veeam.com/security

https://go.veeam.com/rs/870-LBG-312/images/veeam-security-checklist.pdf

https://go.veeam.com/rs/870-LBG-312/images/veeam-security-best-practices-2022.pdf

https://community.veeam.com/cyber-security-space-95/hardening-veeam-12-server-the-definitive-checklist-4255

Enjoy! 💚