News You Might’ve Missed. 02 – 06 Nov

What's new this week in the news for MSPs? Public registry plans for Docker container images by Amazon Web Services; new ransomware RegretLocker targets Windows virtual machines; phishing attack results in a loss of $2.3 million for US Republican Party; Mattel the target in a ransomware attack; and Maze ransomware closes operations and denies making a cartel.

Let's see what it's all about.

Public Registry Plans for Docker Container Images by Amazon Web Services

In response to Docker Inc. imposing pull rate limits on its Docker Hub site, Amazon Web Services plans to launch its own public container image registry. AWS has advised their customers on how to protect their application deployments on a recent blog.

Docker Hub is a public repository of container images that companies use to host components of their cloud-based applications. Most developers don’t create containers for the typical applications they use, such as MySQL or Apache Web Server. Instead, they pull one from Docker Hub or some other repository to start running it quickly.

Generally, the production software chain process includes downloading a popular container image and briefly running it before deleting it. If developers need to use an app again, they merely repeat the process.

Docker says they are struggling with about 1% of users causing an “outsized impact.” The only solution they have come up with is to impose pull rate limits to prevent them from hogging their bandwidth.

Amazon suggests a short-term solution of copying images that clients rely on frequently to the Amazon Elastic Container Registry or some other registry, or buying a paid subscription to Docker Hub. In this way, they can avoid the rate-limiting for now. AWS says it plans to offer an Amazon public registry as an alternative for its clients.

New Ransomware RegretLocker Targets Windows Virtual Machines

RegretLocker is a new sophisticated form of ransomware. It uses advanced techniques to encrypt virtual machines. BleepingComputer says the ransomware was first noticed in October and specifically targets Windows-based virtual machines.

The ransomware mounts a virtual disk file to encrypt each of its files, which is an intriguing technique. To mount virtual disks, RegretLocker employs specific functions such as Windows AttachVirtualDisk, Virtual Storage API OpenVirtualDisk, and GetVirtualDiskPhysicalPath. These functions mount the virtual disks for encryption, which speeds up the process.

It also uses the Windows Restart Manager API to end services or Windows processes that keep files active during encryption.

RegretLocker isn’t currently widespread, even though it has been detected as being active.

Phishing Attack Results in a Loss of $2.3 Million for Wisconsin Republicans

Hackers targeting the Republican Party in Wisconsin got away with $2.3 million after launching a phishing attack.

The attack was found on October 22nd. The cybercriminals behind the attack collected the money using fake invoices. When the invoices were paid, the alterations used redirected the funds to the hackers, instead of to the actual listed vendors.

On Friday, October 23rd, the US Federal Bureau of Investigation (FBI) was informed of the activity. The FBI has since begun an investigation into the theft of funds. According to a report on Wednesday by Associated Press, the funds were meant for President Donald Trump’s re-election campaign.

It is uncertain at this point if the theft was politically motivated or a theft of opportunity.

Mattel the Target in a Ransomware Attack

The renowned toymaker behind the Barbie doll announced that it had been the target of a ransomware attack which it successfully evaded.

According to their filing with the US Securities and Exchange Committee (SEC), the discovery of the attack came on July 28th. Mattel says the attack caused many of their systems to be encrypted. They haven't yet said which ransomware was involved.

Once the attack was detected, Mattel began taking a series of steps in accordance with the response protocols they have in place. These steps stopped the attack and let them restore the affected systems.

Mattel says that a forensic investigation didn’t find evidence that the attackers had stolen any sensitive business data, consumer, retail customer, supplier, or employee data. The firm also says that no material impact on its operations or finances occurred due to the attack.

According to experts, who are hoping that Mattel shares more details soon, it’s uncommon to hear a success story such as this.

Maze Ransomware Closes Operations and Denies Making a Cartel

Recently BleepingComputer shared a report that, since mid-September, Maze had ceased encrypting new victims. They also noted a cleanup of their data leak site, and they were extorting their last victims.

According to a press release from the group entitled "The Project is closed," they have ended their ransomware operations. What’s more, the group’s release says that they never had partners or any official successors. The announcement also suggests that victims should contact them in order to have their private data removed from their data leak site.

Experts suggest that ransomware groups rarely delete stolen data entirely. They recommend that companies that are victims of Maze shouldn’t contact them based on their statements.

BleepingComputer has learned that some of Maze’s affiliates have moved to Egregor, a new ransomware operation.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.