Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks.
“This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity,” the tech giant’s cloud division said in its 11th Threat Horizons Report.
TRIPLESTRENGTH engages in a trifecta of malicious attacks, including illicit cryptocurrency mining, ransomware and extortion, and advertising access to various cloud platforms, including Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean to other threat actors.
Initial access to target cloud instances is facilitated by means of stolen credentials and cookies, some of which originate from Raccoon information stealer infection logs. The hijacked environments are then abused to create compute resources for mining cryptocurrencies.
Subsequent versions of the campaign have been found to leverage highly privileged accounts to invite attacker-controlled accounts as billing contacts on the victim’s cloud project in order to set up large compute resources for mining purposes.
The cryptocurrency mining is carried out by using the unMiner application alongside the unMineable mining pool, with both CPU- and GPU-optimized mining algorithms employed depending on the target system.
Perhaps somewhat unusually, TRIPLESTRENGTH’s ransomware deployment operations have been focused on on-premises resources, rather than cloud infrastructure, employing lockers such as Phobos, RCRU64, and LokiLocker.
“In Telegram channels focused on hacking, actors linked to TRIPLESTRENGTH have posted advertisements for RCRU64 ransomware-as-a-service and also solicited partners to collaborate in ransomware and blackmail operations,” Google Cloud said.
In one RCRU64 ransomware incident in May 2024, the threat actors are said to have gained initial access via remote desktop protocol, followed by performing lateral movement and antivirus defense evasion steps to execute the ransomware on several hosts.
TRIPLESTRENGTH has also been observed routinely advertising access to compromised servers, including those belonging to hosting providers and cloud platforms, on Telegram.
Google said it has taken steps to counter these activities by enforcing multi-factor authentication (MFA) to prevent the risk of account takeover and rolling out improved logging to flag sensitive billing actions.
“A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud,” the tech giant said.
“This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for subsequent social engineering attacks.”
