Google unveiled a financially driven threat actor, TRIPLESTRENGTH, targeting cloud environments for cryptojacking and on-premise ransomware operations.
"This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," Google Cloud noted in its 11th Threat Horizons Report.
TRIPLESTRENGTH employs a three-pronged attack strategy: unauthorized cryptocurrency mining, ransomware deployment, and offering cloud platform access—spanning services like Google Cloud, AWS, Azure, Linode, OVHCloud, and Digital Ocean—to other attackers. The group's primary entry methods involve stolen credentials and cookies, often sourced from Raccoon Stealer logs. Compromised environments are used to create compute resources for mining cryptocurrency using tools like the unMiner application and the unMineable mining pool, optimized for both CPU and GPU algorithms.
Interestingly, TRIPLESTRENGTH has concentrated its ransomware efforts on on-premises systems, deploying lockers such as Phobos, RCRU64, and LokiLocker.
"In Telegram channels focused on hacking, actors linked to TRIPLESTRENGTH have posted advertisements for RCRU64 ransomware-as-a-service and also solicited partners to collaborate in ransomware and blackmail operations," Google Cloud disclosed.
One notable incident in May 2024 involved initial access through Remote Desktop Protocol (RDP), followed by lateral movement and antivirus evasion to execute ransomware across several systems. TRIPLESTRENGTH also regularly advertises access to compromised servers on Telegram, targeting hosting providers and cloud platforms.
To counteract such threats, Google has introduced multi-factor authentication (MFA) and improved logging for detecting sensitive billing actions.
"A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud," Google warned.
"This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for subsequent social engineering attacks."
