Jan 23, 2025 | Ravie Lakshmanan | Cloud Security / Cryptojacking
Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its targeting of cloud environments for cybercrime and on-premises ransomware attacks.
The tech giant's cloud division said that "this actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity."
TRIPLESTRENGTH engages in a mix of malicious activity, including illicit cryptocurrency mining, ransomware and extortion, and advertising access to various cloud platforms, such as Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean, to other threat actors.
Initial access to the target cloud instances is facilitated by stolen credentials and cookies, some of which come from infostealer infection logs. The compromised environments are then abused to provision resources for cryptocurrency mining.
In later iterations of the campaign, attacker-controlled accounts have also been found to be added to the victim's cloud project in order to set up large compute resources for mining purposes.
unMiner is used to mine bitcoin alongside the unMineable mining pool, with both CPU- and GPU-optimized mining algorithms being used, depending on the target system.
Somewhat unusually, TRIPLESTRENGTH's ransomware deployment efforts have focused on on-premises resources rather than cloud infrastructure, employing lockers such as , , and .
"In Telegram channels focused on hacking, actors linked to TRIPLESTRENGTH have posted advertisements for RCRU64 ransomware-as-a-service and also solicited partners to collaborate in ransomware and extortion operations," Google Cloud said.
In a May 2024 incident involving RCRU64 ransomware, the threat actors are said to have gained initial access via remote desktop protocol, followed by lateral movement and antivirus defense evasion steps to deploy the ransomware on several hosts.
On Telegram, TRIPLESTRENGTH has also been observed regularly advertising access to compromised servers, including those belonging to hosting providers and cloud platforms.
Google said it has rolled out enhanced logging to flag sensitive billing actions and enforced multi-factor authentication (MFA) to reduce the risk of account takeover.
"A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud," the tech giant said.
"This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for upcoming social engineering attacks," it added.