Google on Wednesday shed light on a financially motivated threat actor it tracks as TRIPLESTRENGTH, which opportunistically targets cloud environments for cryptojacking and carries out ransomware attacks against on-premises systems.
“This actor engaged in a variety of threats, including cryptocurrency mining operations on compromised cloud resources and ransomware,” the tech giant’s cloud division said in its 11th Threat Horizons Report.
TRIPLESTRENGTH engages in a trio of malicious activities: illicit cryptocurrency mining, ransomware and extortion, and advertising access to various cloud platforms, including Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud and DigitalOcean, to other threat actors.
Initial access to target cloud instances is obtained using stolen credentials and session cookies, some of which originate from Raccoon information stealer infection logs. The compromised environments are then abused to provision compute resources for cryptocurrency mining.
Later iterations of the campaign were found to use high-privilege accounts to invite attacker-controlled accounts as billing contacts in the victim’s cloud project, in order to spin up large compute resources for mining on the victim’s bill.
Mining is carried out with the unMiner application and the unMineable mining pool, using CPU- or GPU-optimized mining algorithms depending on the target system.
Somewhat unusually, TRIPLESTRENGTH’s ransomware operations have focused on on-premises resources rather than cloud infrastructure, using lockers such as Phobos, RCRU64 and LokiLocker.
“On hacking-focused Telegram channels, actors associated with TRIPLESTRENGTH advertised RCRU64 ransomware as a service and solicited partners to cooperate in extortion and blackmail operations,” Google Cloud reported.
In one RCRU64 ransomware incident in May 2024, the threat actors are said to have gained initial access via Remote Desktop Protocol, then performed lateral movement and antivirus evasion before running the ransomware on multiple hosts.
TRIPLESTRENGTH has also been observed regularly advertising access to hacked servers on Telegram, including servers belonging to hosting providers and cloud platforms.
Google said it has taken steps to counter these practices, including implementing multi-factor authentication (MFA) to reduce the risk of account hijacking and deploying enhanced logging to flag sensitive billing activities.
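The billing-contact technique above and the "enhanced logging to flag sensitive billing activities" countermeasure both come down to watching a handful of audit-log events. The following Python is an added illustration, not Google's detection logic and not code from the Threat Horizons Report. It assumes the Cloud Audit Log JSON shape (protoPayload.methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas, request); the billing method name, the trusted domain example.com, and every log entry in SAMPLE_LOG are constructed for the example.

```python
"""Flag billing/IAM changes and GPU compute spin-up in Cloud Audit Log entries.

Added illustration for the TRIPLESTRENGTH billing-contact technique; not Google's
detection logic. Field names follow the Cloud Audit Log JSON schema; the billing
method name and the trusted domain are assumptions for this example.
"""

TRUSTED_DOMAINS = {"example.com"}   # assumption: the victim organisation's identity domain

# Roles that let a principal attach spend to, or take full control of, a project.
SENSITIVE_ROLES = {
    "roles/billing.admin",
    "roles/billing.user",
    "roles/billing.projectManager",
    "roles/owner",
    "roles/editor",
}


def _domain(member: str) -> str:
    """'user:alice@example.com' -> 'example.com'; '' for members like 'allUsers'."""
    return member.split("@", 1)[1].lower() if "@" in member else ""


def analyze_entry(entry: dict) -> list:
    """Return (severity, reason) findings for a single audit log entry."""
    findings = []
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    service = p.get("serviceName", "")
    actor = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    resource = p.get("resourceName", "")
    request = p.get("request", {})

    # 1. A sensitive role granted to a principal outside the organisation:
    #    the "invite an attacker-controlled account as billing contact" step.
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    for d in deltas:
        role, member = d.get("role", ""), d.get("member", "")
        if d.get("action") == "ADD" and role in SENSITIVE_ROLES \
                and _domain(member) not in TRUSTED_DOMAINS:
            findings.append(("HIGH", f"{actor} granted {role} to external {member} on {resource}"))

    # 2. A change to which billing account pays for the project (method name assumed).
    if service == "cloudbilling.googleapis.com" and method.endswith("UpdateProjectBillingInfo"):
        findings.append(("HIGH", f"{actor} re-linked {resource} to "
                                 f"{request.get('billingAccountName', '?')}"))

    # 3. GPU-backed instance creation, the typical mining spin-up.
    if method == "v1.compute.instances.insert" and request.get("guestAccelerators"):
        findings.append(("MEDIUM", f"{actor} created GPU instance {request.get('name')} "
                                   f"({request.get('machineType', '').rsplit('/', 1)[-1]})"))
    return findings


def scan(entries: list) -> list:
    """Run analyze_entry over a batch of log entries, preserving order."""
    return [f for e in entries for f in analyze_entry(e)]


# Constructed sample entries (not real logs), trimmed to the fields used above.
SAMPLE_LOG = [
    {"protoPayload": {   # compromised admin makes an outside account a billing admin
        "methodName": "SetIamPolicy",
        "serviceName": "cloudresourcemanager.googleapis.com",
        "resourceName": "projects/victim-prod",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/billing.admin",
             "member": "user:payments@attacker.invalid"}]}}}},
    {"protoPayload": {   # project re-linked to a different billing account
        "methodName": "google.cloud.billing.v1.CloudBilling.UpdateProjectBillingInfo",
        "serviceName": "cloudbilling.googleapis.com",
        "resourceName": "projects/victim-prod",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "request": {"billingAccountName": "billingAccounts/0A1B2C-000000-FFFFFF"}}},
    {"protoPayload": {   # the invited account spins up an 8-GPU machine
        "methodName": "v1.compute.instances.insert",
        "serviceName": "compute.googleapis.com",
        "resourceName": "projects/victim-prod/zones/us-central1-a/instances/worker-01",
        "authenticationInfo": {"principalEmail": "payments@attacker.invalid"},
        "request": {"name": "worker-01",
                    "machineType": "zones/us-central1-a/machineTypes/a2-highgpu-8g",
                    "guestAccelerators": [{"acceleratorType": "nvidia-tesla-a100",
                                           "acceleratorCount": 8}]}}},
    {"protoPayload": {   # routine internal grant: should produce no finding
        "methodName": "SetIamPolicy",
        "serviceName": "cloudresourcemanager.googleapis.com",
        "resourceName": "projects/victim-prod",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}},
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(severity, reason)
```

Note that the first two findings are raised against alice@example.com, a legitimate account: when access comes from stolen cookies, the principal looks normal and the signal is the action (an external member gaining billing rights, a billing account being swapped), not who performed it. Tune TRUSTED_DOMAINS and SENSITIVE_ROLES to the organisation, and treat the GPU check as a lower-confidence indicator that should be correlated with the IAM findings rather than alerted on alone.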
“A single stolen account can set off a chain reaction, giving attackers access to applications and data, both on-premises and in the cloud,” the tech giant said.
“This access can then be used to compromise infrastructure using remote access services, manipulate MFA and establish a trusted presence for subsequent social engineering attacks.”