Cybercrime gang targets victims with "triple threat" attacks

A person at a laptop with a cybersecure lock symbol floating above it.
(Image credit: Shutterstock / laymanzoom)

  • Security researchers spotted a new threat actor called Triplestrength
  • The group engages in ransomware, cloud compromise, and cryptomining
  • There are potentially hundreds of victims

A small and relatively unknown hacking group has started drawing attention to itself by engaging in somewhat unusual "triple threat" cyberattacks.

Researchers from Google recently discovered Triplestrength, possibly a small threat actor with only a handful of individuals, which has been around since 2020, although Google’s researchers have been tracking it since 2023.

What makes this group stand out is the fact that besides ransomware, it is also hijacking victim cloud accounts and using them to deploy cryptominers. The group started with ransomware in 2020, and added the crypto-mining part two years later.

Brute force

For ransomware, Google further explains, the group mostly targets on-prem systems. For cryptomining, it targets cloud infrastructure from Google Cloud, AWS, Microsoft Azure, Linode, and more.

Triplestrength doesn’t seem to be state-sponsored and instead seems to be motivated by pure profit - looking to gain money from both ransom payments and unauthorized cloud computing.

Initial access is mostly done through brute-force attacks on remote desktop servers, or via stolen credentials. Once the target endpoints are compromised, Triplestrength deploys malware including Phobos, LokiLocker, RCRU64, or Raccoon infostealer. For cryptomining, the group mostly uses unMiner. Interestingly enough, there was no mention of XMRig, by far the most popular cryptojacker out there.

Speaking to The Register, the researchers did not want to say exactly how many victims Triplestrength struck in the past four years, but they did stress they, "identified numerous TRX cryptocurrency addresses that we believe are associated with Triplestrength."

"And at last count, which is now months outdated, there were over 600 payments to these addresses," they told the publication. "That at least gives you some idea of the volume of mining activity that they're likely conducting."

In other words, there are hundreds of compromised cloud instances out there, and thus possibly hundreds of ransomware victims, as well.

Via The Register

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A group of 7 hackers, 6 slightly blurred in the background and one in the foreground, all wearing black with hoods pulled up over their heads. You cannot see their faces. The hacker in the foreground sits with an open laptop in front of them. The background, behind the hackers, is a Chinese flag
China government-linked hackers caught running a seriously dangerous ransomware scam
Shutterstock.com / kanlaya wanon
Microsoft Teams abused in Russian email bombing ransomware campaign
Lock on Laptop Screen
Clop ransomware lists Cleo cyberattack victims
Hands typing on a keyboard surrounded by security icons
Infostealers on the rise: the latest concern for organizational defenses
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
Latest in Security
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Latest in News
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what happened
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard