Cybercrime gang targets victims with "triple threat" attacks

News
By published

As if the encryptor wasn't enough

A person at a laptop with a cybersecure lock symbol floating above it.
(Image credit: Shutterstock / laymanzoom)
  • Security researchers spotted a new threat actor called Triplestrength
  • The group engages in ransomware, cloud compromise, and cryptomining
  • There are potentially hundreds of victims

A small and relatively unknown hacking group has started drawing attention to itself by engaging in somewhat unusual "triple threat" cyberattacks.

Researchers from Google recently discovered Triplestrength, possibly a small threat actor with only a handful of individuals, which has been around since 2020, although Google’s researchers have been tracking it since 2023.

What makes this group stand out is the fact that besides ransomware, it is also hijacking victim cloud accounts and using them to deploy cryptominers. The group started with ransomware in 2020, and added the crypto-mining part two years later.

Brute force

For ransomware, Google further explains, the group mostly targets on-prem systems. For cryptomining, it targets cloud infrastructure from Google Cloud, AWS, Microsoft Azure, Linode, and more.

Triplestrength doesn’t seem to be state-sponsored and instead seems to be motivated by pure profit - looking to gain money from both ransom payments and unauthorized cloud computing.

Initial access is mostly done through brute-force attacks on remote desktop servers, or via stolen credentials. Once the target endpoints are compromised, Triplestrength deploys malware including Phobos, LokiLocker, RCRU64, or Raccoon infostealer. For cryptomining, the group mostly uses unMiner. Interestingly enough, there was no mention of XMRig, by far the most popular cryptojacker out there.

Speaking to The Register, the researchers did not want to say exactly how many victims Triplestrength struck in the past four years, but they did stress they, "identified numerous TRX cryptocurrency addresses that we believe are associated with Triplestrength."

"And at last count, which is now months outdated, there were over 600 payments to these addresses," they told the publication. "That at least gives you some idea of the volume of mining activity that they're likely conducting."

In other words, there are hundreds of compromised cloud instances out there, and thus possibly hundreds of ransomware victims, as well.

Via The Register

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.