Cybercrime gang targets victims with "triple threat" attacks

A person at a laptop with a cybersecure lock symbol floating above it.

(Image credit: Shutterstock / laymanzoom)

Security researchers spotted a new threat actor called Triplestrength
The group engages in ransomware, cloud compromise, and cryptomining
There are potentially hundreds of victims

A small and relatively unknown hacking group has started drawing attention to itself by engaging in somewhat unusual "triple threat" cyberattacks.

Researchers from Google recently discovered Triplestrength, possibly a small threat actor with only a handful of individuals, which has been around since 2020, although Google’s researchers have been tracking it since 2023.

What makes this group stand out is the fact that besides ransomware, it is also hijacking victim cloud accounts and using them to deploy cryptominers. The group started with ransomware in 2020, and added the crypto-mining part two years later.

Brute force

For ransomware, Google further explains, the group mostly targets on-prem systems. For cryptomining, it targets cloud infrastructure from Google Cloud, AWS, Microsoft Azure, Linode, and more.

Triplestrength doesn’t seem to be state-sponsored and instead seems to be motivated by pure profit - looking to gain money from both ransom payments and unauthorized cloud computing.

Initial access is mostly done through brute-force attacks on remote desktop servers, or via stolen credentials. Once the target endpoints are compromised, Triplestrength deploys malware including Phobos, LokiLocker, RCRU64, or Raccoon infostealer. For cryptomining, the group mostly uses unMiner. Interestingly enough, there was no mention of XMRig, by far the most popular cryptojacker out there.

Speaking to The Register, the researchers did not want to say exactly how many victims Triplestrength struck in the past four years, but they did stress they, "identified numerous TRX cryptocurrency addresses that we believe are associated with Triplestrength."

"And at last count, which is now months outdated, there were over 600 payments to these addresses," they told the publication. "That at least gives you some idea of the volume of mining activity that they're likely conducting."

In other words, there are hundreds of compromised cloud instances out there, and thus possibly hundreds of ransomware victims, as well.

Via The Register

Docker instances targeted in major cryptojacking scam
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.