
Google’s cloud division has identified a sophisticated threat actor named TRIPLESTRENGTH, known for executing three main types of cyber attacks: cryptocurrency mining, ransomware operations, and selling unauthorized access to major cloud platforms.
The group primarily targets cloud environments, including Google Cloud, AWS, Azure, Linode, OVHCloud, and Digital Ocean, using stolen credentials and cookies obtained through Raccoon information stealer malware. Their operations involve:
Cryptocurrency Mining:
– Utilizes hijacked cloud resources
– Deploys unMiner application with unMineable mining pool
– Implements both CPU and GPU-optimized mining algorithms
– Manipulates billing contacts to establish large-scale mining operations
Ransomware Operations:
– Focuses on on-premises systems rather than cloud infrastructure
– Deploys various ransomware variants including Phobos, RCRU64, and LokiLocker
– Gains initial access through RDP
– Offers ransomware-as-a-service through Telegram channels
Access Trading:
– Sells compromised server access on Telegram
– Targets multiple cloud service providers
– Markets access to other cybercriminals
In response, Google has implemented enhanced security measures, including mandatory MFA and improved billing action monitoring. The company emphasizes that a single compromised credential can lead to extensive infrastructure damage, affecting both on-premises and cloud environments.
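The two signals the summary names, billing-contact manipulation and a single principal standing up many GPU-backed instances, are the kind of thing billing-action and provisioning monitoring can catch early. As an added example (not code from Google's report or from any cloud provider), the Python below runs those two rules over a handful of constructed audit-style events; the newline-delimited JSON schema, the action names such as `billing.contact.update` and `compute.instances.insert`, and the `example.test` identities are assumptions made for the illustration rather than a real provider's log format.

```python
"""Two detection rules for the post-compromise pattern described above:
  1. any change to billing contacts (higher severity if the session never
     passed MFA);
  2. a burst of GPU-backed instance creation by one principal inside a short
     window, which is what hijacked-for-mining capacity tends to look like.
Event format, field names and identities are constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not a real provider's audit log).
# The first five lines model an account whose stolen session, lacking MFA,
# changes the billing contact and then provisions four GPU VMs in two minutes.
# The last two lines are a normal operator creating a couple of instances.
SAMPLE_LOG = """
{"ts": "2025-01-10T02:11:05Z", "principal": "dev@example.test", "action": "billing.contact.update", "resource": "billingAccounts/PLACEHOLDER", "mfa": false}
{"ts": "2025-01-10T02:13:40Z", "principal": "dev@example.test", "action": "compute.instances.insert", "resource": "zones/us-central1-a/instances/w-1", "mfa": false, "gpu": true}
{"ts": "2025-01-10T02:14:02Z", "principal": "dev@example.test", "action": "compute.instances.insert", "resource": "zones/us-central1-a/instances/w-2", "mfa": false, "gpu": true}
{"ts": "2025-01-10T02:14:30Z", "principal": "dev@example.test", "action": "compute.instances.insert", "resource": "zones/us-central1-a/instances/w-3", "mfa": false, "gpu": true}
{"ts": "2025-01-10T02:15:00Z", "principal": "dev@example.test", "action": "compute.instances.insert", "resource": "zones/us-central1-a/instances/w-4", "mfa": false, "gpu": true}
{"ts": "2025-01-10T09:30:00Z", "principal": "ops@example.test", "action": "compute.instances.insert", "resource": "zones/us-central1-a/instances/web-1", "mfa": true, "gpu": false}
{"ts": "2025-01-10T09:31:00Z", "principal": "ops@example.test", "action": "compute.instances.insert", "resource": "zones/us-central1-a/instances/ml-1", "mfa": true, "gpu": true}
"""


def parse_events(text):
    """Parse newline-delimited JSON events into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, burst_threshold=3, window=timedelta(minutes=10)):
    """Return a list of findings; each has 'rule', 'principal', 'severity', 'detail'."""
    findings = []

    # Rule 1: billing-contact changes. Attackers in this campaign alter the
    # billing contact so the real owner stops seeing the cost of mining; a
    # change made from a session that never completed MFA is the worst case.
    for ev in events:
        if ev["action"] == "billing.contact.update":
            findings.append({
                "rule": "billing-contact-change",
                "principal": ev["principal"],
                "severity": "high" if not ev.get("mfa", False) else "medium",
                "detail": f"{ev['resource']} changed at {ev['ts'].isoformat()}",
            })

    # Rule 2: GPU provisioning burst. Group GPU instance creations by principal
    # and slide a window over the sorted timestamps; one finding per principal.
    gpu_inserts = defaultdict(list)
    for ev in events:
        if ev["action"] == "compute.instances.insert" and ev.get("gpu", False):
            gpu_inserts[ev["principal"]].append(ev["ts"])
    for principal, stamps in gpu_inserts.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= window)
            if in_window >= burst_threshold:
                findings.append({
                    "rule": "gpu-provisioning-burst",
                    "principal": principal,
                    "severity": "high",
                    "detail": f"{in_window} GPU instances within {window} starting {start.isoformat()}",
                })
                break  # one finding per principal is enough to page on
    return findings


def run_sample():
    """Apply both rules to the constructed log above."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['rule']}: {f['principal']} - {f['detail']}")
```

Both rules are deliberately cheap to run over a provider's exported audit stream; in practice the thresholds and the MFA flag would come from the provider's own fields, and a billing-contact change alone is worth a ticket even when the session did pass MFA, since the summary's point is that one stolen credential is enough to start this chain.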