A threat actor dubbed TripleStrength has targeted cloud and on-premises systems for cryptojacking and ransomware deployment. Google detailed the financially motivated group's cloud-hijacking campaigns in the 11th edition of its Threat Horizons Report, published on Wednesday.
TripleStrength's activity spans illicit cryptocurrency mining, ransomware and extortion operations, and selling access to compromised accounts on several cloud platforms to other criminals. The platforms include Google Cloud, Microsoft Azure, Amazon Web Services, OVHcloud and DigitalOcean.
“This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity,” Google’s cloud division said. The actor gains its foothold with stolen credentials and session cookies, some of them taken from Raccoon information stealer logs, and uses them to take over victims' cloud accounts.
Once inside, the actor hijacked cloud projects for cryptocurrency mining. Google said, “TripleStrength has adapted their abuse of compromised accounts over time.” Early campaigns used the breached accounts directly to create compute resources for mining.
In later attacks the actor used accounts holding elevated privileges to invite attacker-controlled accounts into the victim's cloud project, and then used those invited accounts to provision large compute resources for mining. Adding a separate identity also gives the attacker a foothold that no longer depends on the originally compromised credential.
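The two steps above (a privileged account granting a project role to an outside principal, then that principal creating large or GPU-backed instances) are exactly what a cloud audit log records. The detection logic below is an added example, not code from Google or the report; it runs over constructed Cloud Audit Log entries trimmed to the fields it uses, and the trusted domain `example.com`, the `MAX_VCPUS` threshold and the sample principals are assumptions.

```python
"""Detection for the cloud-hijacking pattern described above (added example).

Rule 1: SetIamPolicy granting a privileged role to a principal outside the
        organisation's trusted domains ("invite attacker-controlled account").
Rule 2: compute.instances.insert for a large or GPU-backed machine, raised to
        high severity when the caller was invited by rule 1.
The log entries at the bottom are constructed, not real audit data.
"""
import re

# Assumption: identity domains the organisation owns; anything else is external.
TRUSTED_DOMAINS = {"example.com"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/compute.admin"}
# Assumption: a vCPU count this project never needs for legitimate workloads.
MAX_VCPUS = 32
# Matches the size suffix of GCE machine types such as n2-standard-64.
MACHINE_TYPE_RE = re.compile(
    r"(?:^|/)[a-z0-9]+-(?:standard|highcpu|highmem|megamem|ultramem)-(\d+)$")


def vcpus_from_machine_type(machine_type):
    """vCPU count encoded in a machine type name or URL; 0 if not recognised."""
    m = MACHINE_TYPE_RE.search(machine_type)
    return int(m.group(1)) if m else 0


def analyse(entries):
    """Return a list of alert dicts for the entries, in log order."""
    alerts = []
    invited = {}  # external principal email -> account that granted it access

    for entry in entries:
        payload = entry["protoPayload"]
        actor = payload["authenticationInfo"]["principalEmail"]
        project = entry["resource"]["labels"]["project_id"]
        method = payload["methodName"]

        if method == "SetIamPolicy":
            deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for delta in deltas:
                # Members look like "user:alice@example.com" or "serviceAccount:...".
                member = delta["member"].split(":", 1)[-1]
                domain = member.rsplit("@", 1)[-1]
                if (delta["action"] == "ADD" and delta["role"] in PRIVILEGED_ROLES
                        and domain not in TRUSTED_DOMAINS):
                    invited[member] = actor
                    alerts.append({"rule": "external_privileged_grant", "severity": "high",
                                   "project": project, "actor": actor,
                                   "detail": f"{member} granted {delta['role']}"})

        elif method == "v1.compute.instances.insert":
            request = payload.get("request", {})
            vcpus = vcpus_from_machine_type(request.get("machineType", ""))
            gpus = sum(int(a.get("acceleratorCount", 0))
                       for a in request.get("guestAccelerators", []))
            if vcpus > MAX_VCPUS or gpus > 0:
                # An invited outside principal spinning up big compute is the full
                # chain from the report; anyone else is worth a look but lower.
                alerts.append({"rule": "large_compute_created",
                               "severity": "high" if actor in invited else "medium",
                               "project": project, "actor": actor,
                               "detail": f"{request.get('name')}: {vcpus} vCPU, {gpus} GPU"})
    return alerts


def _entry(actor, method, project="victim-proj", **payload_extra):
    """Build a minimal audit-log-shaped entry (constructed test data)."""
    payload = {"methodName": method, "authenticationInfo": {"principalEmail": actor}}
    payload.update(payload_extra)
    return {"protoPayload": payload,
            "resource": {"type": "gce_project", "labels": {"project_id": project}}}


ZONE = "projects/victim-proj/zones/us-central1-a/machineTypes/"
SAMPLE_ENTRIES = [
    # A compromised admin adds an outside account as Owner.
    _entry("admin@example.com", "SetIamPolicy", serviceData={"policyDelta": {
        "bindingDeltas": [{"action": "ADD", "role": "roles/owner",
                           "member": "user:ops.mining@mail.example.net"}]}}),
    # Legitimate small instance from a staff account: no alert.
    _entry("dev@example.com", "v1.compute.instances.insert",
           request={"name": "web-1", "machineType": ZONE + "e2-medium"}),
    # The invited account creates a 64-vCPU machine ...
    _entry("ops.mining@mail.example.net", "v1.compute.instances.insert",
           request={"name": "worker-1", "machineType": ZONE + "n2-standard-64"}),
    # ... and a GPU machine.
    _entry("ops.mining@mail.example.net", "v1.compute.instances.insert",
           request={"name": "worker-2", "machineType": ZONE + "a2-highgpu-1g",
                    "guestAccelerators": [{"acceleratorType": "nvidia-tesla-a100",
                                           "acceleratorCount": 1}]}),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_ENTRIES):
        print(alert)
```

Run as-is it prints three alerts: the Owner grant to the outside account, then two high-severity compute creations by that account, while the staff member's e2-medium goes unflagged. In production the same two rules would be fed from a Cloud Logging sink, and the trusted-domain check is the one that does most of the work, because the actor's invited accounts are by definition outside the victim's organisation.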
The mining itself used the unMiner application and the unMineable mining pool, with CPU- and GPU-optimised algorithms. The actor kept its ransomware operations separate from its cryptomining, targeting on-premises systems rather than cloud infrastructure and using lockers such as RCRU64, Phobos and LokiLocker.
Actors linked to TripleStrength have advertised RCRU64 ransomware-as-a-service on hacking-related Telegram channels and sought partners for ransomware and extortion operations.
Google-owned Mandiant linked TripleStrength to a May 2024 RCRU64 incident in which the adversaries gained initial access over Remote Desktop Protocol (RDP) and executed the ransomware on multiple hosts. The group has also frequently advertised access to compromised servers at hosting providers and cloud platforms on Telegram.
“A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud,” Google said. “This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for subsequent social engineering attacks.”
Google said it has already taken steps against TripleStrength’s activity, including rolling out mandatory multi-factor authentication to prevent account hijacking and improving alerting on sensitive billing actions. Mandatory MFA does not prevent credentials from being stolen, but it means a stolen password alone no longer grants access; Google is also prompting users to confirm that MFA is active on their accounts.