Summary: Google’s Threat Analysis Group has revealed the existence of the TRIPLESTRENGTH threat actor group, which has been active since 2020. The group employs a dual strategy of ransomware attacks and illicit cryptocurrency mining, primarily targeting major cloud service providers while maintaining a presence on hacker forums. Their operations, characterized by a lack of sophisticated techniques, have resulted in significant financial impacts on victim organizations.
Affected: Cloud service providers (Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean)
Key points:
- TRIPLESTRENGTH combines ransomware deployment with the control of cloud accounts for cryptocurrency mining.
- Unlike typical cybercriminals, the group focuses exclusively on encryption without engaging in data theft or leaks.
- Their tactics involve simple brute-force attacks to access remote desktop servers, followed by lateral movement within networks.
- Notable attacks include a May 2024 incident where they deployed RCRU64 after accessing an RDP server.
- Despite limited individual profits, their impact on victims can lead to inflated cloud service bills, potentially costing organizations hundreds of thousands of dollars.
- Over 600 cryptocurrency transactions linked to their activities indicate a surge in their operations.
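A defender-side illustration of the RDP brute-force tactic noted above, added here as an example rather than code from the original report: it counts failed RDP logons (Windows Event ID 4625, logon type 10) per source address in a sliding window over a constructed log sample, records which accounts were tried, and raises the priority when a successful logon follows the burst. The record layout, the five-failure threshold and the five-minute window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not from any real host).
# Fields: timestamp, event_id, logon_type, source_ip, target_user.
# Event ID 4625 = failed logon, 4624 = successful logon;
# logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-05-01T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2024-05-01T02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2024-05-01T02:00:09", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-05-01T02:00:12", 4625, 10, "203.0.113.7", "sysadmin"),
    ("2024-05-01T02:00:14", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2024-05-01T02:01:30", 4624, 10, "203.0.113.7", "backup"),   # success after the burst
    ("2024-05-01T08:15:00", 4625, 10, "198.51.100.4", "jdoe"),    # single typo, benign
    ("2024-05-01T08:15:20", 4624, 10, "198.51.100.4", "jdoe"),
    ("2024-05-01T09:00:00", 4625, 2, "127.0.0.1", "jdoe"),         # console logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.

    Returns {source_ip: {"failures": n, "users": set, "success_after": bool}}.
    """
    recent = defaultdict(deque)  # per-IP (timestamp, user) of failures still in the window
    alerts = {}
    for ts_str, event_id, logon_type, src, user in sorted(events):
        if logon_type != 10:
            continue  # only RDP (RemoteInteractive) sessions are of interest here
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)  # many distinct users = spraying pattern
        elif event_id == 4624 and src in alerts:
            # A success from an address already flagged is the highest-priority signal:
            # it is the point at which a guessed password turns into a foothold.
            alerts[src]["success_after"] = True
    return alerts
```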
Source: https://securityonline.info/triplestrength-threat-actor-group-ransomware-mining-and-server-hacks/