New ‘LLMjacking’ Attack Exploits Stolen Cloud Credentials
A recent study conducted by the Sysdig Threat Research Team (TRT) has shed light on a novel cyber attack dubbed “LLMjacking,” which exploits stolen cloud credentials to target cloud-hosted large language model (LLM) services.
The attackers gained access to these credentials from a vulnerable version of Laravel (CVE-2021-3129), according to a blog post published on May 6.
Unlike previous discussions surrounding LLM-based Artificial Intelligence (AI) systems, which focused on prompt abuse and altering training data, this attack aimed to sell LLM access to other cyber-criminals while the legitimate cloud account owner incurred the costs.
“Attackers are finding more ways to exploit AI models than we initially expected. This finding is proof, yet again, that attackers are innovative — it’s evidence that they don’t just want the data you’re feeding into LLMs, they also want access to your LLMs,” Crystal Morin, cybersecurity strategist at Sysdig, told Infosecurity.
In this instance, the attackers exfiltrated cloud credentials to gain access to the cloud environment, where they targeted local LLM models hosted by cloud providers. For instance, they targeted a local Claude (v2/v3) LLM model from Anthropic, which, if left undetected, could result in over $46,000 of LLM consumption costs per day for the victim.
“LLM use is costly. Attackers may consume LLM resources — asking questions and receiving answers — on your dime for all kinds of reasons. They could be asking questions in an attempt to pull your sensitive data out, to develop malicious code or to find vulnerabilities. The options, at this point, are endless,” Morin added.
The researchers also uncovered evidence of a reverse proxy being used to access compromised accounts. Moreover, the attackers demonstrated interest in accessing LLM models across different services, utilizing tools to check credentials for ten different AI services, including AWS Bedrock, Azure and GCP Vertex AI, among others.
“Attackers know that LLMs and their data are of interest to others,” Morin concluded. “If they can just sell access to it, why would they bother sorting through all the data themselves?”
To mitigate such attacks, Sysdig recommended implementing vulnerability and secrets management practices, along with Cloud Security Posture Management (CSPM) or Cloud Infrastructure Entitlement Management (CIEM) solutions, to minimize permissions and prevent unauthorized access.