
New “LLMjacking” attack exploits stolen cloud credentials

A recent study by the Sysdig Threat Research Team (TRT) has shed light on a novel cyberattack called “LLMjacking,” which uses stolen cloud credentials to abuse cloud-hosted Large Language Model (LLM) services.

According to a blog post published on May 6, the attackers gained access to these credentials via a vulnerable version of Laravel (CVE-2021-3129).

In contrast to previous discussions on LLM-based artificial intelligence (AI) systems, where the focus is on prompt abuse and altering training data, this attack aimed to sell LLM access to other cybercriminals while making the rightful owner of the cloud account bear the costs.

“Attackers are finding more ways to exploit AI models than we originally expected. This result is further proof that attackers are innovating – it’s proof that they want not just the data you feed into LLMs, but also access to your LLMs,” said Crystal Morin, cybersecurity strategist at Sysdig Information security.

In this case, the attackers captured cloud credentials to gain access to the cloud environment and targeted LLM models hosted by cloud providers. For example, they targeted Anthropic’s Claude model (v2/v3), which, if left undetected, could incur over $46,000 per day in LLM consumption costs for the victim.

“Using LLMs is costly. Attackers can consume LLM resources—asking questions and receiving answers—for a variety of reasons. They could ask questions to get to your sensitive data, develop malicious code or find vulnerabilities. The possibilities are endless right now,” Morin added.

Researchers also discovered evidence that a reverse proxy was used to access compromised accounts. Additionally, the attackers showed interest in accessing LLM models across different services and used tools to verify credentials for ten different AI services, including AWS Bedrock, Azure, and GCP Vertex AI, among others.

“Attackers know that LLMs and their data are of interest to others,” Morin concluded. “If they can just sell access to it, why should they bother sorting through all the data themselves?”

To mitigate such attacks, Sysdig recommended implementing vulnerability and secrets management procedures as well as Cloud Security Posture Management (CSPM) or Cloud Infrastructure Entitlement Management (CIEM) solutions to minimize privileges and prevent unauthorized access.
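As an added example (not Sysdig's code or the article's), the kind of check a defender could run over CloudTrail-style audit records to catch the pattern described here: LLM invocations by an unexpected principal, from an address outside the expected network, or at unusual volume. It assumes AWS CloudTrail's field names for Bedrock calls and uses constructed sample events, principals and addresses.

```python
"""Spot suspicious cloud-hosted LLM invocations in CloudTrail-style records.
Added example, not Sysdig's code; assumes AWS CloudTrail's shape for Bedrock
calls (eventSource "bedrock.amazonaws.com", eventName "InvokeModel" or
"InvokeModelWithResponseStream"). All principals, addresses, events: constructed."""
import json
from collections import Counter

ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/svc"  # constructed, approved
USER = "arn:aws:iam::111122223333:user/ci-deploy"             # constructed, not approved
APPROVED_PRINCIPALS = {ROLE}
APPROVED_NETWORKS = ("10.0.",)  # constructed prefix; use proper CIDR matching in production
BEDROCK, LLM_CALLS = "bedrock.amazonaws.com", {"InvokeModel", "InvokeModelWithResponseStream"}
CLAUDE2, CLAUDE3 = "anthropic.claude-v2", "anthropic.claude-3-sonnet-20240229-v1:0"

def _event(source, name, arn, ip, model=None):
    """Build one constructed CloudTrail-style record as a JSON line."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if model:
        rec["requestParameters"] = {"modelId": model}
    return json.dumps(rec)

# Constructed sample log: normal app traffic, an unrelated S3 call, then a leaked user key driving Claude calls from outside.
SAMPLE_EVENTS = [
    _event(BEDROCK, "InvokeModel", ROLE, "10.0.1.5", CLAUDE2),
    _event(BEDROCK, "InvokeModelWithResponseStream", ROLE, "10.0.1.5", CLAUDE2),
    _event("s3.amazonaws.com", "GetObject", ROLE, "10.0.1.5"),
    _event(BEDROCK, "InvokeModel", USER, "203.0.113.9", CLAUDE3),
    _event(BEDROCK, "InvokeModel", USER, "203.0.113.9", CLAUDE3),
]

def find_suspicious(raw_lines, max_per_principal=100):
    """One alert per LLM call by an unapproved principal, from outside the approved
    networks, or after a principal exceeds max_per_principal calls in this batch."""
    alerts, counts = [], Counter()
    for line in raw_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != BEDROCK or ev.get("eventName") not in LLM_CALLS:
            continue  # only LLM invocations matter for this detection
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        counts[arn] += 1
        # Each (ok, reason) pair is a guardrail; a failed guardrail adds its reason.
        reasons = [r for ok, r in (
            (arn in APPROVED_PRINCIPALS, "unapproved principal"),
            (ev.get("sourceIPAddress", "").startswith(APPROVED_NETWORKS), "external source address"),
            (counts[arn] <= max_per_principal, "invocation volume above threshold")) if not ok]
        if reasons:
            alerts.append({"principal": arn, "reasons": reasons,
                           "model": ev.get("requestParameters", {}).get("modelId")})
    return alerts
```

In practice the per-principal cap would be applied over a time window from CloudTrail or Bedrock model invocation logs rather than over a single batch.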
