LLMjacking: New Attack Steals Cloud Credentials for AI Profit
Sysdig researchers have uncovered a novel attack in which stolen cloud credentials are used to reach cloud-hosted large language model (LLM) services, with the aim of reselling that access to other criminals. The attack, dubbed LLMjacking, targeted Anthropic's Claude models (v2/v3).
The attacker first broke into a system running a vulnerable version of the Laravel framework (RCE vulnerability CVE-2021-3129, CVSS score: 9.8) and from there obtained Amazon Web Services (AWS) credentials that granted access to LLM services.
Among the tools employed was an open-source Python script that checks whether API keys for a range of services, including Anthropic, AWS Bedrock, Google Cloud Vertex AI, Mistral, and OpenAI, are valid.
The attacker used the services' own APIs to verify the stolen credentials quietly. For instance, a model invocation request with the “max_tokens_to_sample” parameter set to -1 is rejected with a “ValidationException” rather than an access-denied error: the call was authorized and only its parameters were invalid, which confirms that the compromised account can reach the model. No completion is actually generated during this check, so it consumes no tokens; establishing that the credentials carry the necessary rights is enough.
Furthermore, the attacker used the oai-reverse-proxy tool, which sits in front of the LLM APIs as a reverse proxy, allowing them to sell access to the compromised accounts without ever handing the underlying credentials to buyers.
Sysdig explained that this departs from the more familiar attacks on LLMs, such as prompt injection and model poisoning: rather than abusing the model itself, it monetizes access to the model while the cloud account owner unknowingly foots the bill. According to Sysdig, such an attack could run up LLM service costs exceeding $46,000 per day for the victim.
Using LLMs is expensive, and the cost depends on the model and the number of tokens consumed. By exhausting quota limits, attackers can also lock the compromised organization out of the models, disrupting business operations.
Organizations are advised to enable detailed logging and monitor cloud logs for suspicious or unauthorized activity, and to maintain effective vulnerability management so that attackers never gain the initial foothold. On AWS that means, at a minimum, keeping CloudTrail enabled and watching model invocation calls, including their error codes, for principals or source addresses that have no business using these services.
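The credential check described above (an authorized call rejected with a ValidationException) and the log-monitoring advice both point at the same detection: look for model invocations that were authorized but never produced a completion, and for model use from unexpected places. The following Python example is added here to illustrate that logic; it is not code from Sysdig or from the article, and it assumes the AWS Bedrock case, since the article lists Bedrock among the services the attacker's key checker covers. The log records are constructed for the example in CloudTrail's field layout (eventSource, eventName, errorCode, userIdentity, sourceIPAddress); the account id, principal names and IP addresses are made up, and the `known_ips` allow-list is a hypothetical input the caller supplies.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records for this example only (not real logs).
# Field names follow the CloudTrail record schema; the account id, principals
# and IP addresses are made up. "ci-deploy" plays the compromised credential:
# two InvokeModel calls rejected on validation (the silent key check), then a
# real invocation. "app-role" is legitimate baseline use from an internal host.
SAMPLE_EVENTS = """
{"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.7", "requestParameters": {"modelId": "anthropic.claude-v2"}, "errorCode": "ValidationException", "errorMessage": "Malformed input request, please reformat your input and try again."}
{"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.7", "requestParameters": {"modelId": "anthropic.claude-3-sonnet-20240229-v1:0"}, "errorCode": "ValidationException", "errorMessage": "Malformed input request, please reformat your input and try again."}
{"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.7", "requestParameters": {"modelId": "anthropic.claude-v2"}}
{"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-reader"}, "sourceIPAddress": "203.0.113.7", "requestParameters": {"modelId": "anthropic.claude-v2"}, "errorCode": "AccessDeniedException", "errorMessage": "User is not authorized to perform: bedrock:InvokeModel"}
{"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"}, "sourceIPAddress": "10.0.1.5", "requestParameters": {"modelId": "anthropic.claude-v2"}}
{"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.7"}
"""

# A ValidationException means IAM authorized the call and only the request body
# was rejected: the credential works for this model, but no completion ran and
# nothing was billed. AccessDeniedException means the key lacks the permission.
PROBE_ERROR = "ValidationException"
DENIED_ERROR = "AccessDeniedException"


def parse_events(text):
    """Parse newline-delimited JSON CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_bedrock_use(events):
    """Group Bedrock InvokeModel activity by (principal ARN, source IP).

    Each entry counts authorized-but-invalid calls ("probes"), outright
    denials, successful invocations, and the set of model ids touched.
    """
    summary = defaultdict(
        lambda: {"probes": 0, "denied": 0, "invocations": 0, "models": set()}
    )
    for ev in events:
        if ev.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if ev.get("eventName") != "InvokeModel":
            continue
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"])
        entry = summary[key]
        entry["models"].add(ev.get("requestParameters", {}).get("modelId", "?"))
        err = ev.get("errorCode")
        if err == PROBE_ERROR:
            entry["probes"] += 1
        elif err == DENIED_ERROR:
            entry["denied"] += 1
        elif err is None:
            entry["invocations"] += 1
    return summary


def find_llmjacking_candidates(events, known_ips=frozenset()):
    """Return (principal, IP) pairs whose Bedrock use matches the article's pattern.

    A pair is flagged when it issued at least one InvokeModel call that was
    authorized but rejected on validation (a credential check that leaves no
    billed completion behind) or when it used Bedrock from a source IP outside
    the caller-supplied set of known addresses (hypothetical allow-list).
    Findings are sorted by ARN.
    """
    findings = []
    for (arn, ip), s in summarize_bedrock_use(events).items():
        reasons = []
        if s["probes"] > 0:
            reasons.append(f"{s['probes']} InvokeModel call(s) returned {PROBE_ERROR}")
        if ip not in known_ips:
            reasons.append(f"Bedrock use from unexpected source IP {ip}")
        if reasons:
            findings.append({
                "arn": arn, "ip": ip, "reasons": reasons,
                "probes": s["probes"], "denied": s["denied"],
                "invocations": s["invocations"], "models": sorted(s["models"]),
            })
    return sorted(findings, key=lambda f: f["arn"])


if __name__ == "__main__":
    for f in find_llmjacking_candidates(parse_events(SAMPLE_EVENTS), known_ips={"10.0.1.5"}):
        print(f["arn"], f["ip"], f["models"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed records with `known_ips={"10.0.1.5"}`, the script flags `ci-deploy` at 203.0.113.7 for two validation-rejected probes followed by a real invocation, and `backup-reader` at the same address for Bedrock use from an unknown IP (its call was denied outright, which is the other half of the key-checking pattern: a key that fails here is simply discarded by the attacker). The legitimate `app-role` traffic is not reported. The point of counting probes separately is that a ValidationException on InvokeModel looks harmless in isolation; a burst of them across several model ids from one credential, with no successful call before them, is the signature of someone checking what a stolen key can do.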