New 'LLMjacking' Attack Exploits Stolen Cloud Credentials

The Sysdig Threat Research Team recently published a study of a new cyberattack, termed “LLMjacking”, that targets cloud-hosted large language model (LLM) services using stolen cloud credentials. The credentials were obtained from a vulnerable version of Laravel (CVE-2021-3120). What makes LLMjacking distinctive is its goal: the attackers sell LLM access to other cybercriminals while the legitimate cloud account owner bears the associated costs. This differs from most prior discussion of attacks on LLM-based AI systems, which has centered on prompt abuse and altering training data.

The study found that the attackers used the exfiltrated cloud credentials to gain access to the cloud environment, where they specifically targeted the LLM models hosted there. Researchers also found evidence that a reverse proxy was used to access the compromised accounts, indicating a sophisticated operation.

Security Officer Comments:
Researchers highlighted the attackers' novel approach to abusing AI models. They emphasized the significant cost of LLM usage and how attackers can run up those costs for victims by invoking the LLM models hosted in the victim's cloud account. For example, targeting a hosted Claude (v2/v3) model from Anthropic could result in over $46,000 of LLM consumption costs per day for the victim. The attackers also showed a broad interest in LLM access across services: they used tooling to check the stolen credentials against ten different AI services, including AWS Bedrock, Azure, and GCP Vertex AI, among others. This indicates a comprehensive and systematic effort to abuse LLM services across various platforms.

Suggested Corrections:
This attack can be prevented in a number of ways, including:

  • Vulnerability management to prevent initial access.
  • Secrets management to ensure credentials are not stored in the clear where they can be stolen.
  • CSPM/CIEM to ensure the abused account holds only the least permissions it needs.
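As an added example, not code from the Sysdig report or from this write-up: a small Python detector run over constructed CloudTrail-style Bedrock records. It groups model invocations and related calls by access key and flags keys that are missing from the owner's issued-key inventory or are used from several source addresses, the pattern a stolen key fronted by a reverse proxy and resold to several buyers would leave. CloudTrail field names are the real schema; the key IDs, addresses, timestamps and sample traffic are constructed.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not from the Sysdig report). Field names follow
# CloudTrail's schema; the key IDs, addresses, timestamps and traffic are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-06T10:01:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAOWNERAPP00000001"},
     "requestParameters": {"modelId": "anthropic.claude-v2"}},
    {"eventTime": "2024-05-06T10:02:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "ListFoundationModels", "sourceIPAddress": "203.0.113.40",
     "userIdentity": {"accessKeyId": "AKIASTOLENKEY0000002"}, "requestParameters": None},
    {"eventTime": "2024-05-06T10:02:30Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "203.0.113.40",
     "userIdentity": {"accessKeyId": "AKIASTOLENKEY0000002"},
     "requestParameters": {"modelId": "anthropic.claude-3-sonnet-20240229-v1:0"}},
    {"eventTime": "2024-05-06T10:03:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModelWithResponseStream", "sourceIPAddress": "203.0.113.41",
     "userIdentity": {"accessKeyId": "AKIASTOLENKEY0000002"},
     "requestParameters": {"modelId": "anthropic.claude-3-sonnet-20240229-v1:0"}},
]
# Inventory of access keys the account owner actually issued (constructed).
KNOWN_ACCESS_KEYS = {"AKIAOWNERAPP00000001"}

def find_llm_abuse(events, known_keys, source="bedrock.amazonaws.com"):
    """Group LLM-service API calls by access key; report keys missing from the owner's
    inventory or used from more than one address (consistent with proxied, resold access)."""
    per_key = defaultdict(lambda: {"calls": 0, "ips": set(), "models": set()})
    for ev in events:
        if ev.get("eventSource") != source:
            continue  # only the LLM service is in scope for this check
        key = ev.get("userIdentity", {}).get("accessKeyId", "<unknown>")
        entry = per_key[key]
        entry["calls"] += 1
        entry["ips"].add(ev.get("sourceIPAddress"))
        model = (ev.get("requestParameters") or {}).get("modelId")  # null for list/probe calls
        if model:
            entry["models"].add(model)
    findings = []
    for key, entry in per_key.items():
        reasons = []
        if key not in known_keys:
            reasons.append("access key not in the issued-key inventory")
        if len(entry["ips"]) > 1:
            reasons.append(f"used from {len(entry['ips'])} source addresses")
        if reasons:
            findings.append({"accessKeyId": key, "calls": entry["calls"],
                             "models": sorted(entry["models"]), "reasons": reasons})
    return findings
```

In practice the inventory would come from IAM (the keys the account actually issued) and the events from the CloudTrail data lake or a SIEM; the per-key call count is also the natural input for the spend alert that catches a $46,000-per-day consumption pattern early.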