Specialists Sysdig discovered a new attack scheme, during Which stolen accounting data to cloud services are used to access the services of cloud LLM models in order to sell access to other cybercriminals. The detected attack was aimed at the Claude (V2/V3) model from Anthropic and was called Llmjacking.
To carry out the attack, the attacker hacked the system with the vulnerable version of the Framwar Laravel (RCE-vulnerability CVE-2021-3129 with the CVSS: 9.8), after which it took possession of the Amazon Web Services (AWS) accounting data to access LLM services.
Among the tools used – an open source Python script, which checks the keys for various services from Anthropic, AWS Bedrock, Google Cloud Vertex Ai, Mistral and Openai.
The attacker used the API to verify his authority without attracting attention. For example, sending a request with the Max_ToKens_to_SAMPLE parameter installed by -1 does not cause access error, but returns the exception of “ValidationException”, which confirms the availability of the victim of access to the service. It is noted that during the audit, no requests for LLM were executed. It was enough to establish which rights have accounts.
In addition, cybercriminals used the instrument oai-reverse-proxy, which acts as a reverse proxy server for the API LLM models, which allows you to sell access to compromised accounts without disclosing the source accounting data.
The attack chain llmjacking
SYSDIG explained what deviation from traditional attacks aimed at introducing commands and “poisoning” models allows hackers to monetize access to LLM, while the owner of the cloud account pays accounts without suspecting it. According to Sysdig, such an attack can lead to the cost of LLM services more than $ 46,000 per day for the victim.
The use of LLM can be expensive, depending on the model and the number of tokens submitted to it. By maximizing quotas restrictions, attackers can also prevent the compromised organization to use models, violating business operations.
organizations are recommended to include detailed maintenance of magazines and control cloud magazines for suspicious or unauthorized activity, as well as ensure effective vulnerabilities management to prevent initial access.