Attackers used stolen cloud credentials to illegally access and abuse large language model (LLM) services across ten different AI platforms, potentially costing victims over $46,000 per day in unauthorized usage fees.
The Sysdig Threat Research Team discovered a new attack, which it named 'LLMjacking', in which cybercriminals used stolen cloud credentials to target ten cloud-hosted large language model services. The attackers initially gained access through a vulnerable Laravel system (CVE-2021-3129), then exfiltrated cloud credentials and used them to reach cloud environments hosting LLMs, specifically a local Claude (v2/v3) model from Anthropic on AWS Bedrock. They used automated scripts to test the credentials against AI21 Labs, Anthropic, AWS Bedrock, Azure, ElevenLabs, MakerSuite, Mistral, OpenAI, OpenRouter, and GCP Vertex AI. Their techniques included intentionally triggering validation errors to confirm model access without immediate detection, querying logging configurations to avoid monitoring, and running reverse proxy servers to sell the access to other cybercriminals.

The attack volume increased significantly, with over 85,000 requests detected in July 2024 alone, including 61,000 requests in a single three-hour window. Attackers were observed using the stolen access for various purposes, including bypassing sanctions (particularly by Russian users), role-playing conversations, image analysis, and selling access to banned users. If undiscovered, such attacks could cost victims over $46,000 per day in LLM consumption costs when using Claude 2.x, with costs potentially exceeding $100,000 daily for newer models like Claude 3 Opus.
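Detection logic for the three behaviours the summary describes (validation-error probing, logging-configuration lookups, and abnormal invocation volume), as an added example that is neither part of this record nor Sysdig's code. It runs over constructed CloudTrail-style events; the Bedrock event names and the ValidationException error code are AWS's, while the ARNs, counts and volume threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed CloudTrail-style records for illustration: field names and the
# Bedrock event names are AWS's, the ARNs and counts are made up.
ATTACKER = "arn:aws:iam::111111111111:user/web-app"      # key assumed stolen from the Laravel host
LEGIT = "arn:aws:iam::111111111111:role/chatbot-backend"  # assumed normal workload
SAMPLE_EVENTS = (
    [{"eventName": "GetModelInvocationLoggingConfiguration", "userIdentity": {"arn": ATTACKER}}]
    + [{"eventName": "InvokeModel", "userIdentity": {"arn": ATTACKER}, "errorCode": "ValidationException"}] * 2
    + [{"eventName": "InvokeModel", "userIdentity": {"arn": ATTACKER}}] * 120
    + [{"eventName": "InvokeModelWithResponseStream", "userIdentity": {"arn": LEGIT}}] * 5
)

INVOKE_CALLS = {"InvokeModel", "InvokeModelWithResponseStream"}
LOGGING_RECON = {"GetModelInvocationLoggingConfiguration"}


def detect_llmjacking(events, volume_threshold=100):
    """Map each caller ARN to the suspicious behaviours seen for it.

    credential_probe - a ValidationException on a model call still tells the caller
                       the key is valid and authorised, with no inference billed;
    logging_recon    - reading the invocation-logging configuration reveals whether
                       prompts are being recorded;
    abnormal_volume  - successful invocations at or above the threshold (an assumed
                       value; tune per account and time window).
    """
    probes, recon, volume = Counter(), Counter(), Counter()
    for ev in events:
        ident = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        if name in LOGGING_RECON:
            recon[ident] += 1
        elif name in INVOKE_CALLS:
            if ev.get("errorCode") == "ValidationException":
                probes[ident] += 1
            else:
                volume[ident] += 1
    findings = defaultdict(list)
    for ident, n in probes.items():
        findings[ident].append(f"credential_probe: {n} ValidationException(s) on model invocation")
    for ident, n in recon.items():
        findings[ident].append(f"logging_recon: {n} invocation-logging configuration lookup(s)")
    for ident, n in volume.items():
        if n >= volume_threshold:
            findings[ident].append(f"abnormal_volume: {n} successful invocations")
    return dict(findings)
```

A single ValidationException is a weak signal on its own, since legitimate clients also trigger it; the value is in correlating it with the logging lookup and the volume spike on the same principal.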
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
Using AI systems to gain a personal advantage over others such as through cheating, fraud, scams, blackmail or targeted manipulation of beliefs or behavior. Examples include AI-facilitated plagiarism for research or education, impersonating a trusted or fake individual for illegitimate financial benefit, or creating humiliating or sexual imagery.
Human
Due to a decision or action made by humans
Intentional
Due to an expected outcome from pursuing a goal
Post-deployment
Occurring after the AI model has been trained and deployed
No population impact data reported.