LLMjacking: Stolen Cloud Credentials Used in New AI Attack

LLMjacking is a newly observed form of cyberattack where stolen cloud credentials are used to target large language model (LLM) services hosted by cloud providers, with the intent to sell LLM access to other cybercriminals while the original cloud account owner incurs the costs. The attack was facilitated through vulnerabilities in systems like Laravel and involved accessing multiple LLM services, including AWS Bedrock and Azure, without running legitimate queries during the verification phase. By exploiting these credentials, attackers can accumulate significant charges, potentially up to $46,000 per day, while also preventing the legitimate use of these models by the compromised organization. The attack demonstrated a strategic use of seemingly legitimate API requests to test the limits of access without immediate detection, employing tools like reverse proxies to manage access across compromised accounts. Effective detection and prevention strategies include robust vulnerability management, secrets management, and detailed monitoring of cloud activities to identify suspicious behavior early and secure cloud environments from such threats.