Report: Hackers Target Misconfigured Proxies to Access Paid LLM Services
Threat actors are systematically hunting for misconfigured proxy servers that could provide access to commercial large language model (LLM) services.
In an ongoing campaign that started in late December, the attackers have probed more than 73 LLM endpoints and generated over 80,000 sessions.
According to threat monitoring platform GreyNoise, the threat actors use low-noise prompts to query endpoints in an attempt to determine the accessed AI model without triggering a security alert.
GreyNoise says in a report that over the past four months, its Ollama honeypot caught a total of 91,403 attacks that are part of two distinct campaigns.
One operation started in October and is still active, with a spike of 1,688 sessions over 48 hours around Christmas. It exploits server-side request forgery (SSRF) vulnerabilities that allow the actor to force a server to connect to attacker-controlled external infrastructure.
According to the researchers, the attacker behind this operation achieved its goals by using Ollama's model pull functionality to inject malicious registry URLs and Twilio SMS webhook integrations through the MediaURL parameter.
However, based on the tools used, GreyNoise points out that the activity likely originates from security researchers or bug bounty hunters, as they used ProjectDiscovery's OAST (Out-of-band Application Security Testing) infrastructure, which is typically used in vulnerability assessments.
"OAST callbacks are standard vulnerability research techniques. But the scale and Christmas timing suggest grey-hat operations pushing boundaries" - GreyNoise
Telemetry data revealed that the campaign originated from 62 IP addresses across 27 countries that exhibit VPS-like characteristics rather than signs of botnet operation.
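One way a defender could surface the pull-based SSRF attempts described above in their own logs, as an added example that is not code from GreyNoise or Ollama: it flags `POST /api/pull` requests whose model reference names a registry host outside an allowlist. The log format, the allowlist contents and every sample line are constructed assumptions.

```python
import json

# Assumption: the only registry this deployment is expected to pull from.
ALLOWED_REGISTRIES = {"registry.ollama.ai"}

def log_line(src, path, body):  # builds one record in a hypothetical proxy log format
    return json.dumps({"src": src, "method": "POST", "path": path, "body": body})

# Constructed sample input, not real telemetry; hosts and IPs are placeholders.
SAMPLE_LOG = [
    log_line("198.51.100.10", "/api/pull", '{"model": "llama3:8b"}'),
    log_line("198.51.100.10", "/api/pull", '{"model": "registry.ollama.ai/library/mistral:7b"}'),
    log_line("203.0.113.7", "/api/pull", '{"model": "http://callback.oast.example/ns/probe:latest"}'),
    log_line("203.0.113.7", "/api/pull", '{"name": "203.0.113.99:5000/ns/probe"}'),
    log_line("203.0.113.8", "/api/generate", '{"model": "llama3:8b", "prompt": "hi"}'),
    log_line("203.0.113.9", "/api/pull", "{truncated"),
]

def registry_host(model_ref):
    """Registry host named in a model reference, or None (simplified, not Ollama's parser)."""
    ref = model_ref.strip()
    if "://" in ref:  # drop an explicit scheme
        ref = ref.split("://", 1)[1]
    parts = ref.split("/")
    first = parts[0]
    # A leading component counts as a host only if more path follows and it looks like one.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        return first.split(":")[0].lower()
    return None

def find_suspicious_pulls(log_lines, allowed=ALLOWED_REGISTRIES):
    """Return (source IP, registry host) for pulls that name a non-allowlisted registry."""
    hits = []
    for raw in log_lines:
        try:
            entry = json.loads(raw)
            if entry.get("method") != "POST" or entry.get("path") != "/api/pull":
                continue
            body = json.loads(entry.get("body") or "{}")
            ref = str(body.get("model") or body.get("name") or "")
        except (ValueError, TypeError, AttributeError):
            continue  # unparseable record or body: skip it
        host = registry_host(ref)
        if host and host not in allowed:
            hits.append((entry.get("src"), host))
    return hits

if __name__ == "__main__":
    print(find_suspicious_pulls(SAMPLE_LOG))
```

This check depends on request bodies being logged. Where they are not, restricting the Ollama host's outbound connections to the allowlisted registry addresses the same risk at the network layer.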
GreyNoise observed a second campaign starting on December 28 and detected a high-volume enumeration effort to identify exposed or misconfigured LLM endpoints.
Source: BleepingComputer