Full Report
On November 26, 2024, Wiz Threat Research identified JINX-2401, a threat actor attempting to hijack LLM models in multiple AWS environments using compromised IAM credentials. The attackers leveraged compromised IAM user keys to gain access, perform privilege escalation, and es...
Analysis Summary
# Threat Actor: JINX-2401
## Attribution & Identity
**Identification:** JINX-2401 (Identified by Wiz Threat Research).
**Aliases/Associations:** No known aliases or associated groups provided in the summary.
## Activity Summary
JINX-2401 was identified attempting to hijack LLM models deployed within multiple AWS environments starting around November 26, 2024. The overarching goal was to gain unauthorized access to and control over these generative AI resources. Although the actor achieved initial access and privilege escalation in some cases, their final objective—invoking AWS Bedrock models—was successfully thwarted primarily by existing Service Control Policies (SCPs).
## Tactics, Techniques & Procedures
- **Initial Access:** Leveraged compromised IAM user access keys (AKIA).
- **Privilege Escalation:** Gained elevated permissions, reportedly achieving Administrator Access in at least one probed environment.
- **Persistence/Establishment:** Created new IAM users specifically with policies granting access to Bedrock. Set up console profiles, likely to complete necessary LLM agreement/TOS steps required before model invocation.
- **Model Access Attempt:** Attempted to establish access using API calls such as `PutUseCaseForModelAccess` and `CreateFoundationModelAgreement`.
- **Execution Method:** Used a Python script to interact with AWS APIs.
## Targeting
- **Sectors:** Not explicitly detailed, but focused on organizations utilizing Amazon Bedrock (cloud-native LLM services).
- **Geography:** Unknown, based on the use of ProtonVPN IPs obscuring the true origin.
- **Victims:** Multiple AWS environments running LLM models, though specific organizations were not named.
## Tools & Infrastructure
- **Malware Families:** None explicitly named.
- **Tools/Services:** Utilized **ProtonVPN** IP addresses for originating API calls and a **Python script** for execution.
- **Infrastructure:** ProtonVPN IP addresses.
## Implications
JINX-2401 highlights a growing trend of attackers targeting cloud-native AI infrastructure (LLMs) rather than just traditional compute/data stores. The actor demonstrated sophistication in understanding AWS IAM controls necessary to interact with new services (like Bedrock agreement workflows). Their success in achieving high-level permissions indicates a significant internal compromise before being stopped at the final usage stage by preventative SCPs.
## Mitigations
- Review and enforce strong **Service Control Policies (SCPs)**, particularly to restrict access to high-value services like AWS Bedrock until strictly necessary and authorized.
- **Proactive Credential hygiene:** Immediately rotate any compromised IAM user keys/credentials.
- Monitor for suspicious IAM activity indicative of privilege escalation, specifically the creation of new users with permissive policies targeting AI services (`PutUseCaseForModelAccess`, etc.).
- Monitor for API calls originating from known commercial VPN/proxy services attempting to establish cloud control plane access.