# Incident Report: LLMJacking for Illicit AI Chatbots Using Exposed AWS Keys
## Executive Summary
In September 2024, threat actors executed a campaign exploiting publicly exposed AWS access keys (AKIA keys) predominantly found on GitHub. This allowed unauthorized access to AWS Bedrock services, which were then hijacked to operate illicit, policy-violating AI-powered roleplay chatbots. The incident resulted in approximately 75,000 unauthorized model invocations over 48 hours before AWS implemented preventative controls.
## Incident Details
- Discovery Date: Early August 2024 (Observation period for researchers)
- Incident Date: September 2024 (Campaign focus), with activity observed in early August.
- Affected Organization: AWS Customers whose exposed AKIA keys were utilized.
- Sector: Technology/Cloud Services (AWS) and subsequent usage by content platforms.
- Geography: Unspecified, involving global AWS infrastructure.
## Timeline of Events
### Initial Access
- Date/Time: Early August 2024 (Observation start)
- Vector: Compromised long-lived AWS access keys (AKIA keys).
- Details: Keys were discovered through GitHub repository scanning.
### Lateral Movement
- Details: Upon initial access, the attackers immediately targeted AWS Bedrock services. No complex lateral movement within the compromised AWS environments was detailed beyond resource hijacking.
### Data Exfiltration/Impact
- Details: Resource hijacking occurred, leading to approximately 75,000 successful invocations of foundation models (e.g., Anthropic Claude) used to generate policy-violating content, including sexual/violent material and instances of CSEM.
### Detection & Response
- Detection: Researchers observed the abnormal usage patterns.
- Response Actions: AWS updated the `AWSCompromisedKeyQuarantineV2` policy on October 2, 2024, to explicitly block Bedrock operations for compromised keys.
## Attack Methodology
- Initial Access: Credential theft via searching public GitHub repositories for exposed AWS AKIA keys.
- Persistence: Relied on the long-lived access keys themselves; access persisted until the keys were deactivated or policy changes blocked it.
- Privilege Escalation: Not explicitly detailed; successful access to the Bedrock `InvokeModel` API is implied.
- Defense Evasion: Used undocumented APIs (`GetFoundationModelAvailability`) and fabricated business justifications to bypass standard console access checks.
- Credential Access: Harvesting previously exposed environment secrets/keys.
- Discovery: Checking model availability via Bedrock APIs.
- Lateral Movement: N/A (Focus was on resource utilization within the existing permission boundaries).
- Collection: Not data collection in the traditional sense, but resource utilization/compute hijacking.
- Exfiltration: N/A (Compute cycles were used to generate content, which was presumably sent to the threat actor's endpoint, Chub[.]ai).
- Impact: Resource exhaustion/abuse, and generation of illegal/harmful content.
## Impact Assessment
- Financial: Costs associated with unauthorized cloud compute usage (unspecified).
- Data Breach: No direct customer data breach was reported, but CSEM-related content was generated.
- Operational: Disruption of Bedrock services due to massive unauthorized invocation load (75,000 calls over 48 hours).
- Reputational: Negative impact due to platform abuse generating policy-violating material.
## Indicators of Compromise
- Network Indicators: Invocations originating from 12 distinct ASNs.
- File Indicators: None specified.
- Behavioral Indicators: High volume of `InvokeModel` or `GetFoundationModelAvailability` API calls targeting Bedrock, potentially using non-standard justification fields.
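
One way to turn the behavioral indicator above into a check, as an added example that is not part of the original report: it counts `InvokeModel` and `GetFoundationModelAvailability` calls per long-lived key in a sliding one-hour window over CloudTrail-style records. The thresholds, the helper names and the sample events are constructed assumptions, and distinct source IPs stand in for the ASN count, which would need an external IP-to-ASN lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED = {"InvokeModel", "GetFoundationModelAvailability"}
WINDOW = timedelta(hours=1)
MAX_CALLS, MAX_SOURCES = 5, 3  # assumed per-key, per-window thresholds
FMT = "%Y-%m-%dT%H:%M:%SZ"     # CloudTrail eventTime format (UTC)

def find_suspect_keys(records):
    """Map each long-lived key (AKIA...) to the reasons it was flagged."""
    per_key = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId", "")
        if (rec.get("eventSource") == "bedrock.amazonaws.com"
                and rec.get("eventName") in WATCHED
                and key.startswith("AKIA")):  # static IAM user key, not a role session
            when = datetime.strptime(rec["eventTime"], FMT)
            per_key[key].append((when, rec.get("sourceIPAddress")))
    findings = {}
    for key, events in per_key.items():
        events.sort(key=lambda e: e[0])
        reasons, start = set(), 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > WINDOW:  # slide the window forward
                start += 1
            window = events[start:end + 1]
            if len(window) > MAX_CALLS:
                reasons.add("volume")
            if len({ip for _, ip in window}) > MAX_SOURCES:
                reasons.add("many-sources")
        if reasons:
            findings[key] = sorted(reasons)
    return findings

def event(minute, name, key, ip):
    when = datetime(2024, 9, 1, 10, 0) + timedelta(minutes=minute)
    return {"eventTime": when.strftime(FMT), "eventName": name,
            "eventSource": "bedrock.amazonaws.com", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}

# Constructed sample: a burst from one static key, a quiet static key, a role session.
SAMPLE = (
    [event(i, "InvokeModel" if i else "GetFoundationModelAvailability",
           "AKIAEXAMPLEKEY000001", f"198.51.100.{i % 4 + 1}") for i in range(8)]
    + [event(i * 90, "InvokeModel", "AKIAEXAMPLEKEY000002", "203.0.113.9")
       for i in range(6)]
    + [event(i, "InvokeModel", "ASIAEXAMPLEKEY000003", "203.0.113.10")
       for i in range(10)]
)
```

Only the first sample key is flagged, for both volume and source spread; the temporary-credential session is skipped because this check is scoped to long-lived keys.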
## Response Actions
- Containment Measures: AWS policy update implemented on October 2, 2024.
- Eradication Steps: Deactivation of compromised keys (implied, standard practice).
- Recovery Actions: Mitigation via policy enforcement to prevent future Bedrock abuse via compromised keys.
## Lessons Learned
- The widespread exposure of long-lived credentials (AKIA keys) on public code repositories remains a critical initial access vector.
- Cloud providers and users must be aware of undocumented or less-monitored APIs that can be leveraged by attackers for resource abuse.
- Automated tooling is needed to detect large-scale abuse of specific IaaS services like foundation models.
## Recommendations
- **Key Management:** Implement mandatory rotation policies for all long-lived access keys. Utilize IAM roles with temporary credentials (STS) instead of static keys wherever possible.
- **Secrets Scanning:** Aggressively enforce secrets scanning both pre-commit and continuously in source code repositories (e.g., GitHub).
- **Boundary Monitoring:** Implement enhanced, utilization-based anomaly detection specifically tailored for serverless/AI services (like Bedrock) to flag unusual invocation volumes or patterns that might indicate resource hijacking.
- **Policy Hardening:** Review and tighten permissions related to foundation model access, ensuring that access requires stronger authentication or justification checks beyond standard API calls.
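
A sketch of the pre-commit side of the Secrets Scanning recommendation, added here as an example and not taken from the original report: it walks a unified diff and reports AWS access key IDs that appear on added lines, with the file and new-file line number. The key-ID pattern is the commonly used `AKIA` plus 16 characters form, and the function name, allowlist and sample diff are constructed assumptions.

```python
import re

KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")  # commonly used key-ID pattern
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}  # AWS's documented placeholder key ID

def scan_diff(diff_text):
    """Return (path, line_number, key_id) for each key ID on an added line."""
    hits, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        m = HUNK.match(line)
        if line.startswith("+++ "):
            # New-file header: remember which file the next hunks belong to.
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif m:
            lineno = int(m.group(1)) - 1  # hunk header gives the new-file start line
        elif line.startswith("+"):
            lineno += 1
            for key in KEY_ID.findall(line[1:]):
                if key not in ALLOWLIST:
                    hits.append((path, lineno, key))
        elif not line.startswith(("-", "\\")):
            lineno += 1  # context line advances the new-file counter
    return hits

# Constructed sample diff; the key below is a made-up value, not a real credential.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-KEY = os.environ["AWS_KEY"]
+KEY = "AKIAEXAMPLEKEY000001"
+DOCS = "AKIAIOSFODNN7EXAMPLE"
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    for path, lineno, key in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: AWS access key ID {key[:8]}...")
```

In a pre-commit hook the input would be the output of `git diff --cached`, with a non-empty result blocking the commit.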