Full Report
Threat actors are attempting to monetize their illicit access to LLMs while the cloud account owner bears the costs. The attackers target a variety of LLM services across AWS, Azure, and GCP. In some instances, they employ a script to automate checking the validity of the stol...
Analysis Summary
# Incident Report: LLMjacking via Laravel Exploitation
## Executive Summary
Threat actors are exploiting vulnerabilities, specifically in publicly exposed Laravel instances, to gain initial access and steal cloud credentials. These stolen credentials are then used to hijack usage of large language models (LLMs) hosted across AWS, Azure, and GCP, resulting in unauthorized resource consumption billed to the victim organizations. The actors use automated scripts to validate credentials and target services like Anthropic's Claude models.
## Incident Details
- **Discovery Date:** Not explicitly stated, but analysis was published around May 6, 2024.
- **Incident Date:** Occurred prior to the publication date.
- **Affected Organization:** Various organizations utilizing LLM services on AWS, Azure, and GCP, including at least one where Laravel exploitation was confirmed.
- **Sector:** Unspecified (Broad targeting across cloud users).
- **Geography:** Global (Targeting major public cloud providers).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Exploitation of a vulnerable and publicly exposed instance of Laravel (specifically referencing CVE-2021-3129).
- **Details:** Successful exploitation allowed for the exfiltration of valid cloud credentials belonging to the account owner.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Vector:** Use of stolen cloud credentials.
- **Details:** Attackers used stolen credentials to enumerate permissions across AWS, Azure, and GCP environments, focusing on LLM service access.
### Data Exfiltration/Impact
- **Date/Time:** Following successful access validation.
- **Vector:** Unauthorized LLM usage via API calls.
- **Details:** Attackers leveraged the compromised credentials to access and utilize target LLM services, specifically attempting to access Anthropic's Claude models (v2/v3). They used the `InvokeModel` API to confirm service activation.
### Detection & Response
- **Date/Time:** Unknown. Detection likely occurred through monitoring unusual API usage or unexpectedly high cloud billing related to AI services.
- **Response actions taken:** No specific response actions by the victim organization are detailed, but observation of the technique implies post-incident investigation and analysis occurred.
## Attack Methodology
- **Initial Access:** Exploiting a 1-day vulnerability in Laravel (CVE-2021-3129).
- **Persistence:** Not explicitly detailed, but direct use of stolen long-lived cloud credentials likely negated the need for traditional persistence mechanisms initially.
- **Privilege Escalation:** Enumerating cloud API permissions associated with stolen credentials.
- **Defense Evasion:** Employing a script to automate checking credential validity and permissions *without* running actual queries (likely to stay under monitoring/rate limits). Used OAI Reverse Proxy to hide underlying credentials.
- **Credential Access:** Stolen from the compromised Laravel environment.
- **Discovery:** Cloud API enumeration to identify accessible LLM resources.
- **Lateral Movement:** Moving between cloud environments (AWS, Azure, GCP) using the stolen cloud IAM role/user credentials.
- **Collection:** Identifying target LLM services (e.g., Anthropic Claude).
- **Exfiltration:** Not traditional data exfiltration, but resource monetization via unauthorized usage.
- **Impact:** Unauthorized resource consumption (LLM inference/training).
## Impact Assessment
- **Financial:** The cloud account owner bears the costs of the unauthorized LLM usage (monetization for the threat actor).
- **Data Breach:** Potential exposure of cloud configuration details through API enumeration, but the primary impact is financial resource hijacking, not direct data theft of sensitive PII/PHI.
- **Operational:** Disruption caused by unexpected billing spikes and the need to investigate resource misuse.
- **Reputational:** Potential reputational damage related to poor cloud security posture if the initial Laravel vulnerability was known and unpatched.
## Indicators of Compromise
- **Network indicators (defanged):** No specific IP addresses or domains are reported; the actors fronted their LLM API traffic with an open-source reverse proxy (OAI Reverse Proxy), so requests reach the cloud provider from the proxy rather than from the actor's own infrastructure.
- **File indicators:** None specified.
- **Behavioral indicators:** Automated scripts checking for valid credentials and running `InvokeModel` or similar LLM API calls from unusual geographic/identity sources.
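The two behavioral indicators above can be turned into a concrete check over CloudTrail records. The following is an added example, not code from the report or from any vendor tooling: it assumes CloudTrail-style JSON records in which Amazon Bedrock `InvokeModel` calls carry the model ID in `requestParameters.modelId` (the field layout is an assumption), and the sample events, the allowlisted role and the `laravel-app` user are all constructed for illustration. It flags `InvokeModel` calls from an identity that is not expected to use LLM services, and a burst of failed `InvokeModel` calls across several model IDs from one principal, which is the trace a credential-validation script leaves.

```python
"""
Flag LLMjacking-style activity in CloudTrail records for Amazon Bedrock.

Added example (not from the report). Assumes CloudTrail-style JSON where
InvokeModel calls carry the model ID in requestParameters.modelId (assumed
field layout). Sample events below are constructed, not from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: identities expected to call InvokeModel.
KNOWN_PRINCIPALS = {"arn:aws:iam::111122223333:role/ml-app-role"}

# Constructed sample records. 203.0.113.0/24 is a documentation range; the
# "laravel-app" user stands in for credentials stolen from a web application.
ATTACKER = "arn:aws:iam::111122223333:user/laravel-app"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "InvokeModel",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ml-app-role"},
     "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"modelId": "anthropic.claude-v2"}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventName": "InvokeModel",
     "userIdentity": {"arn": ATTACKER}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"modelId": "anthropic.claude-v2"},
     "errorCode": "ValidationException"},
    {"eventTime": "2024-05-01T10:12:05Z", "eventName": "InvokeModel",
     "userIdentity": {"arn": ATTACKER}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"modelId": "anthropic.claude-3-sonnet-20240229-v1:0"},
     "errorCode": "AccessDeniedException"},
    {"eventTime": "2024-05-01T10:12:10Z", "eventName": "InvokeModel",
     "userIdentity": {"arn": ATTACKER}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"modelId": "anthropic.claude-3-haiku-20240307-v1:0"},
     "errorCode": "ValidationException"},
    {"eventTime": "2024-05-01T10:12:30Z", "eventName": "InvokeModel",
     "userIdentity": {"arn": ATTACKER}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"modelId": "anthropic.claude-v2"}},
]


def _ts(event):
    """Parse the ISO-8601 UTC timestamp CloudTrail emits."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_llmjacking_signals(events, known_principals=KNOWN_PRINCIPALS,
                            window=timedelta(minutes=5), probe_threshold=3):
    """Return a list of findings (dicts keyed by 'signal').

    unrecognized_identity: InvokeModel from a principal outside the allowlist,
        reported once per (principal, source IP) pair.
    model_probing: within `window`, one principal produced failed InvokeModel
        calls against at least `probe_threshold` distinct model IDs, the
        pattern a script leaves when it tests which models a key can reach.
    """
    findings = []
    seen_unknown = set()
    by_principal = defaultdict(list)

    for ev in events:
        if ev.get("eventName") != "InvokeModel":
            continue
        principal = ev["userIdentity"]["arn"]
        by_principal[principal].append(ev)
        key = (principal, ev.get("sourceIPAddress"))
        if principal not in known_principals and key not in seen_unknown:
            seen_unknown.add(key)
            findings.append({"signal": "unrecognized_identity",
                             "principal": principal,
                             "sourceIPAddress": key[1],
                             "eventTime": ev["eventTime"]})

    for principal, evs in by_principal.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            # Sliding window anchored at each event; stop at the first hit so
            # a long-running scan yields a single finding per principal.
            in_window = [e for e in evs[i:] if _ts(e) - _ts(start) <= window]
            failed_models = {e["requestParameters"].get("modelId")
                             for e in in_window if e.get("errorCode")}
            if len(failed_models) >= probe_threshold:
                findings.append({"signal": "model_probing",
                                 "principal": principal,
                                 "models": sorted(failed_models),
                                 "windowStart": start["eventTime"]})
                break
    return findings


if __name__ == "__main__":
    for finding in find_llmjacking_signals(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the legitimate role produces nothing, while the `laravel-app` user triggers both signals: it is outside the allowlist, and its three failed calls against three model IDs within thirty seconds cross the probing threshold before the one successful call that confirms the model is reachable. The thresholds are starting points; tune `window` and `probe_threshold` against the baseline of genuine LLM traffic in the account.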
## Response Actions
- **Containment measures:** Revocation or disabling of keys/credentials linked to the compromised cloud accounts.
- **Eradication steps:** Patching the exploited Laravel/CVE-2021-3129 vulnerability.
- **Recovery actions:** Auditing cloud bills for unauthorized LLM charges and reconciling costs.
## Lessons Learned
- Publicly exposed, vulnerable applications (for example, older or unpatched framework versions) are prime entry points for initial cloud compromise.
- Stolen cloud credentials pose a direct financial threat via monetization opportunities like LLM resource hijacking.
- Attackers are actively using automation to validate credentials against cloud APIs to find vulnerable services rapidly.
## Recommendations
- Immediately patch all known vulnerabilities, especially 1-day or historical vulnerabilities like CVE-2021-3129 in internet-facing applications like Laravel.
- Implement strong Multi-Factor Authentication (MFA) on all cloud control plane accounts.
- Enforce Principle of Least Privilege (PoLP) for all cloud identities, specifically restricting permissions to high-cost services like LLM APIs unless strictly necessary.
- Deploy monitoring and anomaly detection specifically tuned to flag unusual API usage patterns associated with generative AI services (e.g., invocation volume spikes, usage from unrecognized entities).
- Securely manage and rotate cloud credentials obtained from application environments.
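The least-privilege recommendation is easiest to reason about when the policy attached to application credentials can be checked mechanically. The following is an added example, not code from the report: a deliberately simplified evaluator of IAM policy documents (Allow/Deny statements, `Action` and `Resource` with `*` and `?` wildcards, explicit Deny overriding Allow, default deny; `Condition`, `NotAction`, `NotResource` and principals are ignored, so it is a review aid rather than a substitute for the IAM policy simulator). It compares a permissive policy with a least-privilege one and with a web-application policy that explicitly denies Bedrock; all policies, account IDs and bucket names are constructed.

```python
"""
Least-privilege review of IAM policies attached to application credentials.

Added example (not from the report). Simplified IAM evaluation: Allow/Deny,
Action/Resource with * and ? wildcards, explicit Deny wins, default deny.
Condition, NotAction, NotResource and principals are not modelled.
"""
import fnmatch

# Bedrock actions an LLM-hijacking actor needs; these action names exist in IAM.
LLM_ACTIONS = ("bedrock:InvokeModel",
               "bedrock:InvokeModelWithResponseStream",
               "bedrock:ListFoundationModels")

# Constructed policies. WEAK_POLICY is the "admin for convenience" shape that
# turns a stolen application key into LLM access.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Only the one model the workload actually calls, and only InvokeModel.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "bedrock:InvokeModel",
        "Resource": "arn:aws:bedrock:us-east-1::foundation-model/"
                    "anthropic.claude-3-sonnet-20240229-v1:0",
    }],
}

# A web application that has no business with LLM services: narrow allow,
# plus an explicit deny so a later over-broad Allow cannot reopen Bedrock.
WEB_APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Effect": "Deny", "Action": "bedrock:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    # Action names are case-insensitive in IAM; fnmatchcase keeps only the
    # * and ? wildcards (bracket classes never appear in action names).
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are matched case-sensitively.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) against the policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action)
                   for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_resource_matches(p, resource)
                   for p in _as_list(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed


def llm_actions_allowed(policy, model_arn):
    """Which LLM-related actions would a holder of these credentials get?"""
    return {a for a in LLM_ACTIONS if is_allowed(policy, a, model_arn)}


if __name__ == "__main__":
    target = "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-v2"
    for name, pol in [("weak", WEAK_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("web-app", WEB_APP_POLICY)]:
        print(name, sorted(llm_actions_allowed(pol, target)))
```

Run against an application's real policy documents (for example, exported with the IAM API or read from infrastructure-as-code), `llm_actions_allowed` gives a quick answer to the question the incident raises: if this key were stolen from the web tier, could it reach Bedrock at all? For production decisions, confirm the result with the IAM policy simulator, which models the conditions and boundaries this example leaves out.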