Full Report
Discover the latest in LLM hijacking activity, including a dive into the JINX-2401 campaign targeting AWS environments with IAM privilege escalation tactics.
Analysis Summary
# Threat Actor: JINX-2401
## Attribution & Identity
* **Identification:** Threat actor tracked by Wiz Research as JINX-2401.
* **Known Aliases/Groups:** None explicitly mentioned in this context, although the activity (LLM abuse for monetization) is noted as becoming more prevalent based on prior public reporting.
## Activity Summary
JINX-2401 was observed attempting to hijack Amazon Bedrock LLM models across multiple AWS environments for the purpose of unauthorized access and monetization. Initial access was gained via compromised IAM user access keys (AKIA). The actor demonstrated persistence and privilege escalation attempts by creating new IAM users, policies, and associated access keys. The overall goal was to successfully invoke generative AI models, specifically Anthropic Claude models, within the compromised cloud subscriptions. Despite elevated permissions in one instance, attempts to invoke models were ultimately blocked by existing Service Control Policies (SCPs) enforcing restrictions on model access agreements (`CreateFoundationModelAgreement`) and invocation (`InvokeModel`).
## Tactics, Techniques & Procedures
- **Initial Access:** Compromised IAM user access keys (AKIA).
- **Persistence/Escalation:**
  - Creation of new IAM users and access keys using a specific, consistent naming scheme.
  - Creation of custom IAM policies granting Bedrock permissions.
  - Attempting console logins to complete the LLM agreement process, evidenced by the `PutUseCaseForModelAccess` API call.
- **Execution/Action on Objectives:** Attempted to invoke Bedrock models (`InvokeModel` API call) after establishing new credentials.
- **Use of Evasion/Anonymity:** Activity was observed originating from Proton VPN IP addresses.
- **Specific Naming Conventions:**
  - IAM Username Regex: `^[A-Z][a-z]{5}[0-9]{3}$`.
  - IAM Policy Name: `New_Policy`.
  - Custom Policy permissions included Bedrock access rights.
- **User Agents Observed:**
  - `Python/3.12 aiohttp/3.9.1`
  - `Python/3.11 aiohttp/3.9.5`
  - Detailed Boto3/OS user agent string including Python 3.12.0.
- **MITRE ATT&CK IDs:** Not explicitly provided, but the activity aligns closely with techniques related to Cloud Account Takeover and Privilege Escalation within AWS.
## Targeting
- **Sectors:** General cloud environments utilizing AWS Bedrock services.
- **Geography:** Activity detected across multiple identified AWS environments; actor frequently leveraged Proton VPN IPs.
- **Victims:** Multiple, unspecified AWS customer environments where LLM services were deployed or accessible.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but the access suggests reliance on customized or standard Python scripting leveraging Boto3 for AWS interaction.
- **Infrastructure (C2, domains, IPs - defang URLs):**
  - **Source IPs (Proton VPN nodes):**
    - 89.187.170.165, 89.187.170.166, 89.187.170.167, 89.187.170.168, 89.187.170.169, 89.187.170.170, 89.187.170.171, 89.187.170.172, 89.187.170.173, 89.187.170.174, 89.187.170.175, 89.187.170.182, 89.187.170.183, 89.187.170.184, 89.187.170.185, 89.187.170.176, 89.187.170.177, 89.187.170.178, 89.187.170.179, 89.187.170.180, 89.187.170.181, 146.70.230.149
  - **Invoked Models:** `anthropic.claude-3-sonnet-20240229-v1:0`, `anthropic.claude-v2`, `anthropic.claude-3-5-sonnet-20241022-v2:0`, `anthropic.claude-3-5-sonnet-20240620-v1:0`
## Implications
JINX-2401 represents a growing trend of threat actors directly targeting generative AI services hosted in the cloud (LLM jacking) as a new avenue for cloud resource abuse and cost generation. Even when actors gain highly privileged access (Administrator Access), their ability to fully compromise the intended LLM resource can be curtailed by preventative guardrails like SCPs. The actor exhibits notable persistence and standardization in creating credentials, suggesting automated or highly methodical operation targeting specific cloud features.
## Mitigations
1. **Implement Service Control Policies (SCPs):** Restrict and limit access to Bedrock models. If Bedrock is not used, deny access entirely. If used, allow Bedrock access only for specific, necessary IAM principals.
2. **AI Model Inventory:** Inventory all deployed AI models in the environment to check for irregularities (Wiz AI-SPM recommended).
3. **Detection (IAM Activity):** Query CloudTrail logs for the creation of IAM users (`CreateUser`) or policies (`CreatePolicy`) matching the identified naming patterns (`^[A-Z][a-z]{5}[0-9]{3}$` for users, and `New_Policy` for policies).
4. **Detection (LLM Usage):** Monitor for:
   - Unusual principals making repeated `InvokeModel` requests.
   - `InvokeModel` requests returning specific error codes indicative of access checks concerning model agreements.
   - Specific creation of IAM policies named `New_Policy` that grant Bedrock permissions.
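
The detections in mitigations 3 and 4, written as one pass over CloudTrail records. This is an added example, not code from the original report or from Wiz. The threshold, finding labels, the `ev` helper and the sample records are assumptions constructed for illustration, and because the report does not name the error codes, any `errorCode` on `InvokeModel` is counted.

```python
import json
import re
from collections import Counter

USER_RE = re.compile(r"^[A-Z][a-z]{5}[0-9]{3}$")  # IAM username scheme from the report
POLICY_NAME = "New_Policy"                         # IAM policy name from the report
INVOKE_THRESHOLD = 3  # assumption: failed InvokeModel calls per principal before alerting

def grants_bedrock(policy_document):
    """True if an Allow statement in the policy JSON string covers a bedrock action."""
    try:
        stmts = json.loads(policy_document or "{}").get("Statement", [])
    except (ValueError, AttributeError, TypeError):
        return False
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and any(
                a == "*" or a.lower().startswith("bedrock:") for a in actions):
            return True
    return False

def detect(events):  # returns (finding, principal ARN, detail) tuples
    findings, failed = [], Counter()
    for e in events:
        name, params = e.get("eventName"), e.get("requestParameters") or {}
        who = (e.get("userIdentity") or {}).get("arn", "unknown")
        if name == "CreateUser" and USER_RE.fullmatch(params.get("userName") or ""):
            findings.append(("iam_user_pattern", who, params["userName"]))
        elif name == "CreatePolicy" and params.get("policyName") == POLICY_NAME:
            hit = grants_bedrock(params.get("policyDocument"))
            findings.append(("policy_bedrock" if hit else "policy_name", who, POLICY_NAME))
        elif name == "InvokeModel" and e.get("errorCode"):
            failed[who] += 1  # any error counts here; narrow to the codes you observe
    return findings + [("invoke_denied", w, n) for w, n in failed.items()
                       if n >= INVOKE_THRESHOLD]

# Constructed sample records (placeholder account ID and names, not data from the report)
LEAKED = "arn:aws:iam::111122223333:user/ci-deploy"
NEW = "arn:aws:iam::111122223333:user/Qwerty123"
BEDROCK_DOC = '{"Statement": [{"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}]}'
def ev(name, arn, params=None, error=None):  # hypothetical helper: minimal record
    return {"eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params, "errorCode": error}
SAMPLE = [
    ev("CreateUser", LEAKED, {"userName": "Qwerty123"}),
    ev("CreateUser", LEAKED, {"userName": "deploy-bot"}),
    ev("CreatePolicy", LEAKED, {"policyName": "New_Policy", "policyDocument": BEDROCK_DOC}),
] + [ev("InvokeModel", NEW, error="AccessDenied")] * 3
```

`detect(SAMPLE)` returns three findings: the patterned username, the Bedrock-granting `New_Policy`, and the principal with three failed `InvokeModel` calls. A username match alone is a weak signal, so correlate it with the policy and invocation findings before escalating.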