CYBER SECURITY

LLMjacking: How attackers use stolen AWS credentials to enable LLMs and rack up costs for victims

Photo of testv testv Send an email 26 mins ago
0 0 1 minute read


The most common API actions called by attackers via compromised credentials earlier this year included InvokeModel, InvokeModelStream, Converse, and ConverseStream. However, attackers were also recently observed using PutFoundationModelEntitlement and PutUseCaseForModelAccess, which are used to enable models, along with ListFoundationModels and GetFoundationModelAvailability, in advance in order to detect which models an account has access to.

This means that organizations that have deployed Bedrock but not activated certain models are not safe. The difference in cost between different models can be substantial. For example, for a Claude 2.x model usage the researchers calculated a potential cost of over $46,000 per day but for models such as Claude 3 Opus the cost could be two to three times higher.

The researchers have seen attackers using Claude 3 to generate and improve the code of a script designed to query the model in the first place. The script is designed to continuously interact with the model, generating responses, monitoring for specific content, and saving the results in text files.

Photo of testv testv Send an email 26 mins ago
0 0 1 minute read
Photo of testv

testv

Related Articles

Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in Middle East

6 hours ago

The Godfather club, and AirTags to the rescue • Graham Cluley

12 hours ago

German police dismantles illegal crypto exchanges

17 hours ago

Europol Shuts Down Major Phishing Scheme Targeting Mobile Phone Credentials

23 hours ago

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button