Understanding Threats to Large Language Models (LLMs)
In the evolving landscape of cybersecurity, large language models (LLMs) have emerged as a significant target for malicious actors. This article outlines the ongoing reconnaissance campaigns aimed at exposed AI models, emphasizing the need for robust security measures.
Widespread Reconnaissance Campaign
Recent findings have highlighted a concerted effort by threat actors to probe various LLMs, including popular models like OpenAI’s GPT-4 and Google’s Gemini. Researchers from GreyNoise reported over 80,000 enumeration requests originating from two distinct IP addresses. This extensive scanning aims to identify misconfigured proxy servers that might inadvertently expose commercial APIs to unauthorized access.
Notification of Potential Targets
The research team underscored the seriousness of the situation, stating, “If you’re running exposed LLM endpoints, you’re likely already on someone’s list.” This kind of infrastructure mapping usually signifies a prelude to targeted cyberattacks.
Key Targeted Models
The reconnaissance efforts have encompassed a wide array of LLM families, including but not limited to:
- OpenAI: GPT-4 and its variants
- Anthropic: Claude Sonnet, Opus, Haiku
- Meta: Llama 3.x
- DeepSeek: DeepSeek-R1
- Google: Gemini
- Mistral
- Alibaba: Qwen
- xAI: Grok
The campaign, which started on December 28, systematically explored over 73 LLM model endpoints within an 11-day timeframe, employing innocuous test queries to minimize triggering security alerts.
Concerns About Attack Vector Specialization
The reconnaissance was conducted by two IPs known to have histories of exploiting vulnerabilities. These IPs were linked to various past exploits, including:
- CVE-2025-55182: React2Shell vulnerability
- CVE-2023-1389: TP-Link Archer vulnerability
Such a history showcases the professional caliber of the threat actors involved and hints at a broader exploitation strategy underpinning their current activities.
Second Campaign Focusing on SSRF Vulnerabilities
In addition to the reconnaissance on LLMs, a parallel campaign targeting server-side request forgery (SSRF) vulnerabilities has been observed. This technique can force servers to make outbound requests to infrastructure controlled by attackers, potentially leading to data breaches.
Exploitation Techniques
Attackers injected malicious URLs into the model pull functionalities of the honeypot infrastructure, thus redirecting server requests. They also targeted webhook integrations, manipulating parameters to trigger unauthorized outbound connections. The attackers utilized tools like ProjectDiscovery’s Out-of-band Application Security Testing (OAST) to validate successful exploitations.
Recommendations for Securing LLMs
Given the escalating threats to LLMs, organizations are advised to implement robust security measures:
- Limit Model Pulls: Ensure that model pulls from the framework only accept inputs from trusted registries to reduce exposure.
- Implement Egress Filtering: This technique can help prevent SSRF callbacks from reaching attacker-controlled infrastructure.
- Monitor for Enumeration Patterns: Establish alert systems for rapid-fire requests across multiple model endpoints, which may signify attempts to map vulnerabilities.
- Block OAST at DNS: Cutting off callback channels that signal successful exploitation can help mitigate risk.
- Rate Limit Suspicious ASNs: Key ASN identifiers that have been prominent in attack traffic should be monitored closely to preempt further activity.
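As an added illustration of the "Monitor for Enumeration Patterns" recommendation (example code written for this article, not GreyNoise tooling), the detector below flags any source that touches many distinct model names within a short sliding window, which is the signature of the endpoint-mapping behaviour described above. The log format, the IP addresses (RFC 5737 documentation ranges), the model names and the 5-models-in-5-minutes threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log lines (hypothetical format; not real traffic).
SAMPLE_LOG = """\
2025-12-28T10:00:01Z 203.0.113.5 POST /v1/chat/completions model=gpt-4 200
2025-12-28T10:00:02Z 203.0.113.5 POST /v1/chat/completions model=claude-3-opus 200
2025-12-28T10:00:03Z 203.0.113.5 POST /v1/chat/completions model=gemini-pro 404
2025-12-28T10:00:04Z 203.0.113.5 POST /v1/chat/completions model=llama-3.1-70b 200
2025-12-28T10:00:05Z 203.0.113.5 POST /v1/chat/completions model=deepseek-r1 200
2025-12-28T10:00:06Z 203.0.113.5 POST /v1/chat/completions model=mistral-large 200
2025-12-28T10:00:07Z 203.0.113.5 POST /v1/chat/completions model=qwen-2.5 200
2025-12-28T10:00:08Z 203.0.113.5 POST /v1/chat/completions model=grok-2 200
2025-12-28T10:05:00Z 198.51.100.7 POST /v1/chat/completions model=gpt-4 200
2025-12-28T10:06:00Z 198.51.100.7 POST /v1/chat/completions model=gpt-4 200
2025-12-28T11:00:00Z 198.51.100.7 POST /v1/chat/completions model=claude-3-haiku 200
"""

# timestamp, source ip, method, path, model=<name>, status
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ \S+ model=(\S+) \d+$")

def parse(log_text):
    # Yield (timestamp, ip, model) for every well-formed line; skip the rest.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def find_enumerators(log_text, window=timedelta(minutes=5), min_models=5):
    """Return {ip: set_of_models} for sources that queried at least
    min_models distinct model names inside any window-long time span."""
    by_ip = defaultdict(list)
    for ts, ip, model in parse(log_text):
        by_ip[ip].append((ts, model))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            models = {m for _, m in events[start:end + 1]}
            if len(models) > len(best):
                best = models
        if len(best) >= min_models:
            hits[ip] = best
    return hits
```

A source that repeatedly hits one model (ordinary client traffic, like 198.51.100.7 above) is not flagged; only breadth across model names in a short span triggers the alert.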
Conclusion
Monitoring, securing, and adapting in response to the ever-changing cybersecurity landscape is essential for organizations using LLMs. With proactive measures to identify and mitigate threats, companies can safeguard their AI infrastructures against malicious exploits. The complexity of these attacks underscores a pressing need for vigilance and enhanced cybersecurity practices tailored to the unique challenges posed by LLMs.