LLMJacking in the Wild: How Threat Actors Exploit AI Using Compromised AWS NHIs


Our latest research at Entro Security demonstrates the alarming speed at which threat actors capitalize on exposed NHIs to abuse LLMs like DeepSeek, Claude, and GPT.

Read the full research:

LLMjacking in the Wild: How Attackers Recon and Abuse GenAI with AWS NHIs

You Should Know:

1. Monitor AWS Keys:

Use the following AWS CLI command to list and monitor access keys:

aws iam list-access-keys --user-name <username> 

2. Check CloudTrail Logs:

Investigate suspicious activity using CloudTrail; the lookup below returns console sign-in events:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin 

3. Revoke Compromised Keys:

Immediately deactivate compromised AWS keys by setting their status to Inactive:

aws iam update-access-key --access-key-id <key-id> --status Inactive --user-name <username> 

4. Enforce MFA:

Ensure Multi-Factor Authentication (MFA) is enabled for all IAM users; the command below enables an MFA device for one user:

aws iam enable-mfa-device --user-name <username> --serial-number <mfa-serial> --authentication-code1 <code1> --authentication-code2 <code2> 

5. Scan for Exposed Keys:

Use tools like `truffleHog` to scan repositories for exposed keys (the flags below are those of the older Python release of truffleHog):

trufflehog --regex --entropy=False <repository-url> 

6. Limit Permissions:

Apply the principle of least privilege using IAM policies:

aws iam put-user-policy --user-name <username> --policy-name <policy-name> --policy-document file://policy.json 

7. Detect Reconnaissance Activity:

Use AWS GuardDuty to detect reconnaissance attempts:

aws guardduty list-findings --detector-id <detector-id> 
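
An added example for steps 2 and 7, not taken from the original post or the research it cites: it groups the JSON output of `aws cloudtrail lookup-events` by access key and flags keys showing repeated denied calls, GenAI service calls from a key not approved for them, or use from several source IPs. It assumes Amazon Bedrock is the GenAI service in question; the function names, thresholds and everything in `SAMPLE` (key ids, IPs, events) are constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: Amazon Bedrock is the GenAI service to watch; extend the set as needed.
GENAI_SOURCES = {"bedrock.amazonaws.com"}
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def triage(lookup_output, genai_allowed=frozenset(), denied_threshold=3):
    """Group `aws cloudtrail lookup-events` JSON by access key; return {key_id: [reasons]}."""
    stats = defaultdict(lambda: {"denied": 0, "genai": 0, "ips": set()})
    for ev in lookup_output.get("Events", []):
        key_id = ev.get("AccessKeyId")
        if not key_id:  # console sign-ins, for example, carry no access key
            continue
        # CloudTrailEvent holds the full record serialised as a JSON string.
        detail = json.loads(ev.get("CloudTrailEvent") or "{}")
        s = stats[key_id]
        s["denied"] += detail.get("errorCode") in DENIED_CODES
        s["genai"] += ev.get("EventSource") in GENAI_SOURCES
        if detail.get("sourceIPAddress"):
            s["ips"].add(detail["sourceIPAddress"])
    flagged = {}
    for key_id, s in stats.items():
        reasons = []
        if s["denied"] >= denied_threshold:
            reasons.append(f"{s['denied']} denied calls")
        if s["genai"] and key_id not in genai_allowed:
            reasons.append(f"{s['genai']} GenAI calls from a key not approved for them")
        if len(s["ips"]) > 1:
            reasons.append(f"{len(s['ips'])} source IPs")
        if reasons:
            flagged[key_id] = reasons
    return flagged

# Constructed sample data in lookup-events shape: placeholder key ids, documentation-range IPs.
def _event(key_id, name, source, ip, error=None):
    record = {"sourceIPAddress": ip, **({"errorCode": error} if error else {})}
    return {"AccessKeyId": key_id, "EventName": name, "EventSource": source,
            "CloudTrailEvent": json.dumps(record)}
SAMPLE = {"Events": [
    _event("AKIAEXAMPLEAPPKEY001", "ListBuckets", "s3.amazonaws.com", "192.0.2.10"),
    _event("AKIAEXAMPLELEAKED002", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.7"),
    _event("AKIAEXAMPLELEAKED002", "ListFoundationModels", "bedrock.amazonaws.com", "198.51.100.7", "AccessDenied"),
    _event("AKIAEXAMPLELEAKED002", "InvokeModel", "bedrock.amazonaws.com", "203.0.113.44", "AccessDenied"),
    _event("AKIAEXAMPLELEAKED002", "InvokeModel", "bedrock.amazonaws.com", "203.0.113.44", "AccessDenied"),
]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

To run it on real data, save the lookup output as JSON and pass the parsed document to `triage`, listing in `genai_allowed` the keys that legitimately call the GenAI service.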

What Undercode Say:

The exploitation of exposed AWS NHIs for malicious AI activity is a pressing concern. Threat actors are quick to identify and abuse compromised keys, emphasizing the need for robust security measures. Regularly monitor and audit your AWS environment, enforce strict access controls, and leverage tools like CloudTrail and GuardDuty to detect and mitigate threats. Securing your cloud infrastructure is not optional—it’s a necessity in today’s threat landscape.


References:

Reported By: Peleg4711 LLMjacking – Hackers Feeds