Hackers have devised a novel technique to exploit AI resources, leveraging publicly accessible AI model servers to fuel their malicious activities. This approach enables attackers to integrate hijacked servers into automated hacking systems, creating a self-sufficient attack mechanism capable of scanning, identifying vulnerabilities, and executing exploits independently.
Emergence of AI-Driven Cyber Attacks
The trend of utilizing stolen cloud credentials to access AI services, termed ‘LLMjacking,’ was first observed in 2024. By 2025, this method had evolved into a global black market dealing in stolen tokens. Financial losses from these activities were estimated to reach $46,000 daily. Recently, researchers at Sysdig uncovered a significant incident involving a misconfigured Ollama model server, used as the core of a sophisticated multi-stage attack tool.
This incident marked a shift from previous LLMjacking cases: the attackers were not merely reselling access but had connected the server to a software pipeline that automated the hacking process. The scale of exposure is concerning, with approximately 175,000 Ollama instances reachable in over 130 countries; because Ollama ships with no authentication enabled by default, each of these is a candidate for the same abuse.
Technical Breakdown of the Attack Framework
The captured attack showcased how threat actors are combining stolen AI infrastructure with autonomous hacking tools. The tool, referred to as VAPT, guides the AI model through a pre-defined sequence of tasks, ensuring a seamless and rapid attack process without human intervention. Key stages include service identification, vulnerability matching, exploit development, and credential extraction.
A notable feature of this framework is its autonomous orchestrator, which manages the attack sequence until it successfully executes commands on the target system. Upon successful compromise, the tool confirms the exploit using specific code markers, allowing it to be reused as a template for future attacks.
Preventative Measures and Indicators of Threat
During the investigation, researchers discovered the use of seven AI models, indicating the tool was initially designed for commercial APIs before being adapted to utilize compromised servers. Testing was conducted against fictional applications and private networks, suggesting the tool is still in the refinement stage.
To mitigate risks, security teams are advised to secure Ollama and similar AI model servers by implementing authentication measures and monitoring for unusual activity. Treating exposed AI inference endpoints with the same caution as databases or admin panels is crucial. Additionally, teams should be aware of indicators of compromise, such as specific IP addresses and code markers, to enhance their defensive strategies.
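As an added, defender-side illustration of the "monitoring for unusual activity" advice (this is not code from the Sysdig research or the Ollama project), the script below parses constructed reverse-proxy access-log lines for an Ollama endpoint and flags three patterns: API calls from outside an assumed internal allowlist, successful model-management calls, and bursts of inference requests from one source. The log format, the allowlist, the thresholds and the sample lines are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (nginx "combined" style) from a reverse proxy in
# front of Ollama. Hypothetical data, not indicators from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "POST /api/chat HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2025:10:00:09 +0000] "POST /api/generate HTTP/1.1" 200 800
203.0.113.7 - - [01/May/2025:10:01:00 +0000] "GET /api/tags HTTP/1.1" 200 311
203.0.113.7 - - [01/May/2025:10:01:02 +0000] "POST /api/generate HTTP/1.1" 200 4096
203.0.113.7 - - [01/May/2025:10:01:03 +0000] "POST /api/generate HTTP/1.1" 200 4096
203.0.113.7 - - [01/May/2025:10:01:04 +0000] "POST /api/generate HTTP/1.1" 200 4096
203.0.113.7 - - [01/May/2025:10:01:05 +0000] "POST /api/pull HTTP/1.1" 200 77
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal callers only
ADMIN_PATHS = ("/api/pull", "/api/delete", "/api/push", "/api/create", "/api/copy")
INFERENCE_PATHS = ("/api/generate", "/api/chat")
BURST_THRESHOLD = 3  # assumption: inference calls per source in the log window

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def find_suspicious(log_text):
    """Return (kind, source_ip, detail) alerts for Ollama API use outside the expected pattern."""
    alerts, seen_external, inference_calls = [], set(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith("/api/"):
            continue
        if not is_allowed(rec["ip"]) and rec["ip"] not in seen_external:
            seen_external.add(rec["ip"])  # one alert per external source
            alerts.append(("external_source", rec["ip"], rec["path"]))
        if rec["path"] in ADMIN_PATHS and rec["status"] < 400:
            alerts.append(("model_management", rec["ip"], rec["path"]))
        if rec["path"] in INFERENCE_PATHS:
            inference_calls[rec["ip"]] += 1
    for ip, n in inference_calls.items():
        if n >= BURST_THRESHOLD:
            alerts.append(("inference_burst", ip, str(n)))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

In production the same checks would run over the proxy's real logs, with the allowlist and threshold tuned to the deployment; a model-management call or an inference burst from an address that should never reach the endpoint is the pattern this article describes.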
The ongoing development of AI-powered hacking tools underscores the need for robust cyber security practices. As these threats evolve, organizations must remain vigilant and proactive in protecting their digital assets.
