- Cisco Talos has found hundreds of Ollama servers exposed online that could be abused by all kinds of cybercriminals
- Potential threats include model extraction attacks, jailbreaking and content abuse, and backdoor injection and model poisoning (malware deployment)
- Companies are neglecting basic security practices, Cisco warns
More than 1,100 Ollama servers were found on the public internet, opening the door to all kinds of cybercriminals, experts said.
After a quick search on Shodan, Cisco Talos security researchers found the servers, which are local or remote systems that run large language models without relying on external cloud providers. They allow users to download, manage and run AI models directly on their own hardware or in a private infrastructure. This setup is often used by developers and companies that want more control, confidentiality and lower latency when working with generative AI.
When these servers are exposed to the wider internet, they allow model extraction attacks (attackers reconstructing the model parameters), jailbreaking and content abuse (forcing the LLM to generate restricted or harmful content), and backdoor injection and model poisoning (malware deployment), among others.
Dormant and active servers
Of the 1,100 servers discovered, the majority (about 80%) were “dormant”, meaning they were not running any models and therefore could not be abused for cybercrime.
The remaining 20%, however, “actively host models sensitive to unauthorized access”, as Cisco Talos said. The researchers warned that “their exposed interfaces could still be exploited in attacks involving resource exhaustion, denial of service or lateral movement”.
Most of the exposed servers are in the United States (36.6%), followed by China (22.5%) and Germany (8.9%).
For Cisco Talos, the results “highlight a general neglect of basic security practices such as access control, authentication and network isolation in the deployment of AI systems”.
In many ways, this is no different from misconfigured or exposed databases, which malicious actors can easily access, stealing data for use in phishing or social engineering attacks.
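The access-control and network-isolation failures described above come down to one setting on an Ollama host: which interface the API listens on. The following self-audit helper is an added example, not code from Cisco Talos or the Ollama project; it assumes Ollama's documented `OLLAMA_HOST` variable (`host[:port]`, defaulting to `127.0.0.1:11434` when unset) and the `/api/tags` response shape (`{"models": [...]}`), and the sample responses embedded in it are constructed. It flags a bind address that exposes the API beyond loopback, and classifies a deployment as “dormant” or “active” the way the article does, by whether any models are loaded.

```python
"""Self-audit helper for an Ollama deployment you operate (added example).

Two checks, matching the two risks in the article:
  1. Is the API bound to a non-loopback interface (reachable from the network)?
  2. Are models loaded (an "active" host) or is it "dormant"?
Assumptions: OLLAMA_HOST semantics and the /api/tags JSON shape as documented
by the Ollama project; the sample responses below are constructed.
"""
import json
import os
import urllib.request
from typing import Optional
from urllib.error import URLError

# Constructed sample /api/tags bodies, used so the checks run offline.
SAMPLE_TAGS_ACTIVE = '{"models": [{"name": "llama3:8b", "size": 4661224676}]}'
SAMPLE_TAGS_DORMANT = '{"models": []}'

LOOPBACK_NAMES = {"localhost", "::1"}


def _host_part(value: str) -> str:
    """Extract the host from 'host', 'host:port', '[v6]:port' or 'scheme://host:port'."""
    v = value.strip()
    if "://" in v:
        v = v.split("://", 1)[1]
    v = v.rstrip("/")
    if v.startswith("["):            # bracketed IPv6 literal, e.g. [::]:11434
        return v[1 : v.index("]")]
    if v.count(":") == 1:            # IPv4 or hostname with a port
        return v.split(":", 1)[0]
    return v                         # bare hostname, IPv4, or bare IPv6 such as '::'


def bind_is_public(ollama_host: Optional[str]) -> bool:
    """True when OLLAMA_HOST would make the API listen on a non-loopback interface.

    Unset or empty means Ollama's default (127.0.0.1:11434), which is private.
    A bare ':port' pins no interface, so it is flagged as public (conservative choice
    made by this example, not a statement of Ollama's behaviour).
    """
    if ollama_host is None or not ollama_host.strip():
        return False
    host = _host_part(ollama_host)
    if host == "":
        return True
    if host in LOOPBACK_NAMES or host.startswith("127."):
        return False
    return True


def classify_models(tags_json: str) -> str:
    """Return 'active' if the /api/tags body lists any model, else 'dormant'."""
    body = json.loads(tags_json)
    return "active" if body.get("models") else "dormant"


def probe_local(base_url: str = "http://127.0.0.1:11434", timeout: float = 2.0) -> Optional[str]:
    """Fetch /api/tags from the given Ollama base URL; None if unreachable."""
    try:
        with urllib.request.urlopen(f"{base_url}/api/tags", timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except (URLError, OSError):
        return None


if __name__ == "__main__":
    # Check the bind setting of this host's environment (assumed: OLLAMA_HOST in env).
    setting = os.environ.get("OLLAMA_HOST")
    print(f"OLLAMA_HOST={setting!r} -> {'PUBLIC bind' if bind_is_public(setting) else 'loopback only'}")
    # Check whether the local instance is dormant or active; fall back to samples offline.
    live = probe_local()
    if live is None:
        print("no local Ollama reachable; classifying constructed samples instead")
        for label, sample in (("sample-active", SAMPLE_TAGS_ACTIVE), ("sample-dormant", SAMPLE_TAGS_DORMANT)):
            print(f"{label}: {classify_models(sample)}")
    else:
        print(f"local instance: {classify_models(live)}")
```

A public bind combined with an “active” result is the configuration the researchers found on the roughly 20% of hosts they considered exploitable; the fix is to leave `OLLAMA_HOST` at its loopback default and put any remote access behind an authenticating reverse proxy or a private network.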
Via The Register