{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/model-exfiltration/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["high"],"_cs_tags":["ollama","model-exfiltration","data-leakage"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis detection focuses on identifying potential data exfiltration attempts against Ollama, a framework for running large language models locally. The technique involves adversaries repeatedly querying specific API endpoints such as \u003ccode\u003e/api/show\u003c/code\u003e, \u003ccode\u003e/api/tags\u003c/code\u003e, and \u003ccode\u003e/api/v1/models\u003c/code\u003e. These queries are designed to extract sensitive model information including architecture details, fine-tuning parameters, system paths, Modelfile configurations, and any proprietary customizations. The detection logic flags instances where multiple inspection attempts occur within a short 15-minute window, suggesting automated exfiltration activity. Successful exfiltration could lead to competitive intelligence gathering, model replication, or preparation for further attacks against the AI infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system capable of making requests to the Ollama server.\u003c/li\u003e\n\u003cli\u003eThe attacker begins sending HTTP GET requests to the \u003ccode\u003e/api/tags\u003c/code\u003e endpoint to enumerate available models.\u003c/li\u003e\n\u003cli\u003eFor each model identified, the attacker sends HTTP GET requests to the \u003ccode\u003e/api/show\u003c/code\u003e endpoint to retrieve detailed model metadata.\u003c/li\u003e\n\u003cli\u003eThe attacker may also query \u003ccode\u003e/api/v1/models\u003c/code\u003e to gather additional model-related information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON responses to extract sensitive information such as model architecture, system prompts, and custom configurations.\u003c/li\u003e\n\u003cli\u003eThe extracted data is aggregated and prepared for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates exfiltration, potentially using techniques like DNS tunneling, HTTP POST requests to external servers, or cloud storage uploads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated information to replicate the model, gain competitive insights, or identify vulnerabilities in the AI infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of Ollama model metadata can have significant consequences. Competitors could replicate proprietary models, undermining the victim's competitive advantage. Attackers could use the exfiltrated data to identify vulnerabilities in the AI infrastructure, paving the way for more sophisticated attacks. The unauthorized disclosure of sensitive model configurations, system prompts, and internal model specifications can lead to substantial financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eOllama Model Metadata Exfiltration via API\u003c/code\u003e to your SIEM to detect suspicious API access patterns (logsource: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor Ollama server logs for unusually high request rates to \u003ccode\u003e/api/show\u003c/code\u003e, \u003ccode\u003e/api/tags\u003c/code\u003e, and \u003ccode\u003e/api/v1/models\u003c/code\u003e (logsource: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the Ollama API endpoints to prevent automated exfiltration attempts (firewall/WAF configuration).\u003c/li\u003e\n\u003cli\u003eReview and harden access controls to the Ollama server to prevent unauthorized access (Ollama configuration).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:22:00Z","date_published":"2024-05-02T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-ollama-model-exfiltration/","summary":"This brief describes detection of potential data exfiltration attempts targeting Ollama model metadata and configuration endpoints by adversaries repeatedly querying specific API endpoints to extract sensitive model information.","title":"Ollama Model Exfiltration Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-05-ollama-model-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Model-Exfiltration","version":"https://jsonfeed.org/version/1.1"}