{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/ollama/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["high"],"_cs_tags":["ollama","model-exfiltration","data-leakage"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis detection focuses on identifying potential data exfiltration attempts against Ollama, a framework for running large language models locally. The technique involves adversaries repeatedly querying specific API endpoints such as \u003ccode\u003e/api/show\u003c/code\u003e, \u003ccode\u003e/api/tags\u003c/code\u003e, and \u003ccode\u003e/api/v1/models\u003c/code\u003e. These queries are designed to extract sensitive model information including architecture details, fine-tuning parameters, system paths, Modelfile configurations, and any proprietary customizations. The detection logic flags instances where multiple inspection attempts occur within a short 15-minute window, suggesting automated exfiltration activity. Successful exfiltration could lead to competitive intelligence gathering, model replication, or preparation for further attacks against the AI infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system capable of making requests to the Ollama server.\u003c/li\u003e\n\u003cli\u003eThe attacker begins sending HTTP GET requests to the \u003ccode\u003e/api/tags\u003c/code\u003e endpoint to enumerate available models.\u003c/li\u003e\n\u003cli\u003eFor each model identified, the attacker sends HTTP GET requests to the \u003ccode\u003e/api/show\u003c/code\u003e endpoint to retrieve detailed model metadata.\u003c/li\u003e\n\u003cli\u003eThe attacker may also query \u003ccode\u003e/api/v1/models\u003c/code\u003e to gather additional model-related information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON responses to extract sensitive information such as model architecture, system prompts, and custom configurations.\u003c/li\u003e\n\u003cli\u003eThe extracted data is aggregated and prepared for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates exfiltration, potentially using techniques like DNS tunneling, HTTP POST requests to external servers, or cloud storage uploads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated information to replicate the model, gain competitive insights, or identify vulnerabilities in the AI infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of Ollama model metadata can have significant consequences. Competitors could replicate proprietary models, undermining the victim's competitive advantage. Attackers could use the exfiltrated data to identify vulnerabilities in the AI infrastructure, paving the way for more sophisticated attacks. The unauthorized disclosure of sensitive model configurations, system prompts, and internal model specifications can lead to substantial financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eOllama Model Metadata Exfiltration via API\u003c/code\u003e to your SIEM to detect suspicious API access patterns (logsource: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor Ollama server logs for unusually high request rates to \u003ccode\u003e/api/show\u003c/code\u003e, \u003ccode\u003e/api/tags\u003c/code\u003e, and \u003ccode\u003e/api/v1/models\u003c/code\u003e (logsource: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the Ollama API endpoints to prevent automated exfiltration attempts (firewall/WAF configuration).\u003c/li\u003e\n\u003cli\u003eReview and harden access controls to the Ollama server to prevent unauthorized access (Ollama configuration).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:22:00Z","date_published":"2024-05-02T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-ollama-model-exfiltration/","summary":"This brief describes detection of potential data exfiltration attempts targeting Ollama model metadata and configuration endpoints by adversaries repeatedly querying specific API endpoints to extract sensitive model information.","title":"Ollama Model Exfiltration Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-05-ollama-model-exfiltration/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["medium"],"_cs_tags":["ollama","network-connectivity","anomaly"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis threat brief addresses abnormal network activity and connectivity issues detected within Ollama servers. The detection focuses on warning-level network errors, such as DNS lookup failures, TCP connection issues, and host resolution problems, which may indicate unauthorized access attempts, infrastructure reconnaissance, or network-based attacks targeting Ollama deployments. This is particularly important as organizations increasingly rely on local LLMs and need to ensure the integrity and security of these systems. The detection specifically identifies attempts to access the Ollama API from non-localhost addresses, raising concerns about potential unauthorized access or exploitation attempts. It is critical to investigate these anomalies promptly to prevent further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker attempts to access the Ollama API from a non-localhost address, potentially bypassing authentication or authorization mechanisms.\u003c/li\u003e\n\u003cli\u003eThe Ollama server logs a warning-level error related to network connectivity, such as \u0026quot;dial tcp,\u0026quot; \u0026quot;lookup,\u0026quot; or \u0026quot;no such host.\u0026quot;\u003c/li\u003e\n\u003cli\u003eThe attacker's attempts to resolve a hostname used by the Ollama server fails, indicating a DNS lookup issue.\u003c/li\u003e\n\u003cli\u003eA TCP connection to a critical service or component used by Ollama is refused or times out.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish a connection to an unreachable network resource, potentially indicating reconnaissance activity.\u003c/li\u003e\n\u003cli\u003eThe Ollama server logs multiple network-related warnings over a short period, suggesting a sustained attack or exploitation attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the Ollama API or a related service to gain unauthorized access to sensitive data or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully compromises the Ollama server, potentially leading to data exfiltration, service disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of abnormal network connectivity in Ollama can lead to unauthorized access to the LLM, potentially exposing sensitive data used in prompts or model configurations. It can also disrupt the availability of the Ollama service, impacting applications relying on it. The number of victims would depend on the scope of the Ollama deployment. Sectors heavily reliant on local LLMs, such as software development and data analysis, are particularly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect abnormal network connectivity patterns in Ollama server logs (\u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003enetwork_connection\u003c/code\u003e log sources).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on identifying the source of the abnormal network activity and the potential impact on the Ollama server.\u003c/li\u003e\n\u003cli\u003eReview and harden the network configuration of the Ollama server to restrict access to authorized users and applications only.\u003c/li\u003e\n\u003cli\u003eMonitor Ollama server logs for warning-level network errors, such as DNS lookup failures, TCP connection issues, and host resolution problems, as indicated in the \u003ccode\u003esearch\u003c/code\u003e query.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate the Ollama server from other critical systems, limiting the potential impact of a successful compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-ollama-abnormal-network/","summary":"This detection identifies unusual network patterns and connection problems within Ollama, encompassing unauthorized API access attempts beyond localhost and warning-level network errors like DNS lookup failures, TCP connection issues, or host resolution problems, which can signal network-based attacks, unauthorized access, or infrastructure reconnaissance.","title":"Ollama Abnormal Network Connectivity Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-09-ollama-abnormal-network/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama","LM Studio","Textgen"],"_cs_severities":["medium"],"_cs_tags":["genai","exfiltration","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Ollama","LM Studio"],"content_html":"\u003cp\u003eThis detection identifies a suspicious sequence of actions involving GenAI processes. Specifically, it flags instances where a GenAI process (or a child process) performs encoding or chunking operations (such as base64 encoding, gzip compression, or archiving with tar/zip) and is immediately followed by outbound network connections. This behavior suggests that an attacker is preparing data for exfiltration, potentially through manipulated GenAI prompts or agents. The attacker encodes or compresses data to obfuscate its contents and evade traditional detection mechanisms. While legitimate GenAI workflows rarely involve encoding data prior to network communication, attackers may leverage this technique to exfiltrate sensitive information from compromised environments. The rule specifically looks for processes like \u003ccode\u003eollama.exe\u003c/code\u003e, \u003ccode\u003etextgen.exe\u003c/code\u003e, \u003ccode\u003elmstudio.exe\u003c/code\u003e, and others, as well as common encoding utilities like \u003ccode\u003ebase64\u003c/code\u003e, \u003ccode\u003egzip\u003c/code\u003e, and \u003ccode\u003ezip\u003c/code\u003e. The detection logic incorporates command-line analysis to identify encoding activities within PowerShell, Python, and Node.js environments. This activity started being tracked in late 2025 and is relevant for defenders because it shows a specific technique to exfiltrate data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a system with a GenAI application installed (e.g., LM Studio, Ollama).\u003c/li\u003e\n\u003cli\u003eThe attacker uses or manipulates the GenAI application to access sensitive data. This could involve using custom prompts or agents to extract data from local files or databases.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an encoding process using native tools like \u003ccode\u003ebase64\u003c/code\u003e, \u003ccode\u003egzip\u003c/code\u003e, \u003ccode\u003etar\u003c/code\u003e, or \u003ccode\u003ezip\u003c/code\u003e, or scripting languages like PowerShell, Python, or Node.js. This step is intended to obfuscate the data. The command line will contain flags specific to encoding or compression.\u003c/li\u003e\n\u003cli\u003eThe encoding process creates a new file or data stream containing the encoded data.\u003c/li\u003e\n\u003cli\u003eA network connection is established from the system to an external IP address, bypassing local or loopback addresses.\u003c/li\u003e\n\u003cli\u003eThe encoded data is transmitted over the network connection. This could be done via HTTP, FTP, or other protocols.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data on their remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker may then delete the encoded file from the compromised system to further evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack chain can lead to the exfiltration of sensitive data, including intellectual property, customer data, credentials, or other confidential information. This data breach can result in significant financial losses, reputational damage, legal liabilities, and regulatory penalties. The rule targets GenAI applications, which are becoming increasingly prevalent in various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect GenAI processes performing encoding/chunking prior to network activity, and tune it for your specific GenAI environment.\u003c/li\u003e\n\u003cli\u003eInspect process command-line arguments for unexpected use of encoding/chunking utilities (e.g., \u003ccode\u003ebase64\u003c/code\u003e, \u003ccode\u003egzip\u003c/code\u003e, \u003ccode\u003etar\u003c/code\u003e, \u003ccode\u003ezip\u003c/code\u003e) launched from GenAI applications.\u003c/li\u003e\n\u003cli\u003eMonitor outbound network connections from systems running GenAI applications, filtering for connections to unusual or untrusted destinations.\u003c/li\u003e\n\u003cli\u003eImplement network-level detection rules to identify data exfiltration attempts based on traffic patterns, such as large data transfers or connections to known malicious IPs.\u003c/li\u003e\n\u003cli\u003eRegularly review and update GenAI application configurations to ensure they are securely configured and protected against unauthorized access.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by this rule to determine the scope of the potential data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:38Z","date_published":"2024-01-03T18:22:38Z","id":"https://feed.craftedsignal.io/briefs/2024-01-genai-encoding-exfiltration/","summary":"This rule detects GenAI processes performing encoding or chunking (base64, gzip, tar, zip) followed by outbound network activity, indicating data preparation for exfiltration.","title":"GenAI Process Performing Encoding/Chunking Prior to Network Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-genai-encoding-exfiltration/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Claude","Copilot","Cursor","Ollama"],"_cs_severities":["medium"],"_cs_tags":["genai","configuration-modification","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Anthropic","Cursor","GitHub","Ollama"],"content_html":"\u003cp\u003eThis detection identifies suspicious modifications to configuration files associated with Generative AI (GenAI) tools such as Cursor, Claude, Copilot, and Ollama. Attackers may attempt to inject malicious Model Context Protocol (MCP) server configurations into these files. This allows them to hijack AI agents for various malicious purposes, including persistence, establishing command and control (C2) channels, or exfiltrating sensitive data. The attack vectors can include direct modification via malware or compromised scripts, supply chain attacks through tainted dependencies, and prompt injection attacks where the GenAI tool is manipulated into altering its own settings. Successful modification allows unauthorized MCP servers to execute arbitrary commands upon subsequent invocations of the affected AI tool. The timeframe for detection looks back 9 months.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access via malware, compromised scripts, or supply chain vulnerabilities targeting GenAI development environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Discovery:\u003c/strong\u003e The attacker identifies the location of GenAI tool configuration files, such as \u003ccode\u003e.cursor/mcp.json\u003c/code\u003e, \u003ccode\u003e.claude/\u003c/code\u003e, or \u003ccode\u003e.config/github-copilot/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Modification:\u003c/strong\u003e The attacker modifies the configuration file, injecting a malicious MCP server URL or unauthorized plugin configurations. This could be achieved through direct file modification using scripting tools, or via prompt injection techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence via MCP:\u003c/strong\u003e The attacker leverages the injected malicious MCP server for persistence. The GenAI tool will load the attacker's server on next invocation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The injected MCP server establishes a command and control (C2) channel, allowing the attacker to remotely control the compromised AI agent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Code Execution:\u003c/strong\u003e Once the MCP server is running, the attacker executes arbitrary commands or exfiltrates sensitive data via the compromised AI agent. This data can include API keys, proprietary code, or customer data accessible by the GenAI tool.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised GenAI tool as a pivot point to move laterally within the network, accessing other sensitive systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data handled by the GenAI tool, including API keys, source code, and user data. The attacker could also use the compromised AI agent for persistence, allowing them to maintain a foothold within the targeted environment. Successful exploitation could lead to significant data breaches, intellectual property theft, and reputational damage. The rule's description mentions the Cybereason blog on weaponized AI and MCPs, noting it being used for account takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unusual processes modifying GenAI configuration files based on the file paths specified in the \u003ccode\u003efile.path\u003c/code\u003e field of the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the modifying process's origin, parent process tree, and network connections.\u003c/li\u003e\n\u003cli\u003eMonitor file integrity using tools like Sysmon or auditd on the GenAI configuration file paths to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eImplement network-level blocking for any unauthorized MCP server URLs discovered in compromised configuration files.\u003c/li\u003e\n\u003cli\u003eRotate any potentially exposed API keys or credentials that may have been compromised through the GenAI configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-genai-config-modify/","summary":"This rule detects unusual modifications to GenAI tool configuration files, potentially indicating an attacker injecting malicious MCP server configurations to hijack AI agents for persistence, command and control, or data exfiltration.","title":"Unusual Modification of GenAI Tool Configuration File","url":"https://feed.craftedsignal.io/briefs/2024-01-genai-config-modify/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama Server"],"_cs_severities":["critical"],"_cs_tags":["ollama","rce","model-injection"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis brief addresses a critical vulnerability in Ollama servers that could lead to remote code execution (RCE). The threat involves attackers attempting to load malicious models onto the server to execute arbitrary code. This is achieved by exploiting vulnerabilities in the model loading process or by injecting specially crafted models designed to trigger server errors and allow code execution. The detection focuses on identifying unusual error patterns during model loading, such as crashes, failures related to \u0026quot;llama runner,\u0026quot; and model-specific errors. This activity may originate from an external threat actor or a malicious insider attempting to compromise the Ollama server. Successful exploitation allows the attacker to gain full control of the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Ollama server with accessible model loading functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious model or exploits an existing model.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a model loading request to the Ollama server.\u003c/li\u003e\n\u003cli\u003eThe Ollama server attempts to load the model.\u003c/li\u003e\n\u003cli\u003eThe malicious model triggers an error within the llama runner component or the model processing logic.\u003c/li\u003e\n\u003cli\u003eThe error leads to a service crash or code execution due to vulnerabilities in the model loader.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Ollama server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete compromise of the Ollama server. The attacker gains the ability to execute arbitrary code, potentially leading to data exfiltration, denial of service, or further lateral movement within the network. The risk is heightened due to the potential for sensitive data stored or processed by the Ollama server to be exposed or manipulated. The number of victims and specific sectors targeted are unknown, but the impact is potentially widespread given the increasing adoption of Ollama servers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eOllama Possible RCE via Model Loading\u003c/code\u003e Sigma rule to your SIEM to detect suspicious model loading errors on Ollama servers.\u003c/li\u003e\n\u003cli\u003eReview and harden the Ollama server configuration to restrict model loading permissions and validate model integrity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised Ollama server.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of model loading errors and potential RCE attempts based on the Sigma rule output.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-rce/","summary":"The detection identifies potential remote code execution attempts on Ollama servers through malicious model loading by monitoring error messages and failure patterns during model loading operations, which could indicate malicious model injection, path traversal attempts, or exploitation of model loading mechanisms, leading to arbitrary code execution on the server.","title":"Ollama Server Possible RCE via Malicious Model Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["high"],"_cs_tags":["ollama","resource-exhaustion","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis threat brief addresses potential resource exhaustion attacks targeting Ollama servers. Adversaries might attempt to degrade system performance or cause denial of service by overloading the server with excessive memory allocation requests and runner operations. This can be achieved by loading multiple large language models, repeatedly triggering model initialization, or exploiting memory allocation mechanisms. The attack aims to overwhelm CPU/GPU resources and exhaust available memory. Defenders should monitor Ollama server logs for unusual patterns in memory allocation, runner counts, and the frequency of operations. The Splunk search provided by the source content is designed to detect such anomalies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a system capable of interacting with the Ollama server. This could be a compromised host within the network or an external system with network access.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of requests to the Ollama server to load large language models. The attacker may automate these requests to rapidly increase the number of models being loaded.\u003c/li\u003e\n\u003cli\u003eThe Ollama server attempts to allocate memory for each requested model. This process consumes system memory, including RAM and potentially swap space.\u003c/li\u003e\n\u003cli\u003eThe attacker sends requests to repeatedly initialize or re-initialize models, forcing the Ollama server to perform redundant memory allocation operations.\u003c/li\u003e\n\u003cli\u003eThe Ollama server's runner count increases as it attempts to manage the numerous model instances. This puts additional strain on CPU resources.\u003c/li\u003e\n\u003cli\u003eMemory usage on the Ollama server spikes, potentially exceeding available resources.\u003c/li\u003e\n\u003cli\u003eThe server's performance degrades, leading to slow response times or complete unresponsiveness. Legitimate users may experience denial of service.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains the attack until the Ollama server becomes unusable or system administrators intervene.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful resource exhaustion attack on an Ollama server can lead to significant disruption. Victims may experience denial of service, preventing legitimate users from accessing the server's capabilities. Degraded performance can impact the usability of applications relying on the Ollama server. The attack can exhaust system resources, potentially affecting other services running on the same host. The severity depends on the size and configuration of the Ollama server and the scale of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOllama High Memory Allocation\u003c/code\u003e to detect abnormal memory usage by Ollama processes (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOllama Excessive Runner Processes\u003c/code\u003e to detect a large number of Ollama runner processes being created (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eollama_server\u003c/code\u003e logs for spikes in memory allocation and runner counts as described in the Splunk search (data_source: \u003ccode\u003eOllama Server\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eTune the thresholds in the Splunk search provided to suit your environment, focusing on \u003ccode\u003eoperations\u003c/code\u003e, \u003ccode\u003etotal_runners\u003c/code\u003e, \u003ccode\u003emax_memory\u003c/code\u003e, and \u003ccode\u003etotal_memory\u003c/code\u003e (search).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and request validation on the Ollama API to prevent excessive model loading requests (references: \u003ccode\u003ehttps://github.com/rosplk/ta-ollama\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-resource-exhaustion/","summary":"This brief covers a technique to detect resource exhaustion attacks against Ollama servers by monitoring abnormal memory allocation and runner operations, potentially leading to denial of service or performance degradation.","title":"Ollama Resource Exhaustion via Memory Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-resource-exhaustion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["high"],"_cs_tags":["ollama","prompt-injection","jailbreak","ai-security"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting prompt injection and jailbreak attempts targeting Ollama, an open-source framework for running large language models (LLMs) locally. Attackers are increasingly targeting LLMs with crafted prompts designed to bypass safety controls, extract sensitive information, or manipulate model behavior. This is achieved by injecting malicious instructions into user queries, leading to unintended or harmful outputs. The detection identifies suspicious activity against Ollama API endpoints (/api/generate and /v1/chat/completions) by monitoring response times. Requests exceeding 30 seconds, coupled with high request frequency, may indicate a sophisticated jailbreak attempt, multi-stage prompt injection, or extraction of sensitive data from the model. Defenders should be aware of this emerging threat to maintain the integrity and security of their LLM deployments. The provided Sigma rules and recommendations enable proactive monitoring and alerting for these types of attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Ollama instance exposed via API endpoints such as \u003ccode\u003e/api/generate\u003c/code\u003e or \u003ccode\u003e/v1/chat/completions\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt designed to bypass safety filters or extract sensitive information (prompt injection).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted prompt to the Ollama API endpoint via an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe Ollama server processes the complex prompt, leading to extended processing times.\u003c/li\u003e\n\u003cli\u003eThe server logs the request details, including the URI path, source IP, HTTP method, response code, and response time.\u003c/li\u003e\n\u003cli\u003eA successful jailbreak or prompt injection may allow the attacker to extract internal data, manipulate model behavior, or bypass security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process, refining the prompt based on previous responses.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially leverages the compromised Ollama instance for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful prompt injection attacks against Ollama instances can lead to several critical impacts. Attackers may be able to extract sensitive data, manipulate the model to generate harmful or biased content, or bypass security controls designed to prevent misuse. While the specific number of victims is unknown, the increasing adoption of LLMs makes this a significant concern for organizations across various sectors. If successful, these attacks can compromise data confidentiality, integrity, and availability, leading to reputational damage and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOllama Suspicious Long Request\u003c/code\u003e to detect abnormally long response times indicative of prompt injection attempts. Enable Ollama server logging to capture the required data (response times, URI paths, source IPs) and configure Splunk TA-ollama to ingest the logs (sourcetype: \u003ccode\u003eollama:server\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the \u003ccode\u003eOllama Suspicious Long Request\u003c/code\u003e rule, focusing on the source IP address (\u003ccode\u003esrc\u003c/code\u003e) and the requested URI (\u003ccode\u003euri_path\u003c/code\u003e) to understand the nature of the interaction with the Ollama API.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and input validation on Ollama API endpoints to mitigate the risk of prompt injection attacks.\u003c/li\u003e\n\u003cli\u003eRegularly review and update Ollama's safety filters and security configurations to address emerging prompt injection techniques.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003estatus_code\u003c/code\u003e values in the logs for unusual HTTP response codes that might indicate errors or vulnerabilities being exploited during prompt processing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-prompt-injection/","summary":"Detects potential prompt injection and jailbreak attempts against Ollama API endpoints by identifying requests with abnormally long response times, indicative of attackers crafting complex prompts to bypass AI safety controls.","title":"Ollama API Prompt Injection and Jailbreak Attempts","url":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-prompt-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["medium"],"_cs_tags":["ollama","api-reconnaissance","web-application"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis detection focuses on identifying reconnaissance attempts against Ollama servers. The core objective is to pinpoint sources that aggressively probe multiple API endpoints within short time windows. This behavior often signifies a systematic effort to enumerate the API surface, uncover hidden endpoints, or pinpoint potential vulnerabilities before launching targeted attacks. The detection leverages Ollama server logs to track API access patterns. It is crucial for defenders to identify and mitigate such reconnaissance attempts proactively to prevent potential exploitation of Ollama servers. This detection is based on data from the Splunk ES-CU detections, specifically \u003ccode\u003edetections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to an Ollama server.\u003c/li\u003e\n\u003cli\u003eAttacker initiates a series of HTTP requests targeting various API endpoints on the Ollama server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a variety of HTTP methods (e.g., HEAD, GET) to probe the endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the HTTP response codes to map the API surface and identify active endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential vulnerabilities based on endpoint behavior and response patterns.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exploit identified vulnerabilities.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains unauthorized access to Ollama server resources.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or disrupts Ollama services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful API reconnaissance can lead to the discovery of vulnerabilities in Ollama servers, enabling attackers to gain unauthorized access, exfiltrate sensitive data, or disrupt services. While the number of potential victims isn't explicitly stated, organizations using Ollama servers are at risk. The detection focuses on identifying the reconnaissance phase, allowing defenders to interrupt the attack chain before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential Ollama API reconnaissance activity based on excessive requests (\u003ccode\u003etotal_requests \u0026gt; 120\u003c/code\u003e) within a 5-minute window.\u003c/li\u003e\n\u003cli\u003eIngest Ollama logs via Splunk TA-ollama add-on by configuring file monitoring inputs pointed to your Ollama server log directories to enable effective detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the source IP address (\u003ccode\u003esrc\u003c/code\u003e) and the accessed endpoints (\u003ccode\u003edest\u003c/code\u003e) to determine the legitimacy of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-api-recon/","summary":"Detects potential reconnaissance activity against Ollama servers by identifying sources probing multiple API endpoints within short timeframes, indicative of attackers mapping the API surface for vulnerabilities.","title":"Ollama API Endpoint Scan Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-api-recon/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["high"],"_cs_tags":["ollama","availability","denial-of-service","crash"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis detection focuses on identifying abnormal service crashes within Ollama, a tool used for running large language models. The goal is to detect potential exploitation attempts, resource exhaustion attacks, or denial-of-service attacks targeting the Ollama service. The detection analyzes Ollama server logs for error and fatal messages, as well as keywords indicating service termination. An unusually high frequency of crashes or terminations within a short timeframe can indicate malicious activity. The detection logic originates from Splunk ES and is designed to identify anomalies indicative of an attack against Ollama's availability and stability. Defenders should monitor for these patterns to ensure the continuous operation of their AI model deployments and identify potential security breaches. The logic was published on 2026-04-17.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerability in Ollama that can cause a service crash (e.g., through malicious input or resource exhaustion).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted request or input to the Ollama server, exploiting the identified vulnerability.\u003c/li\u003e\n\u003cli\u003eThe Ollama service encounters a fatal error or exception while processing the malicious input.\u003c/li\u003e\n\u003cli\u003eThe Ollama service terminates unexpectedly, generating an ERROR or FATAL log message.\u003c/li\u003e\n\u003cli\u003eThe monitoring system detects the abnormal service termination based on the log data.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to further disrupt the availability of the Ollama service.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access the Ollama service, leading to a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a denial-of-service condition, rendering the Ollama service unavailable to legitimate users. This can disrupt AI model deployments, impact dependent applications, and degrade overall system stability. The detection logic assigns severity based on the frequency of crashes, with high termination counts classified as critical and indicative of resource exhaustion attacks. If successful, the attacker can effectively shut down the AI model serving capabilities of Ollama.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest Ollama server logs and configure the appropriate sourcetype (ollama:server) in your SIEM to enable detection based on log data.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your specific environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the root cause of the service crashes and potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden the Ollama server configuration based on the error messages (e.g., resource limits, input validation) to mitigate potential vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003etermination_count\u003c/code\u003e, \u003ccode\u003eerror_messages\u003c/code\u003e, and \u003ccode\u003eexit_codes\u003c/code\u003e fields in the detection output for patterns indicative of specific attack types.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-service-crash/","summary":"This detection identifies abnormal service crashes, fatal errors, and process terminations in Ollama, potentially indicating exploitation, resource exhaustion, or denial-of-service attacks aimed at disrupting AI model availability and degrading system stability.","title":"Ollama Abnormal Service Crash Availability Attack","url":"https://feed.craftedsignal.io/briefs/2024-01-03-ollama-service-crash/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ollama"],"_cs_severities":["high"],"_cs_tags":["ollama","ddos","rate-limiting","anomaly-detection"],"_cs_type":"advisory","_cs_vendors":["Ollama"],"content_html":"\u003cp\u003eThis brief focuses on detecting potential Distributed Denial of Service (DDoS) attacks or rate limit abuse against Ollama API endpoints. The attack involves flooding the Ollama server with excessive API requests from individual client IP addresses within a short time frame. These attacks aim to exhaust server resources, leading to service degradation or complete unavailability. This behavior is typically associated with automated attacks, botnet activity, or resource exhaustion attempts targeting local AI model infrastructure and can severely impact the availability of Ollama services. Detection relies on analyzing GIN-formatted Ollama server logs to identify clients generating abnormally high request rates. The specific detection logic thresholds need to be tuned based on the environment baselines.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies publicly exposed Ollama API endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker crafts automated scripts or utilizes botnet to send a high volume of API requests.\u003c/li\u003e\n\u003cli\u003eAttacker initiates the attack, flooding the Ollama server with requests from multiple source IPs or a single IP.\u003c/li\u003e\n\u003cli\u003eOllama server logs record each API request, including source IP, timestamp, and endpoint.\u003c/li\u003e\n\u003cli\u003eThe detection logic analyzes the logs, grouping requests by source IP address within a 5-minute window.\u003c/li\u003e\n\u003cli\u003eThe detection identifies source IPs exceeding a predefined request threshold (e.g., 120 requests per 5 minutes).\u003c/li\u003e\n\u003cli\u003eAlert is triggered, indicating a potential DDoS attack or rate limit abuse from the identified source IP.\u003c/li\u003e\n\u003cli\u003eService degradation or unavailability occurs due to resource exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DDoS or rate limit abuse attack against an Ollama server can lead to significant service disruption. This can result in legitimate users being unable to access AI models, impacting critical workflows reliant on Ollama. The specific impact depends on the scale of the attack and the server's resource capacity. In severe cases, the server may become completely unresponsive, leading to a total outage. The attack can also negatively impact the reputation of the organization hosting the Ollama service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOllama Excessive API Requests\u003c/code\u003e to your SIEM and tune the threshold (\u003ccode\u003erequest_count \u0026gt; 120\u003c/code\u003e) based on your environment's baseline traffic to reduce false positives.\u003c/li\u003e\n\u003cli\u003eIngest Ollama logs into your SIEM using the recommended method (Splunk TA-ollama add-on, HTTP Event Collector) to populate the \u003ccode\u003eollama_server\u003c/code\u003e macro referenced in the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule \u003ccode\u003eOllama Excessive API Requests\u003c/code\u003e to identify potentially compromised systems or malicious actors.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and request filtering at the network level to mitigate DDoS attacks and prevent abuse, and block malicious IP addresses identified from the SIEM alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-ollama-ddos/","summary":"This detection identifies potential DDoS attacks or rate limit abuse against Ollama API endpoints by detecting excessive request volumes from individual client IP addresses.","title":"Ollama API DDoS/Rate Limit Abuse Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-02-ollama-ddos/"}],"language":"en","title":"CraftedSignal Threat Feed - Ollama","version":"https://jsonfeed.org/version/1.1"}