- Cisco Talos found hundreds of Ollama servers that can be abused for all sorts of cybercrime
- Potential threats include model extraction attacks, jailbreaking and content abuse, or backdoor injection and model poisoning (deploying malware)
- Businesses are neglecting fundamental security practices, Cisco warned
More than 1,100 Ollama servers were found exposed on the public internet, opening the doors to all sorts of cybercrime, experts have claimed.
After a quick Shodan search, security researchers Cisco Talos found the servers, which are either local or remote systems that run large language models without relying on external cloud providers. They allow users to download, manage, and run AI models directly on their own hardware or in private infrastructure. This setup is often used by developers and businesses that want more control, privacy, and lower latency when working with generative AI.
When these servers are exposed to the wider internet, they enable model extraction attacks (attackers reconstructing model parameters), jailbreaking and content abuse (forcing LLMs to generate restricted or harmful content), or backdoor injection and model poisoning (deploying malware), among other things.
Dormant and active servers
Out of the 1,100 servers that were discovered, the majority (around 80%) were “dormant” – meaning they weren’t running any models and thus could not be abused in cybercrime.
The remaining 20%, however, are “actively hosting models susceptible to unauthorized access”, as Cisco Talos put it. The researchers warned how “their exposed interfaces could still be leveraged in attacks involving resource exhaustion, denial of service, or lateral movement.”
Most of the exposed servers are found in the United States (36.6%), followed by China (22.5%), and Germany (8.9%).
For Cisco Talos, the findings “highlight a widespread neglect of fundamental security practices such as access control, authentication, and network isolation in the deployment of AI systems.”
In many ways, this is not unlike misconfigured or exposed databases, which malicious actors can easily access, stealing data to use in phishing or social engineering attacks.
Via The Register