A joint investigation by SentinelOne SentinelLABS and Censys found that open-source AI deployment has led to a large “unmanaged, publicly accessible AI compute infrastructure” with 175,000 unique Ollama hosts in 130 countries.
These systems operate outside the usual safety and monitoring measures set by platform providers. According to the researchers, over 30% of these hosts are in China. The other countries with the most exposed infrastructure are the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K.
“Nearly half of observed hosts are configured with tool-calling capabilities that enable them to execute code, access APIs, and interact with external systems, demonstrating the increasing implementation of LLMs into larger system processes,” researchers Gabriel Bernadett-Shapiro and Silas Cutler added.
Ollama is an open-source tool for easily downloading, running, and managing large language models (LLMs) on Windows, macOS, and Linux.
The server listens on the localhost address 127.0.0[.]1:11434 by default, but it is easily exposed by setting the OLLAMA_HOST environment variable to 0.0.0[.]0 or the address of a public interface. Ollama has no built-in authentication, so anything that can reach the port can use it.

Locally hosted tools such as Ollama and Moltbot (previously Clawdbot) raise new security issues because they run outside enterprise defenses. The researchers stress the need for new methods to distinguish managed from unmanaged AI compute.
Over 48% of the observed hosts advertise tool-calling support in the metadata their API endpoints return about the loaded models. Tool calling lets an LLM reach external systems, APIs, and databases, extending what it can do and giving it access to real-time data.
“Tool-calling capabilities fundamentally alter the threat model. A text-generation endpoint can produce harmful content, but a tool-enabled endpoint can execute privileged operations,” the researchers noted. “When combined with insufficient authentication and network exposure, this creates what we assess to be the highest-severity risk in the ecosystem.”
The analysis also found hosts advertising other capabilities, such as reasoning and vision, and 201 hosts running unrestricted prompt templates with no safety measures.
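The two findings above (the bind address that turns a local install into an internet-facing one, and the capability metadata that distinguishes a plain text-generation endpoint from a tool-enabled one) can be turned into a simple triage check a defender can run over their own inventory. The code below is an added example written for this article, not code from SentinelLABS, Censys or the Ollama project. It assumes the OLLAMA_HOST formats Ollama documents ("host", "host:port" or "scheme://host:port", empty meaning the 127.0.0.1:11434 default), that a bare ":port" value listens on every interface as Go's listener does, and that the model metadata carries the `capabilities` list recent Ollama versions return from /api/show (older builds omit it). The `authenticated` flag, the severity labels and the inventory entries are all constructed for the example; Ollama itself has no authentication, so the flag stands for a proxy or gateway in front of the port.

```python
"""Rate Ollama hosts by network exposure and advertised capabilities.

Added example, not SentinelLABS, Censys or Ollama code. Bind-address parsing
follows the OLLAMA_HOST value formats; the "capabilities" field is what recent
Ollama versions return from /api/show. Inventory entries are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def bind_host(ollama_host: str) -> str:
    """Return the host part Ollama would bind to for a given OLLAMA_HOST value."""
    value = ollama_host.strip() or "127.0.0.1:11434"  # unset/empty -> Ollama's default
    if "://" not in value:
        value = "http://" + value                     # urlsplit needs a scheme
    # .hostname strips IPv6 brackets and lowercases; it is None for ":11434"
    return urlsplit(value).hostname or ""


def bind_is_public(ollama_host: str) -> bool:
    """True when the bind address accepts connections from other machines."""
    host = bind_host(ollama_host)
    if host == "":
        return True       # assumption: ":port" means every interface, as in Go's net.Listen
    if host == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True       # some other hostname: cannot resolve offline, assume non-loopback
    return ip.is_unspecified or not ip.is_loopback


# /api/show "capabilities" names -> the wording used in the report
CAPABILITY_LABELS = {"tools": "tool-calling", "vision": "vision", "thinking": "reasoning"}


def model_capabilities(show_response: dict) -> set[str]:
    """Map one /api/show response to capability labels; empty if the field is absent."""
    caps = show_response.get("capabilities")
    if caps is None:      # older Ollama builds omit the field: treat as unknown
        return set()
    return {CAPABILITY_LABELS[c] for c in caps if c in CAPABILITY_LABELS}


def rate_host(ollama_host: str, models: list[dict], authenticated: bool) -> str:
    """Severity in the order the researchers describe: tool calling plus no
    authentication plus network exposure is the worst case. `authenticated`
    (a constructed flag) means something in front of the port demands credentials."""
    if not bind_is_public(ollama_host):
        return "low"
    tools = any("tool-calling" in model_capabilities(m) for m in models)
    if tools and not authenticated:
        return "critical"
    if tools:
        return "high"
    if not authenticated:
        return "medium"   # reachable text generation: free compute for an LLMjacker
    return "low"


# Constructed inventory, the kind of list a defender would build from their own scans.
INVENTORY = [
    {"name": "dev-box", "ollama_host": "", "authenticated": False,
     "models": [{"capabilities": ["completion"]}]},
    {"name": "gpu-node-1", "ollama_host": "0.0.0.0", "authenticated": False,
     "models": [{"capabilities": ["completion", "tools"]},
                {"capabilities": ["completion", "vision"]}]},
    {"name": "gpu-node-2", "ollama_host": "http://[::]:11434", "authenticated": True,
     "models": [{"capabilities": ["completion", "tools", "thinking"]}]},
    {"name": "legacy", "ollama_host": "192.0.2.10:11434", "authenticated": False,
     "models": [{}]},     # old build: no capabilities field at all
]


def summarize(inventory: list[dict]) -> dict:
    """Per-host severity plus the share of exposed hosts that advertise tool calling."""
    ratings = {h["name"]: rate_host(h["ollama_host"], h["models"], h["authenticated"])
               for h in inventory}
    exposed = [h for h in inventory if bind_is_public(h["ollama_host"])]
    tool_enabled = [h for h in exposed
                    if any("tool-calling" in model_capabilities(m) for m in h["models"])]
    share = len(tool_enabled) / len(exposed) if exposed else 0.0
    return {"ratings": ratings, "exposed": len(exposed), "tool_enabled_share": share}


if __name__ == "__main__":
    for name, rating in summarize(INVENTORY)["ratings"].items():
        print(f"{name:12s} {rating}")
```

The point of the `rate_host` ordering is the one the researchers make: a loopback-only instance is low severity whatever models it serves, while the same tool-enabled model behind 0.0.0[.]0 with nothing demanding credentials is the worst case. The fix is the inverse of the check: leave OLLAMA_HOST unset, and if remote access is needed, put an authenticating proxy in front of the loopback port rather than changing the bind address.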
These systems are vulnerable to LLMjacking, in which attackers consume a victim's LLM resources and leave the victim to pay for the compute. The hijacked capacity can be used to generate spam emails, spread misinformation, mine cryptocurrency on the GPU, or be resold to other criminals.
A recent Pillar Security report reveals that threat actors are actively exploiting exposed LLM service endpoints in a campaign called Operation Bizarre Bazaar to monetize AI infrastructure.
The findings point to a three-stage criminal operation: scanning the internet for unauthenticated Ollama instances, vLLM servers and other OpenAI-compatible APIs; testing the quality of their responses; and reselling access at a discount through a service advertised on silver[.]inc as a "Unified LLM API Gateway."
“This end-to-end operation – from reconnaissance to commercial resale – represents the first documented LLMjacking marketplace with complete attribution,” researchers Eilon Cohen and Ariel Fogel said. The operation has been traced to a threat actor named Hecker (aka Sakuya and LiveGamer101).
Because the Ollama ecosystem is decentralized, spanning both cloud and residential networks, it is hard to govern, and hijacked hosts let attackers route malicious traffic through victims' networks.
“The residential nature of much of the infrastructure complicates traditional governance and requires new approaches that distinguish between managed cloud deployments and distributed edge infrastructure,” the companies said. “For defenders, the key takeaway is that LLMs are increasingly deployed to the edge to translate instructions into actions. As such, they must be treated with the same authentication, monitoring, and network controls as other externally accessible infrastructure.”
InfoSecBulletin Cybersecurity for mankind
