On November 26, 2024, Wiz Threat Research identified JINX-2401, a threat actor attempting to hijack access to hosted LLM models in multiple AWS environments using compromised IAM credentials. The attackers used compromised IAM user access keys to gain initial access, escalate privileges, and establish persistence. Despite their efforts, including operating from high-privilege identities and trying to work around existing controls, their attempts to invoke Amazon Bedrock models were blocked by Service Control Policies (SCPs) restricting Bedrock actions at the organization level. The activity showed distinct naming patterns and repeated attempts against IAM accounts, suggesting a targeted, systematic approach.
JINX-2401 used compromised IAM user access keys (long-term credentials whose key IDs begin with the AKIA prefix) to gain initial access to cloud accounts. Operating from Proton VPN IP addresses, the attacker ran a Python script that attempted to invoke Bedrock models. Their techniques included creating new IAM users with policies granting Bedrock permissions and creating console login profiles for those users so that the model-use agreement could be completed through the console. To establish model access, the attacker called the Bedrock APIs PutUseCaseForModelAccess and CreateFoundationModelAgreement, but these calls were blocked by SCPs. Even after obtaining AdministratorAccess-level permissions in one environment, repeated attempts to invoke models failed, because an SCP restricts what any principal in the account can do regardless of the IAM permissions granted inside it. The campaign exhibited consistent behavioral patterns, including naming conventions for IAM users and policies, which enabled detection across environments.