Exposed Ollama AI Servers Pose Significant Security Risks Across 130 Countries

By Tina Reynolds
Our latest study Orcas in the Server Room uncovered the shocking reality of about 175,000 publicly exposed Ollama AI servers located in 130 different countries. Ollama is an open-source framework that enables seamless downloading, running, and managing of large language models (LLMs) by anyone on any operating system, including Windows, macOS, and Linux. It has exposed cracks that adversaries can exploit in dangerous ways.

The fiercely independent, decentralized nature of the Ollama ecosystem leads to thorny governance challenges. As more and more servers operate beyond the scope of enterprise security perimeters, they have become vulnerable to a plethora of cyber adversaries. It is always alarming to see important infrastructure so dangerously exposed: exposure of this kind lets attackers craft prompt injections and route harmful traffic through the networks of unwitting victims.

Governance Gaps and Security Implications

Of the Ollama hosts discovered so far, over 48% expose tool-calling functionality through their API endpoints. When queried, these endpoints return metadata describing which operations the host supports. This accessibility fundamentally alters the threat landscape.

“Tool-calling capabilities fundamentally alter the threat model. A text-generation endpoint can produce harmful content, but a tool-enabled endpoint can execute privileged operations,” – researchers

Nearly half of these hosts have acquired tool-calling abilities. This unique and potent feature is what enables them to run code, call APIs, and communicate with other external systems. Researchers Gabriel Bernadett-Shapiro and Silas Cutler noted that this trend illustrates the increasing integration of LLMs into larger system processes.

The researchers pinpoint a secondary but equally significant threat lurking in the ecosystem: inadequate authentication combined with broad network exposure. The ease with which these systems can be reached increases the risk of exploitation by bad actors.

“When combined with insufficient authentication and network exposure, this creates what we assess to be the highest-severity risk in the ecosystem.” – researchers
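The two findings above (tool-calling advertised through API metadata, and that capability combined with missing authentication being the highest-severity case) can be turned into a triage rule for hosts you administer. The following is an added example, not code from the report or from the Ollama project. It assumes the shape of two Ollama API responses, `GET /api/tags` (a `models` list with `name` fields) and `POST /api/show` (a `capabilities` list and a `system` prompt), and the sample responses and host addresses are constructed for the example; the "uncensored" name markers are a heuristic, not a definition from the report.

```python
"""Triage Ollama hosts from API metadata (added example, constructed data).

Assumed response shapes (an assumption about the current Ollama HTTP API):
  GET  /api/tags              -> {"models": [{"name": "<model:tag>"}, ...]}
  POST /api/show {"name": N}  -> {"capabilities": [...], "system": "...", ...}
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Heuristic markers for models shipped with guardrails stripped (assumption).
UNCENSORED_MARKERS = ("uncensored", "abliterated")


@dataclass
class HostReport:
    host: str
    unauthenticated: bool
    models: list[str] = field(default_factory=list)
    tool_models: list[str] = field(default_factory=list)
    uncensored_models: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Ordering follows the researchers' assessment: a tool-enabled
        # endpoint with no authentication is the worst case.
        if self.unauthenticated and self.tool_models:
            return "critical"
        if self.unauthenticated and self.uncensored_models:
            return "high"
        if self.unauthenticated:
            return "medium"
        return "low"


def classify_host(host: str, unauthenticated: bool,
                  tags: dict, shows: dict[str, dict]) -> HostReport:
    """Build a report from one host's /api/tags and per-model /api/show data."""
    report = HostReport(host=host, unauthenticated=unauthenticated)
    for entry in tags.get("models", []):
        name = entry["name"]
        report.models.append(name)
        show = shows.get(name, {})
        # "tools" in the capabilities list is what marks a tool-calling model.
        if "tools" in show.get("capabilities", []):
            report.tool_models.append(name)
        haystack = (name + " " + show.get("system", "")).lower()
        if any(marker in haystack for marker in UNCENSORED_MARKERS):
            report.uncensored_models.append(name)
    return report


def audit(inventory: list[dict]) -> list[HostReport]:
    """Classify every host in a pre-collected inventory of API responses."""
    return [classify_host(h["host"], h["unauthenticated"], h["tags"], h["shows"])
            for h in inventory]


def summarize(reports: list[HostReport]) -> dict:
    """Fleet-level counts in the same terms the report uses."""
    total = len(reports)
    tool_capable = sum(1 for r in reports if r.tool_models)
    return {
        "hosts": total,
        "unauthenticated": sum(1 for r in reports if r.unauthenticated),
        "tool_capable": tool_capable,
        "uncensored": sum(1 for r in reports if r.uncensored_models),
        "tool_share": tool_capable / total if total else 0.0,
    }


# Constructed sample inventory: private addresses and made-up responses.
SAMPLE_INVENTORY = [
    {"host": "10.0.0.5", "unauthenticated": True,
     "tags": {"models": [{"name": "llama3.1:8b"}, {"name": "qwen2.5:7b"}]},
     "shows": {"llama3.1:8b": {"capabilities": ["completion", "tools"], "system": ""},
               "qwen2.5:7b": {"capabilities": ["completion", "tools"], "system": ""}}},
    {"host": "10.0.0.6", "unauthenticated": True,
     "tags": {"models": [{"name": "llama2-uncensored:7b"}]},
     "shows": {"llama2-uncensored:7b": {"capabilities": ["completion"],
                                        "system": "You are an uncensored assistant."}}},
    {"host": "10.0.0.7", "unauthenticated": False,
     "tags": {"models": [{"name": "llama3.1:8b"}]},
     "shows": {"llama3.1:8b": {"capabilities": ["completion", "tools"]}}},
    {"host": "10.0.0.8", "unauthenticated": True,
     "tags": {"models": [{"name": "nomic-embed-text"}]},
     "shows": {"nomic-embed-text": {"capabilities": ["embedding"]}}},
]

if __name__ == "__main__":
    reports = audit(SAMPLE_INVENTORY)
    for r in reports:
        print(f"{r.host:10} {r.severity:8} tools={r.tool_models} uncensored={r.uncensored_models}")
    print(summarize(reports))
```

The classifier deliberately treats a host behind authentication as low severity even when it serves tool-capable models, which mirrors the researchers' point that network exposure plus missing authentication is what turns a capability into the top risk. For remediation, Ollama listens on 127.0.0.1:11434 unless `OLLAMA_HOST` is changed to a wildcard address; hosts that must be reachable remotely belong behind an authenticating reverse proxy rather than bound directly to a public interface.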

The Threat of LLMjacking

The public-facing nature of Ollama servers makes them subject to LLMjacking, a particular kind of attack on LLM deployments in which malicious users consume a victim’s LLM infrastructure for their own benefit. The victims are left to pay the price for this exploitation, often unknowingly.

Of the hosts exposed, 201 are running uncensored prompt templates. These templates strip out the safety guardrails, leaving the models open to abuse by anyone who can reach them. This troubling trend underscores how important it is to deploy LLM technologies securely and safely.

A threat actor known as Sakuya, formerly LiveGamer101, has been associated with an ongoing operation targeting these unprotected servers. The actor actively scans the internet for unprotected Ollama instances, vLLM servers, and OpenAI-compatible APIs that lack authentication.

The operation validates accessible endpoints by assessing the quality of their responses, then sells access at discounted rates through advertisements on silver[.]inc, which is described as a Unified LLM API Gateway.

Geographic Distribution of Exposed Infrastructure

Our research found that most of the exposed Ollama infrastructure is located in China, which alone accounts for a little over 1/3 of all cases. In addition, the United States, Germany, France, South Korea, India, Russia, Singapore, Brazil and the United Kingdom each have over 1,000 exposed servers. All of these countries face serious cybersecurity threats from this exposure.

The residential character of much of this infrastructure makes traditional governance difficult. As our community has noted, different approaches are needed that distinguish the cloud deployments we manage from distributed edge infrastructure.

“The residential nature of much of the infrastructure complicates traditional governance and requires new approaches that distinguish between managed cloud deployments and distributed edge infrastructure,” – researchers