- Researchers discovered OpenWebUI 98 instances that lacked any authentication
- 45 had already been compromised, and 33 showed signs of compromise
- The infected servers were silently running cryptominers and infostealing malware
A malicious campaign targeting the popular OpenWebUI AI interface has been hijacking AI servers to mine cryptocurrency and steal credentials.
This is according to Cybernews researchers who discovered 98 OpenWebUI instances that lacked any authentication protections.
Additionally, over 2,000 servers were left open to user registrations, allowing anyone to create an account and gain access.
Unprotected AI servers distributing malware
OpenWebUI is a popular open-source interface used by many businesses and individuals to interact with large language models (LLMs) and locally hosted models via a web dashboard.
Of the 98 servers that were found to be without authentication, 45 had already been compromised. A further 33 were experiencing configuration conflicts and system errors, while just 11 were functioning normally without any indicators of compromise.
The infected servers were found to be distributing and running malware used for mining cryptocurrency and stealing sensitive credentials. The malware managed to hide itself from detection by repeatedly reversing byte sequences, decoding Base64 data, and decompressing using Zlib until it was able to deliver the payload.
Additionally, the malware included Discord webhooks that would ping the malware developer every time it compromised a new server.
According to the Cybernews researchers, many of the Python scripts found in compromised servers appeared to show evidence of being AI generated, with inconsistent coding styles and varying complexity levels.
In order to protect OpenWebUI instances from compromise, the researchers recommend taking the following steps:
- Ensure that authentication features are enabled and that new signups require administrator approvals.
- Ensure proper instance isolation by utilizing IP whitelisting and set up a proxy that requires additional authentication for the OpenWebUI API until the issue is addressed by OpenWebUI.
- Set up monitoring pipelines to detect unauthorized “Tools” uploads and unauthorized models running on your instance.
