Google has addressed a series of security vulnerabilities in its Vertex AI platform after researchers from Palo Alto Networks' Unit 42 demonstrated how attackers could weaponize AI agents to steal data and execute unauthorized code. The findings, disclosed to Google on December 1, 2023, were publicly detailed on May 22, 2024, after Google implemented fixes.
The research introduces a novel attack vector termed "AI Agent Weaponization," which focuses on exploiting the underlying cloud infrastructure of AI platforms rather than manipulating the AI models directly. According to the Unit 42 report, the flaws could have allowed an attacker to achieve data theft, unauthorized code execution, and resource abuse within a victim's Google Cloud environment.
The researchers identified several distinct pathways for exploitation across the Vertex AI suite. In one scenario, weak isolation between users in the Vertex AI Workbench could allow a low-privileged user to escape their environment and gain access to the underlying virtual machine, enabling credential theft and lateral movement. Another vector involved embedding malicious code into a custom training script. This script could then break out of its intended container to access the cloud project’s metadata server and exfiltrate sensitive data or abuse compute resources for activities like cryptomining.
A third issue involved a misconfiguration in the Vertex AI Model Garden that could have permitted unauthorized access to internal Google models, posing a risk of intellectual property theft.
In a statement, Google confirmed it had addressed the vulnerabilities and found no evidence that they were exploited against customers. The company noted that such security issues are an industry-wide challenge as AI platforms become more complex. The research serves as a critical reminder that securing the infrastructure hosting AI systems is as important as securing the models themselves.