AI Gateways Emerge as New Attack Surface for Enterprise Network Compromise
Key Takeaways AI gateways, critical components connecting generative AI applications to cloud services like Amazon Bedrock, are emerging as a prime target for attackers. A compromised LiteLLM-Proxy...
Key Takeaways
- AI gateways, critical components connecting generative AI applications to cloud services like Amazon Bedrock, are emerging as a prime target for attackers.
- A compromised LiteLLM-Proxy EC2 instance, functioning as an AI gateway, was observed downloading XMRig cryptomining malware and engaging in suspicious IAM activity.
- The initial compromise likely occurred via an internet-exposed SSH port, highlighting the ongoing risk of basic security misconfigurations in cloud environments.
- Attackers aim to exploit these gateways not only for resource hijacking (cryptomining) but also for potential access to cloud identities, sensitive data, and broader enterprise network compromise.
Organizations are increasingly integrating generative artificial intelligence into their operations, often leveraging cloud services such as Amazon Bedrock. This integration relies on AI gateways, which are rapidly becoming a new, attractive attack surface for threat actors aiming to infiltrate enterprise networks.
Table Of Content
These gateways serve as crucial intermediaries, managing interactions between users, business applications, and large language models. Their central role in routing requests, handling authentication, logging activity, enforcing policy controls, and managing access to foundation models makes them a high-value target.
Cybersecurity firm Darktrace recently uncovered a significant incident involving a compromised Amazon Web Services (AWS) EC2 instance, identified as “LiteLLM-Proxy.” This instance appeared to function as an AI gateway, connected to Amazon Bedrock via an AWS Identity and Access Management (IAM) role. Following the suspected breach, the server was observed downloading XMRig cryptomining malware and subsequently establishing repeated connections to known mining infrastructure.
The compromise of an AI gateway can extend far beyond a single server due to the extensive cloud permissions and service credentials often held by these components. This elevated access means attackers could potentially gain control over cloud identities, sensitive prompts, AI model services, application workflows, and a wide array of connected resources.
Hackers Target AI Gateways
The Darktrace investigation began on June 12, 2026, when the company’s security platform detected active cryptomining activities originating from the LiteLLM-Proxy EC2 instance. A key vulnerability identified was that the host had its SSH port exposed directly to the internet, allowing inbound connections from any IP address.
Darktrace telemetry recorded a high volume of brief SSH connection attempts targeting the instance. Among these attempts was traffic originating from the IP address 145.241.123[.]102. While investigators could not definitively confirm a successful SSH login, the combination of an internet-exposed service and the observed brute-force-like activity strongly suggests SSH as the likely initial access vector.
This incident underscores a persistent threat: internet-facing cloud services remain a frequent target for malicious actors. These attackers consistently seek to exploit vulnerabilities such as weak passwords, exposed credentials, unpatched software, or misconfigured security settings to gain unauthorized access.
Key Attack Stages
The Darktrace analysis revealed a clear sequence of events in the attack lifecycle:
- Internet-Exposed SSH Access: The LiteLLM Proxy AI gateway was found to have its SSH service (port 22) exposed to the public internet, facilitating potential brute-force attacks.
- XMRig Payload Download: The compromised EC2 instance proceeded to download the XMRig cryptomining malware.
- Mining Pool Communication: The infected host established connections to a cryptomining pool over HTTPS.
- Active Cryptomining: Attackers successfully hijacked cloud resources to mine cryptocurrency, a technique mapped to MITRE ATT&CK T1496.
- Suspicious IAM Activity: Unusual AWS Command-Line Interface (CLI) activity was observed, indicating potential credential misuse or attempts to establish persistence.
Prior to the commencement of the cryptomining operations, the affected instance downloaded approximately 10 MB of data via HTTP from the IP address 185.62.1[.]8. This endpoint appeared to host a ZIP archive containing XMRig, an open-source cryptocurrency miner frequently exploited by attackers.
Shortly after the payload download, the server initiated repeated HTTPS connections to pool.hasvault[.]pro, a domain known to be associated with cryptomining infrastructure. While using HTTPS over port 443 might typically blend in with legitimate traffic, Darktrace’s behavioral monitoring capabilities flagged the specific destination, the repetitive connection pattern, and the overall unusual activity as clear indicators of resource hijacking.
Darktrace escalated the incident upon detecting active cryptocurrency mining on the cloud workload. Further investigation the following day uncovered suspicious IAM activity, adding another layer of concern to the compromise.
An IAM user was observed accessing AWS services through the AWS CLI from an IP address located in Vietnam, an anomaly for that particular account. The user attempted various actions, including GetSendQuota, ListFoundationModels, InvokeModel, and CreateUser. The failed Amazon Bedrock commands, specifically ListFoundationModels and InvokeModel, could suggest that the attackers were attempting to discover available models or gain unauthorized access to them.
The attempt to CreateUser was particularly alarming, as it is a common tactic for attackers to establish new cloud accounts to maintain access even if stolen credentials are revoked or changed. While Darktrace could not definitively link this IAM activity directly to the compromised AI gateway, the incident starkly demonstrates the necessity of protecting AI infrastructure with the same rigor applied to any other critical cloud workload.
The following Indicators of Compromise (IOCs) were identified:
| IOC Category | Value |
|---|---|
| Affected Asset | LiteLLM Proxy EC2 Instance |
| Initial Access IP | 145.241.123[.]102 |
| Exposed Service | SSH (Port 22) |
| Payload Hosting IP | 185.62.1[.]8 |
| Malware | XMRig |
| Mining Pool Domain | pool.hasvault[.]pro |
| Suspicious IAM Source IP | 14.176.1[.]47 |
| Suspicious AWS Activity | GetSendQuota, ListFoundationModels, InvokeModel, CreateUser |
| MITRE ATT&CK Techniques | T1133, T1078, T1059, T1136, T1526, T1496 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
As AI gateways consolidate access to vital models and cloud services, they represent increasingly high-impact targets for cybercriminals. Defenders must adopt a comprehensive approach, correlating identity, workload, network, and cloud control-plane activity to detect compromises swiftly, preventing attackers from escalating beyond initial cryptomining into broader enterprise operations.
What You Should Do
- Restrict SSH Access: Ensure SSH access to cloud instances is strictly limited and not exposed to the public internet. Utilize bastion hosts or VPNs for secure remote access.
- Implement Least-Privilege IAM Policies: Apply the principle of least privilege to all IAM roles and users, granting only the necessary permissions for their function.
- Avoid Long-Term Access Keys: Use temporary credentials and rotate access keys frequently to minimize the window of opportunity for attackers.
- Monitor AI Gateway Logs: Regularly review logs from AI gateways for unusual authentication attempts, unauthorized access to models, or suspicious configuration changes.
- Track Unusual Outbound Network Traffic: Implement robust network monitoring to detect unexpected outbound connections, especially to known malicious IPs or cryptomining pools.
- Integrate Behavioral Monitoring: Employ AI-driven behavioral analytics to identify anomalies in cloud workload activity that might indicate compromise, even if individual actions appear benign.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.