The Point: AI gateways as central access points to cloud identities and models are becoming preferred targets, as a successful attack immediately grants access to privileged systems.
Researchers from Darktrace documented an attack in which criminals compromised an AWS EC2 instance running LiteLLM-Proxy for Amazon Bedrock and installed XMRig cryptomining malware. The incident illustrates a more systemic problem: AI gateways concentrate identities, cloud permissions, and model access in a single highly privileged system.
The attack followed a known cloud intrusion pattern: the EC2 instance had SSH publicly exposed on port 22. Darktrace observed high volumes of incoming SSH connection attempts, mostly originating from a single external IP address, indicating brute-force activity. Subsequently, a ZIP archive containing XMRig malware was downloaded and repeated connections were established to a mining pool. The instance’s IAM role was configured to access Amazon Bedrock resources. Darktrace could not fully establish the initial compromise because host-level logs were unavailable; however, the timeline of SSH exposure, malware download, and mining connections strongly suggests a compromise.
One day later, Darktrace detected suspicious IAM activity from a different AWS identity: a “GetSendQuota” API call from an IP address in Vietnam, enumeration attempts of Amazon Bedrock models, and an attempt to create a new IAM user with a randomly generated name. These patterns are typical for establishing persistence after credential compromise. However, Darktrace could not establish a direct connection between these IAM activities and the LiteLLM incident.
Sean Malone, CISO at BeyondTrust, contextualizes the incident: “Without the AI branding, this is a cloud intrusion pattern we have observed since at least 2018: SSH open to the internet, brute-force attempts, XMRig miners, and repeated connections to mining pools. The AI-specific aspect—stolen credentials for Bedrock access—has had a name since 2024: LLMjacking.” However, Malone confirms the assessment of blast radius: “AI gateways concentrate credentials, cloud permissions, and model access at a single choke point, so a routine intrusion lands on a privileged asset.”
Jason Soroko, Senior Fellow at Sectigo, emphasizes the structural significance: “These gateways become intermediaries for identity, model access, prompts, logs, and policy. When they are exposed over SSH or configured with broad IAM permissions, they are no longer an arbitrary EC2 instance but a control point for AI operations.” Soroko recommends the following measures: close public admin paths, eliminate long-term keys, restrict IAM permissions, monitor Bedrock and model access patterns, and correlate workload telemetry with control-plane events.
Source: www.csoonline.com · Published July 9, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.