{"id":8700,"date":"2026-07-09T13:00:00","date_gmt":"2026-07-09T13:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8700"},"modified":"2026-07-09T13:00:00","modified_gmt":"2026-07-09T13:00:00","slug":"attack-on-amazon-bedrock-linked-ai-gateway-highlights-new-cloud-security-risk","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8700","title":{"rendered":"Attack on Amazon Bedrock-linked AI gateway highlights new cloud security risk"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A cloud intrusion that ended with the deployment of cryptomining malware has exposed a bigger risk for enterprises: AI gateways that concentrate access to cloud identities, permissions, and foundation models in a single, highly privileged system.<\/p>\n<p>Researchers from cybersecurity firm Darktrace found attackers compromising an AWS EC2 instance acting as a LiteLLM proxy for <a href=\"https:\/\/www.infoworld.com\/article\/2335005\/amazon-bedrock-generative-ai-service-reaches-ga.html\">Amazon Bedrock<\/a>, eventually deploying XMRig cryptomining malware, along with attempts to abuse cloud identities and AI services.<\/p>\n<p>Although the attack ended in cryptomining, researchers said the bigger concern is that AI gateways centralize model access, identities, and cloud privileges, making them valuable targets.<\/p>\n<p>Experts found the attack familiar and consistent with past cloud attack techniques.<\/p>\n<p>\u201cStrip off the AI branding and this is a cloud intrusion pattern we\u2019ve been watching since at least 2018: SSH open to the internet, brute-force attempts, a commodity <a href=\"https:\/\/www.csoonline.com\/article\/2099039\/kinsing-crypto-mining-campaign-targets-75-cloud-native-applications.html\">XMRig<\/a> miner, and repeated connections to a mining pool,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/seantmalone\/\" target=\"_blank\" rel=\"noopener\">Sean Malone<\/a>, CISO at BeyondTrust. \u201cEven the AI-specific angle, stolen credentials probing Bedrock model access, has had a name since 2024: <a href=\"https:\/\/www.csoonline.com\/article\/3535433\/llmjacking-how-attackers-use-stolen-aws-credentials-to-enable-llms-and-rack-up-costs-for-victims.html\">LLMjacking<\/a>.\u201d<\/p>\n<p>However, Malone agreed with Darktrace researchers on the potential blast radius. \u201cAI gateways concentrate credentials, cloud permissions, and model access into a single choke point, so a routine intrusion lands on a privileged asset,\u201d he explained.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The attack followed a known pattern<\/h2>\n<p>According to Darktrace, the compromised EC2 instance appeared to support <a href=\"https:\/\/www.csoonline.com\/article\/4149905\/pypi-warns-developers-after-litellm-malware-found-stealing-cloud-and-ci-cd-credentials.html\">LiteLLM<\/a> activity and was associated with an IAM role capable of accessing Amazon Bedrock resources. While researchers could not conclusively determine the initial access vector, they said the attack followed a sequence commonly seen in cloud intrusions.<\/p>\n<p>Before the miner was deployed, the instance had SSH exposed to the internet, with port 22 accessible from anywhere. Darktrace observed a high volume of inbound SSH connection attempts, largely originating from a single external IP address, indicating probable brute-force activity.<\/p>\n<p>Shortly afterward, the host downloaded a ZIP archive containing XMRig cryptomining malware before repeatedly connecting to a known mining pool over HTTPS.<\/p>\n<p>Darktrace stressed that it could not confirm whether the SSH activity directly led to the compromise because host-level logs were unavailable. However, the timing of the SSH exposure, miner download, and subsequent mining-pool communications strongly suggested the EC2 instance had been compromised and repurposed for unauthorized compute activity.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Compromised AI gateways are a big deal<\/h2>\n<p>The disclosure also detailed suspicious IAM activity observed separately, a day later, by another AWS identity. Among the unusual actions were a \u201cGetSendQuota\u201d API call from an IP address in Vietnam, attempts to enumerate and invoke Amazon Bedrock foundation models, and an effort to create a new IAM user using a randomly generated username.<\/p>\n<p>This behavior is commonly associated with establishing persistence following credential compromise. However, Darktrace could not link the IAM activity directly to the LiteLLM incident.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/jason-soroko-19b41920\/\" target=\"_blank\" rel=\"noopener\">Jason Soroko<\/a>, senior fellow at Sectigo, said the incident\u2019s significance lies less in the cryptominer than in the system that was compromised.<\/p>\n<p>\u201cThese gateways are becoming brokers for identity, model access, prompts, logs, and policy,\u201d he noted. \u201cWhen one is exposed over SSH or backed by broad IAM permissions, it is no longer just another EC2 instance. It is a control point for AI operations.\u201d<\/p>\n<p>To protect against such attacks, Soroko added, security teams should close public admin paths, remove long-term keys where possible, scope IAM permissions, monitor Bedrock and model access patterns, and correlate workload telemetry with control-plane events. <\/p>\n<p>Darktrace said it helped in the timely containment of the attack. \u201cThe cryptomining activity was received by Darktrace\u2019s Managed Threat Detection service and reviewed by Darktrace\u2019s SOC,\u201d the researchers said in a blog post shared with CSO ahead of its <a href=\"https:\/\/www.darktrace.com\/blog\/when-ai-infrastructure-becomes-part-of-the-attack-surface\" target=\"_blank\" rel=\"noopener\">publication<\/a> on Thursday. \u201cFollowing review, the activity was escalated to the customer. This escalation provided the customer with timely notification of active resource abuse in the AWS environment.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A cloud intrusion that ended with the deployment of cryptomining malware has exposed a bigger risk for enterprises: AI gateways that concentrate access to cloud identities, permissions, and foundation models in a single, highly privileged system. Researchers from cybersecurity firm Darktrace found attackers compromising an AWS EC2 instance acting as a LiteLLM proxy for Amazon [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8701,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8700"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8700"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8700\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8701"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}