AI Gateway Compromise Highlights Persistent Cloud Threat Vectors in Enterprise AI Infrastructure
On June 12, 2026, cybersecurity firm Darktrace uncovered a cryptomining attack targeting an internet-exposed AI gateway, demonstrating how legacy cloud threats are evolving to exploit enterprise AI deployments. The compromised host a misconfigured AWS EC2 instance running LiteLLM-Proxy, an open-source tool for centralizing access to large language models (LLMs) was breached via SSH brute-force attacks, a tactic long used against exposed cloud instances.
The attack unfolded in three stages: initial reconnaissance via automated SSH scanning from the IP 145.241.123[.]102, followed by DNS requests to cryptomining domains, and finally persistent outbound connections to mining infrastructure. Darktrace’s behavioral AI detected the anomalies, preventing further escalation. While the payload was cryptomining a relatively low-impact outcome the incident underscores a far greater risk: AI gateways as high-value targets for lateral movement.
LiteLLM-Proxy, in this case, held privileged access to Amazon Bedrock, AWS’s managed LLM service, along with IAM permissions to invoke model inference APIs at scale. Such gateways aggregate critical access: credentials for foundation models, IAM roles, and visibility into application prompts and responses. An attacker controlling this layer could exfiltrate data, abuse model APIs, or manipulate workflows without needing to compromise downstream systems.
The incident reveals a security posture gap in AI infrastructure deployments. Organizations often treat AI gateways as application-tier components rather than privileged access infrastructure, leaving them vulnerable to the same misconfigurations that have plagued cloud environments for years. Key lapses in this case included:
- Internet-exposed SSH (port 22 open to 0.0.0.0/0), the initial entry point.
- Overly permissive IAM roles, granting broad access to Amazon Bedrock APIs.
- Lack of behavioral monitoring, which delayed detection until cryptomining activity generated network anomalies.
Darktrace’s analysis frames the attack as a near-miss lateral-movement incident. Cryptomining’s noisy network signatures made it detectable, but more sophisticated attackers could exploit the same access for credential theft, model abuse, or data exfiltration activities that may evade traditional monitoring. The incident serves as a warning: AI gateways require hardening equivalent to production identity systems, not the lighter controls applied to standard applications. Without it, the next compromise may not be so conspicuous.
Source: https://www.cybersecurity-insiders.com/ai-gateway-security-cryptomining-iam-risk/
LiteLLM cybersecurity rating report: https://www.rankiteo.com/company/litellm
"id": "LIT1783694475",
"linkid": "litellm",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Enterprise'}],
'attack_vector': 'SSH Brute-Force',
'data_breach': {'sensitivity_of_data': 'Potential access to credentials for '
'foundation models, IAM roles, '
'application prompts, and responses'},
'date_detected': '2026-06-12',
'description': 'On June 12, 2026, cybersecurity firm Darktrace uncovered a '
'cryptomining attack targeting an internet-exposed AI gateway. '
'The compromised host, a misconfigured AWS EC2 instance '
'running LiteLLM-Proxy, was breached via SSH brute-force '
'attacks. The attack unfolded in three stages: initial '
'reconnaissance via automated SSH scanning, DNS requests to '
'cryptomining domains, and persistent outbound connections to '
'mining infrastructure. The incident underscores the risk of '
'AI gateways as high-value targets for lateral movement, given '
'their privileged access to Amazon Bedrock and IAM '
'permissions.',
'impact': {'operational_impact': 'Potential for lateral movement, model '
'abuse, or data exfiltration',
'systems_affected': 'AWS EC2 instance running LiteLLM-Proxy, '
'Amazon Bedrock access'},
'initial_access_broker': {'entry_point': 'SSH brute-force (IP: '
'145.241.123[.]102)',
'high_value_targets': 'AI gateway with access to '
'Amazon Bedrock and IAM '
'permissions'},
'investigation_status': 'Detected and contained',
'lessons_learned': 'AI gateways require hardening equivalent to production '
'identity systems. Key lapses included internet-exposed '
'SSH, overly permissive IAM roles, and lack of behavioral '
'monitoring.',
'motivation': 'Cryptomining, Potential for lateral movement/credential '
'theft/model abuse/data exfiltration',
'post_incident_analysis': {'corrective_actions': 'Restrict SSH access, '
'enforce least-privilege IAM '
'roles, implement behavioral '
'monitoring',
'root_causes': 'Internet-exposed SSH, overly '
'permissive IAM roles, lack of '
'behavioral monitoring'},
'recommendations': 'Harden AI gateways with security controls equivalent to '
'privileged access infrastructure. Implement behavioral '
'monitoring, restrict SSH access, and enforce '
'least-privilege IAM roles.',
'references': [{'source': 'Darktrace'}],
'response': {'containment_measures': 'Behavioral AI detection by Darktrace',
'enhanced_monitoring': 'Behavioral AI monitoring',
'third_party_assistance': 'Darktrace'},
'title': 'AI Gateway Compromise Highlights Persistent Cloud Threat Vectors in '
'Enterprise AI Infrastructure',
'type': 'Cryptomining Attack',
'vulnerability_exploited': 'Internet-exposed SSH (port 22 open to 0.0.0.0/0), '
'Overly permissive IAM roles'}