# Attack on Amazon Bedrock-linked AI gateway highlights new cloud security risk

> Source: <https://www.csoonline.com/article/4194984/attack-on-amazon-bedrock-linked-ai-gateway-highlights-new-cloud-security-risk.html>
> Published: 2026-07-09 13:00:00+00:00

A cloud intrusion that ended with the deployment of cryptomining malware has exposed a bigger risk for enterprises: AI gateways that concentrate access to cloud identities, permissions, and foundation models in a single, highly privileged system.

Researchers from cybersecurity firm Darktrace found attackers compromising an AWS EC2 instance acting as a LiteLLM proxy for [Amazon Bedrock](https://www.infoworld.com/article/2335005/amazon-bedrock-generative-ai-service-reaches-ga.html), eventually deploying XMRig cryptomining malware, along with attempts to abuse cloud identities and AI services.

Although the attack ended in cryptomining, researchers said the bigger concern is that AI gateways centralize model access, identities, and cloud privileges, making them valuable targets.

Experts found the attack familiar and consistent with past cloud attack techniques.

“Strip off the AI branding and this is a cloud intrusion pattern we’ve been watching since at least 2018: SSH open to the internet, brute-force attempts, a commodity [XMRig](https://www.csoonline.com/article/2099039/kinsing-crypto-mining-campaign-targets-75-cloud-native-applications.html) miner, and repeated connections to a mining pool,” said [Sean Malone](https://www.linkedin.com/in/seantmalone/), CISO at BeyondTrust. “Even the AI-specific angle, stolen credentials probing Bedrock model access, has had a name since 2024: [LLMjacking](https://www.csoonline.com/article/3535433/llmjacking-how-attackers-use-stolen-aws-credentials-to-enable-llms-and-rack-up-costs-for-victims.html).”

However, Malone agreed with Darktrace researchers on the potential blast radius. “AI gateways concentrate credentials, cloud permissions, and model access into a single choke point, so a routine intrusion lands on a privileged asset,” he explained.

According to Darktrace, the compromised EC2 instance appeared to support [LiteLLM](https://www.csoonline.com/article/4149905/pypi-warns-developers-after-litellm-malware-found-stealing-cloud-and-ci-cd-credentials.html) activity and was associated with an IAM role capable of accessing Amazon Bedrock resources. While researchers could not conclusively determine the initial access vector, they said the attack followed a sequence commonly seen in cloud intrusions.

Before the miner was deployed, the instance had SSH exposed to the internet, with port 22 accessible from anywhere. Darktrace observed a high volume of inbound SSH connection attempts, largely originating from a single external IP address, indicating probable brute-force activity.

Shortly afterward, the host downloaded a ZIP archive containing XMRig cryptomining malware before repeatedly connecting to a known mining pool over HTTPS.

Darktrace stressed that it could not confirm whether the SSH activity directly led to the compromise because host-level logs were unavailable. However, the timing of the SSH exposure, miner download, and subsequent mining-pool communications strongly suggested the EC2 instance had been compromised and repurposed for unauthorized compute activity.

The disclosure also detailed suspicious IAM activity observed separately, a day later, by another AWS identity. Among the unusual actions were a “GetSendQuota” API call from an IP address in Vietnam, attempts to enumerate and invoke Amazon Bedrock foundation models, and an effort to create a new IAM user using a randomly generated username.

This behavior is commonly associated with establishing persistence following credential compromise. However, Darktrace could not link the IAM activity directly to the LiteLLM incident.

[Jason Soroko](https://www.linkedin.com/in/jason-soroko-19b41920/), senior fellow at Sectigo, said the incident’s significance lies less in the cryptominer than in the system that was compromised.

“These gateways are becoming brokers for identity, model access, prompts, logs, and policy,” he noted. “When one is exposed over SSH or backed by broad IAM permissions, it is no longer just another EC2 instance. It is a control point for AI operations.”

To protect against such attacks, Soroko added, security teams should close public admin paths, remove long-term keys where possible, scope IAM permissions, monitor Bedrock and model access patterns, and correlate workload telemetry with control-plane events.

Darktrace said it helped in the timely containment of the attack. “The cryptomining activity was received by Darktrace’s Managed Threat Detection service and reviewed by Darktrace’s SOC,” the researchers said in a blog post shared with CSO ahead of its [publication](https://www.darktrace.com/blog/when-ai-infrastructure-becomes-part-of-the-attack-surface) on Thursday. “Following review, the activity was escalated to the customer. This escalation provided the customer with timely notification of active resource abuse in the AWS environment.”
