Cryptomining Attack Exploits AI Gateway Vulnerabilities in AWS

Cryptomining Attack Exploits AI Gateway Vulnerabilities in AWS

First seen 9 Jul 2026, 14:11 UTC CsoonlineDarkreading 85% similarity 67.5

Article Content

Browse articles
ThreatCluster

A recent cyber incident involved attackers compromising an AWS EC2 instance acting as an AI gateway for Amazon Bedrock, leading to the deployment of XMRig cryptomining malware. Researchers from Darktrace identified that the attackers gained access through brute-force login attempts on an exposed SSH port. The compromised instance was linked to an IAM role with significant permissions, raising concerns about potential data access and model manipulation. Although the immediate outcome was cryptomining, experts warn that AI gateways centralize access to sensitive identities and resources, making them attractive targets for more severe attacks. The incident reflects a broader trend of cloud security risks associated with AI technologies. Darktrace noted suspicious IAM activity following the initial breach, indicating attempts to establish persistence in the compromised environment.

Key Points: • Attackers exploited an AWS EC2 instance acting as an AI gateway, deploying XMRig malware. • Initial access likely gained through brute-force SSH login attempts on an exposed port. • AI gateways centralize sensitive access, increasing risks of data theft and model manipulation.

ThreatCluster AI

Timeline

2026-07-09
Cryptomining malware deployed
Attackers compromised an AWS EC2 instance acting as an AI gateway, deploying XMRig malware after gaining access.
Darkreading
2026-07-09
Brute-force login attempts detected
High volume of inbound SSH connection attempts were observed, indicating probable brute-force activity leading to the compromise.
Csoonline
2026-07-09
Suspicious IAM activity reported
Following the breach, unusual IAM actions were detected, including attempts to create new users and access Amazon Bedrock models.
Csoonline

Community

Browse all →