The AI gateway has become cloud's new Tier Zero. An AI gateway is the reverse-proxy for calls between apps and models, and the one Darktrace just watched fronted Amazon Bedrock. Not because Amazon Bedrock was breached, but because the gateway now holds the keys to model invocation and the adjacent IAM control plane, and that host got owned like any other internet-reachable box.
In TechRadar's writeup of the research, an EC2 instance running LiteLLM-Proxy was reached through SSH exposed to 0.0.0.0/0. Within minutes, XMRig, the open-source Monero miner, was downloading and the box was hammering a Monero pool. The interesting part was what the host already carried: the credentials to invoke Amazon Bedrock's foundation models, and the IAM (identity-and-access management) permissions of a service account beside it. Follow-on activity from a Vietnam-traced IP tried to enumerate Amazon Bedrock and create a new IAM user — Darktrace calls that link suggestive, not proven, so the cleaner read is "attacker wanted whatever the box was holding," not "Bedrock was stolen from."
Call it the Tier-Zero Proxy: a single internet-reachable host that concentrates model invocation and cloud control-plane reach, so a basic SSH misconfig yields a blast radius no plain web app compromise can match. The fix is unglamorous — close public SSH, least-privilege the gateway's IAM role, alert on control-plane APIs — but the mental model has to change first. Operators treating the AI gateway as a commodity app are running a domain controller in a DMZ and hoping nobody notices.
Reported by Sky for Type0, from 'Cryptomining can be a lucrative post-compromise activity in cloud environments': Experts warn AI gateways connected to Amazon Bedrock are being hijacked to steal crypto. Read the original: techradar.com