Ethical Hacking News
Hackers have been exploiting misconfigured proxies to gain unauthorized access to commercial large language model (LLM) services, with a campaign generating over 80,000 sessions and using low-noise prompts to evade detection. Security teams are advised to restrict Ollama model pulls, apply egress filtering, and block known domains at the DNS level.
Threat actors have been targeting misconfigured proxies to gain unauthorized access to commercial large language model (LLM) services. The attackers exploited server-side request forgery (SSRF) flaws to make servers connect to attacker-controlled external infrastructure while evading detection. GreyNoise recorded over 80,000 sessions probing LLM endpoints, which it judges to indicate malicious intent even though no data theft or model abuse has been reported. The attackers use low-noise prompts and harmless-looking queries to probe endpoints without triggering security alerts. The campaign originated from sixty-two IP addresses across twenty-seven countries with VPS-like characteristics. Security teams are advised to restrict Ollama model pulls, apply egress filtering, and block known OAST callback domains at the DNS level.
In recent weeks, a sophisticated threat actor campaign has been making headlines in the cybersecurity community, revealing a concerning trend of hackers targeting misconfigured proxies to gain unauthorized access to commercial large language model (LLM) services. These malicious actors have managed to evade detection by exploiting server-side request forgery (SSRF) vulnerabilities to force servers to connect to attacker-controlled external infrastructure.
According to threat monitoring platform GreyNoise, the attackers have probed more than 73 LLM endpoints and generated over 80,000 sessions, with their scanning infrastructure exhibiting characteristics similar to those of widespread vulnerability exploitation activity. The researchers believe that this activity is indicative of malicious intentions, despite not observing any reported data theft or model abuse.
The threat actors utilize low-noise prompts to query endpoints, attempting to identify which AI model sits behind each one without triggering a security alert. In some cases, they use harmless queries such as short greetings or factual questions to avoid detection. GreyNoise notes that eight thousand enumeration requests represent "investment," suggesting that the attackers are systematically cataloging accessible LLM services.
The campaign is believed to have originated from sixty-two IP addresses across twenty-seven countries, with VPS-like characteristics rather than signs of botnet operation. The threat actors also appear to abuse Ollama's model pull functionality to inject malicious registry URLs, and Twilio SMS webhook integrations through the MediaURL parameter.
GreyNoise highlights that while the tools used by these attackers are not indicative of a large-scale botnet, their scope and timing suggest "grey-hat operations pushing boundaries." This raises concerns about the potential for more sophisticated attacks in the future.
To defend against this activity, security teams are advised to restrict Ollama model pulls to trusted registries, apply egress filtering, and block known OAST callback domains at the DNS level. Measures against enumeration include rate-limiting suspicious ASNs and monitoring for JA4 network fingerprints linked to automated scanning tools.
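The following is an added example, not code from GreyNoise or from the article, showing how two of these defenses can be checked against proxy logs: it flags Ollama pulls whose model name points at a registry outside a trusted allowlist, and it flags sources that probe several LLM endpoints with short, low-noise prompts. The JSON log format, the endpoint path set, and the thresholds are assumptions chosen for this example.

```python
import json
from collections import defaultdict

# Assumed allowlist: Ollama's default registry is registry.ollama.ai; add your internal mirror.
TRUSTED_REGISTRIES = {"registry.ollama.ai"}
# LLM API paths watched on the proxy (assumed set for this example).
LLM_PATHS = {"/v1/chat/completions", "/v1/models", "/api/generate", "/api/tags", "/api/pull"}
# Enumeration heuristic (assumed thresholds): several distinct endpoints plus short prompts.
MIN_DISTINCT_PATHS, MIN_SHORT_PROMPTS, MAX_PROMPT_CHARS = 3, 2, 40

def pull_registry(model_name):
    """Registry host an Ollama pull would contact: a leading 'host/' prefix overrides the default."""
    first = model_name.split("/")[0]
    return first if ("." in first or ":" in first) else "registry.ollama.ai"

def analyse(log_lines):
    """Return (kind, source, detail) findings: untrusted pulls and low-noise enumeration."""
    findings, paths_seen, short_prompts = [], defaultdict(set), defaultdict(int)
    for line in log_lines:
        ev = json.loads(line)
        if ev["path"] not in LLM_PATHS:
            continue
        src, body = ev["src"], ev.get("body") or {}
        paths_seen[src].add(ev["path"])
        if ev["path"] == "/api/pull":
            registry = pull_registry(body.get("name", ""))
            if registry not in TRUSTED_REGISTRIES:
                findings.append(("untrusted_pull", src, registry))
        # Ollama uses "prompt"; OpenAI-compatible endpoints carry "messages".
        text = body.get("prompt") or " ".join(m.get("content", "") for m in body.get("messages", []))
        if text and len(text) <= MAX_PROMPT_CHARS:
            short_prompts[src] += 1
    for src, paths in paths_seen.items():
        if len(paths) >= MIN_DISTINCT_PATHS and short_prompts[src] >= MIN_SHORT_PROMPTS:
            findings.append(("enumeration", src, len(paths)))
    return findings

# Constructed sample proxy log lines (one JSON object per line; IPs from documentation ranges).
SAMPLE_LOGS = [
    '{"src":"203.0.113.7","path":"/api/tags","body":null}',
    '{"src":"203.0.113.7","path":"/v1/chat/completions","body":{"messages":[{"role":"user","content":"hi"}]}}',
    '{"src":"203.0.113.7","path":"/api/generate","body":{"prompt":"What is the capital of France?"}}',
    '{"src":"203.0.113.7","path":"/api/pull","body":{"name":"oast.example.net/evil/model"}}',
    '{"src":"198.51.100.9","path":"/api/pull","body":{"name":"llama3"}}',
    '{"src":"198.51.100.9","path":"/v1/chat/completions","body":{"messages":[{"role":"user","content":"Summarise the attached quarterly report and list the three largest risks."}]}}',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding)  # ('untrusted_pull', '203.0.113.7', 'oast.example.net') then ('enumeration', '203.0.113.7', 4)
```

The untrusted-pull finding is the signal to enforce the registry allowlist at the egress filter; the enumeration finding is a candidate for the rate-limiting described above.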
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Misconfigured-Proxies-to-Access-Commercial-Large-Language-Model-Services-ehn.shtml
Published: Fri Jan 9 14:01:02 2026 by llama3.2 3B Q4_K_M