Artificial intelligence has rapidly moved from experimentation to production‑critical infrastructure. But as organizations race to deploy large language models (LLMs), inference APIs, and AI orchestration tools, attackers are keeping pace—and exploiting the gaps.
Security researchers have documented over 91,000 malicious attack sessions targeting AI deployments between October 2025 and January 2026, signaling a clear escalation in AI‑focused threat activity. The attacks span server‑side request forgery (SSRF) exploitation and systematic reconnaissance of LLM endpoints, exposing weaknesses in how organizations configure, expose, and monitor AI services.
Captured through GreyNoise’s global honeypot infrastructure, the activity reveals that AI environments are no longer niche targets—they are now part of mainstream offensive security campaigns.
In this article, we break down:
- The two major AI attack campaigns observed in the wild
- How attackers exploit AI infrastructure without triggering alerts
- Why LLM endpoints are becoming high‑value reconnaissance surfaces
- Practical defenses to reduce exposure and detect abuse
Why AI Infrastructure Is Attractive to Attackers
AI deployments often combine:
- Internet‑exposed APIs
- High‑trust service‑to‑service communication
- Broad outbound network access
- Expensive and rate‑limited commercial model APIs
This creates a perfect storm where misconfigurations can lead to:
- Credential and API key abuse
- Unauthorized access to paid AI resources
- Internal network leak paths
- AI model misuse at scale
From an attacker’s perspective, AI environments offer both data value and operational leverage.
Campaign One: Exploiting SSRF to Force Servers to Phone Home
Understanding the SSRF Attack Pattern
The first observed campaign centered on server‑side request forgery (SSRF)—a class of vulnerabilities that allows attackers to coerce servers into making unauthorized outbound connections.
In AI and automation platforms, SSRF is particularly dangerous because:
- Outbound traffic is often unrestricted
- Integrations regularly fetch external resources
- Callback behavior blends into normal operations
Targeted Vectors: Ollama and Twilio
The attackers focused on two primary integration points:
Ollama Model Pull Abuse
- Model pull requests were submitted with an attacker‑controlled registry host in the model name (Ollama resolves a host prefix such as host/namespace/model:tag to a custom registry)
- Target systems were forced to retrieve model manifests from attacker‑controlled servers
- The resulting callback confirmed that the instance was reachable and could egress, and fingerprinted the environment
Twilio SMS Webhook Manipulation
- Attackers supplied adversary URLs in MediaUrl parameters of SMS webhook requests
- This triggered HTTP fetches from the target to adversary infrastructure
- The fetches confirmed SSRF reachability and the target's network egress behavior
The campaign peaked over Christmas 2025, generating 1,688 malicious sessions in just 48 hours, which suggests automated tooling operating against large target sets.
Attack Infrastructure Analysis: Not a Botnet
Analysis of the campaign revealed:
- 62 source IP addresses
- Distributed across 27 countries
- Infrastructure consistent with VPS‑based tooling, not commodity botnets
Notably, attackers relied heavily on ProjectDiscovery's OAST (Out‑of‑Band Application Security Testing) infrastructure (interactsh), a callback service commonly used by security researchers to validate SSRF and other out‑of‑band vulnerabilities.
While this suggests potential grey‑hat or bug bounty activity, the scale, coordination, and targeting of production systems raise serious operational security concerns.
Campaign Two: Reconnaissance of LLM Model Endpoints
A More Concerning Development
The second campaign represents a more mature and strategically dangerous phase of AI exploitation.
Launched on December 28, 2025, this operation targeted 73+ LLM endpoints, conducting systematic reconnaissance of exposed or misconfigured AI model APIs.
Scale and Precision
Key characteristics:
- 80,469 attack sessions over 11 days
- Orchestrated from just two IP addresses
- Over 4 million GreyNoise sensor hits
- Highly consistent request patterns
The operators weren’t attempting to exploit immediately—instead, they were trying to identify usable AI access paths quietly.
What the Attackers Were Looking For
The probes targeted:
- Misconfigured reverse proxies
- Forgotten internal test endpoints
- Exposed API gateways
- AI services unintentionally accessible from the internet
The goal appears to have been free or stealth access to commercial AI APIs, potentially for:
- Cost laundering
- Model abuse
- Downstream exploitation and resale
Model and API Coverage
The reconnaissance tested compatibility across:
- OpenAI‑compatible APIs
- Google Gemini formats
And across all major model families:
- GPT‑4o
- Claude
- Llama
- DeepSeek
- Gemini
- Mistral
- Qwen
- Grok
This breadth strongly suggests industrial‑scale enumeration, not casual experimentation.
Low‑Noise Probing Techniques
The attackers deliberately used innocuous, non‑triggering prompts, such as:
“How many states are there in the United States?”
These queries:
- Confirm model responsiveness
- Avoid content‑moderation alerts
- Mimic legitimate health checks or user traffic
Combined with standard fingerprinting techniques, this allowed attackers to map AI exposure without raising alarms.
Threat Intelligence Signals: Professional Operators
Infrastructure analysis linked the two IP addresses to:
- Historical CVE exploitation activity
- Coordinated scanning campaigns
- Tooling associated with reconnaissance‑first attack pipelines
The behavioral consistency strongly indicates professional threat operators, not hobbyists.
This is reconnaissance designed to feed future exploitation, not immediate impact.
Why This Matters to Enterprises
These campaigns highlight several uncomfortable truths:
- AI endpoints are now attack surfaces, not just APIs
- Reconnaissance can happen without exploitation signals
- Traditional WAFs often miss SSRF and AI probing
- Cost, data, and access risks converge in AI platforms
Organizations deploying AI without security architecture are effectively advertising unmanaged assets to attackers.
Recommended Defensive Measures
Immediate Actions
✅ Enforce strict model pull allow‑lists
✅ Apply egress filtering to block unauthorized callbacks
✅ Rate‑limit requests from suspicious ASNs
✅ Monitor for unusual outbound HTTP/DNS activity
Detection Enhancements
- Block known OAST callback domains at DNS level
- Alert on rapid probing across multiple LLM endpoints
- Use behavioral detection for API enumeration patterns
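Because the Campaign Two probes used benign prompts and ordinary request shapes, a single request is indistinguishable from a health check; what gives the activity away is breadth per source: one address naming many model families, walking several LLM paths, and touching several hosts within minutes. The following is an added example of that behavioral rule, written for this article and not GreyNoise's own detection logic. It assumes the gateway or reverse proxy logs one line per request in the constructed format shown in the docstring (including the model name from the request body); the log lines, hosts and thresholds are all made up for illustration.

```python
"""Behavioural detection of LLM-endpoint enumeration from gateway logs.

Added example. Assumed (constructed) log format, one request per line:
    <iso-timestamp> <src-ip> <host> <method> <path> <status> model=<name|->
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths that mark a request as aimed at an LLM API: OpenAI-compatible,
# Gemini-style and Ollama. Extend for whatever your gateway fronts.
LLM_PATH_RE = re.compile(
    r"^/(v1/(chat/completions|completions|models|embeddings)"
    r"|v1beta/models"
    r"|api/(generate|chat|tags|pull))"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) model=(?P<model>\S+)$"
)

# Constructed sample: 198.51.100.7 walks three hosts, four paths and six
# model names with innocuous prompts; 203.0.113.9 is an ordinary client.
SAMPLE_LOG = """\
2025-12-28T10:00:00Z 198.51.100.7 ai-gw.example.com POST /v1/chat/completions 200 model=gpt-4o
2025-12-28T10:00:01Z 198.51.100.7 ai-gw.example.com POST /v1/chat/completions 400 model=claude-3-5-sonnet
2025-12-28T10:00:02Z 198.51.100.7 ai-gw.example.com POST /v1/chat/completions 400 model=llama-3.1-70b
2025-12-28T10:00:03Z 198.51.100.7 ai-gw.example.com POST /v1/chat/completions 400 model=deepseek-chat
2025-12-28T10:00:04Z 198.51.100.7 ai-gw.example.com GET /v1/models 200 model=-
2025-12-28T10:00:05Z 198.51.100.7 ai-gw.example.com POST /v1beta/models/gemini-pro:generateContent 404 model=gemini-pro
2025-12-28T10:00:06Z 198.51.100.7 staging-llm.example.com POST /v1/chat/completions 401 model=mistral-large
2025-12-28T10:00:07Z 198.51.100.7 ollama.example.com GET /api/tags 200 model=-
2025-12-28T10:05:00Z 203.0.113.9 ai-gw.example.com POST /v1/chat/completions 200 model=gpt-4o
2025-12-28T10:05:30Z 203.0.113.9 ai-gw.example.com POST /v1/chat/completions 200 model=gpt-4o
2025-12-28T10:06:00Z 203.0.113.9 ai-gw.example.com POST /v1/chat/completions 200 model=gpt-4o
2025-12-28T10:06:10Z 203.0.113.9 www.example.com GET /healthz 200 model=-
"""


def parse_line(line: str):
    """Parse one log line; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["model"] = None if d["model"] == "-" else d["model"]
    return d


def find_enumerators(lines, window=timedelta(minutes=10),
                     min_paths=3, min_models=4, min_hosts=2):
    """Return {src_ip: summary} for sources that, within any `window`, touch
    >= min_paths distinct LLM paths, or name >= min_models distinct models,
    or hit >= min_hosts distinct hosts. Any one condition is enough, so a
    single-host deployment still sees the path/model breadth. Only LLM paths
    count; unrelated traffic from the same source is ignored."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and LLM_PATH_RE.match(ev["path"]):
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, end in enumerate(events):
            win = [e for e in events[: i + 1] if e["ts"] > end["ts"] - window]
            paths = {e["path"] for e in win}
            models = {e["model"] for e in win if e["model"]}
            hosts = {e["host"] for e in win}
            if (len(paths) >= min_paths or len(models) >= min_models
                    or len(hosts) >= min_hosts):
                s = flagged.setdefault(src, {"paths": set(), "models": set(),
                                             "hosts": set(), "first": win[0]["ts"],
                                             "last": end["ts"]})
                s["paths"] |= paths
                s["models"] |= models
                s["hosts"] |= hosts
                s["last"] = max(s["last"], end["ts"])
    return {src: {"paths": sorted(s["paths"]), "models": sorted(s["models"]),
                  "hosts": sorted(s["hosts"]), "first": s["first"].isoformat(),
                  "last": s["last"].isoformat()}
            for src, s in flagged.items()}


if __name__ == "__main__":
    for src, summary in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

Tune the thresholds against your own baseline: a legitimate multi‑model application will name several models, but it rarely also walks /v1/models, Gemini and Ollama paths across staging and production hosts from one address inside ten minutes. Pairing the alert with a rate limit on the offending source, as the Immediate Actions list suggests, turns the detection into a response.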
Strategic Controls
- Apply Zero Trust principles to AI services
- Require authentication on all model endpoints
- Segment AI workloads from internal management planes
- Treat AI APIs as high‑cost, high‑abuse‑risk assets
Framework and Risk Context
From a defense framework perspective, these attacks align with:
- MITRE ATT&CK – Reconnaissance (TA0043), in particular Active Scanning
- NIST CSF – Identify, Protect, Detect
- OWASP Top 10 for LLM Applications
Failure to secure AI infrastructure can lead to:
- Financial loss
- Data leakage
- Regulatory exposure
- Reputational damage
Expert Insight: AI Security Is Entering Its Reconnaissance Era
What we are witnessing is not random scanning—it is methodical intelligence gathering against AI systems.
Attackers are:
- Learning how AI is deployed
- Identifying where controls are weak
- Cataloging misconfigurations for later use
This mirrors the early stages of cloud exploitation a decade ago—before defenders caught up.
Frequently Asked Questions (FAQs)
Were these AI attacks successful?
The activity focused primarily on reconnaissance and callback validation, not confirmed exploitation—but this is often the first stage of larger campaigns.
Are these attacks limited to large enterprises?
No. Smaller organizations often have weaker controls and are frequently targeted during wide enumeration campaigns.
Why is SSRF so effective against AI platforms?
Because AI systems frequently allow outbound connections for model pulls, integrations, and webhooks.
Can traditional security tools detect this?
Not reliably. Many probes are low‑noise and application‑aware, requiring contextual monitoring.
Is this activity likely to increase?
Yes. As AI adoption grows, AI‑specific attack tooling will follow.
Conclusion: AI Security Must Catch Up to AI Adoption
The detection of 91,000+ AI‑focused attack sessions confirms that attackers have already moved ahead of many defenders.
AI systems are being:
- Actively enumerated
- Quietly mapped
- Prepared for future exploitation
For security teams, the message is clear:
AI without security architecture is an exposed attack surface.
Now is the time to:
- Inventory AI deployments
- Lock down integrations
- Monitor for silent reconnaissance
- Treat AI platforms as critical infrastructure