Hackers target misconfigured proxies

Hackers target misconfigured proxies to access paid LLM services

www.bleepingcomputer.com/news/secu…

Threat actors are systematically hunting for misconfigured proxy servers that could provide access to commercial large language model (LLM) services. In an ongoing campaign that started in late December, the attackers have probed more than 73 LLM endpoints and generated over 80,000 sessions. According to threat monitoring platform GreyNoise, the threat actors use low-noise prompts to query endpoints in an attempt to determine the accessed AI model without triggering a security alert.

GreyNoise says in a report that over the past four months, its Ollama honeypot caught a total of 91,403 attacks that are part of two distinct campaigns. One operation started in October and is still active, with a spike of 1,688 sessions over 48 hours around Christmas. It exploits server-side request forgery (SSRF) vulnerabilities that allow the actor to force a server to connect to attacker-controlled external infrastructure.

Edward Kiledjian @ekiledjian