AI services are becoming critical production components, and the scale of reconnaissance indicates imminent exploitation risk for organizations that leave these endpoints exposed.
The rapid integration of generative AI into enterprise workflows has expanded the attack surface far beyond traditional web applications. As AI models are exposed through APIs, webhooks, and proxy layers, they inherit the same misconfiguration pitfalls that attackers have long exploited in cloud environments. This convergence means that threat actors can now apply familiar techniques—such as server‑side request forgery—to AI‑specific services, turning experimental curiosity into a disciplined reconnaissance operation.
Two distinct campaigns illustrate the evolving threat landscape. The first employed SSRF to abuse Ollama’s model‑pull feature and Twilio webhook parameters, using a consistent JA4H TLS fingerprint that points to a centralized scanning framework, likely Nuclei. The second campaign focused on large‑scale enumeration, probing more than 70 LLM endpoints—including OpenAI, Anthropic, Meta, and Google models—with innocuous queries designed to evade content filters. Remarkably, just two IP addresses generated over 80,000 sessions in eleven days, underscoring the efficiency of automated, low‑profile probing that can map an organization’s AI ecosystem without triggering alarms.
Defending AI deployments now requires the same layered approach applied to legacy infrastructure. Organizations should restrict outbound network traffic from AI servers, block known malicious JA4H fingerprints and OAST domains, and enforce strict authentication and least‑privilege access across model endpoints and proxy layers. Rate limiting, behavioral throttling, and continuous telemetry monitoring can disrupt automated enumeration, while zero‑trust architectures limit implicit trust between services. As AI becomes a core business capability, proactive hardening and incident‑response readiness will be essential to prevent reconnaissance from evolving into full‑scale exploitation.
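The two campaigns above leave different traces in an AI gateway's access log: the SSRF attempts show up as an Ollama `/api/pull` model reference or a webhook callback pointing at a host outside the deployment's egress allowlist (often an OAST domain), while the enumeration campaign shows up as a small number of source IPs touching many distinct model endpoints. The following script is an added example written for this page, not code from the article or from any vendor; it runs three checks over a few constructed log lines. The log field names, the egress allowlist, the JA4H blocklist values and the thresholds are all assumptions chosen for illustration; the OAST domain suffixes are public interactsh/Collaborator domains.

```python
"""Detection sketch for the two reconnaissance patterns described on this page.

  1. SSRF via Ollama /api/pull (model ref with a registry host) or a webhook
     callback URL that points outside the egress allowlist / at an OAST domain.
  2. Low-profile enumeration: one source hitting many model endpoints.
  3. Sessions whose JA4H fingerprint is on a blocklist.

Log format, field names, thresholds, allowlist and fingerprint values are
assumptions for this example, not the page's data.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (one JSON object per line). IPs are documentation
# ranges, fingerprints are placeholders, not indicators from a real incident.
SAMPLE_LOGS = """\
{"src":"203.0.113.10","ja4h":"ja4h-placeholder-A","path":"/api/pull","model":"library/llama3"}
{"src":"203.0.113.10","ja4h":"ja4h-placeholder-A","path":"/api/pull","model":"abc123.oast.fun/x/model"}
{"src":"203.0.113.10","ja4h":"ja4h-placeholder-A","path":"/webhook","callback":"http://cb.oast.fun/hook"}
{"src":"198.51.100.7","ja4h":"ja4h-placeholder-B","path":"/v1/chat/completions","model":"gpt-4o"}
{"src":"198.51.100.7","ja4h":"ja4h-placeholder-B","path":"/v1/chat/completions","model":"claude-3-haiku"}
{"src":"198.51.100.7","ja4h":"ja4h-placeholder-B","path":"/v1/chat/completions","model":"gemini-1.5-flash"}
{"src":"198.51.100.7","ja4h":"ja4h-placeholder-B","path":"/v1/chat/completions","model":"llama-3-70b"}
{"src":"192.0.2.44","ja4h":"ja4h-placeholder-C","path":"/v1/chat/completions","model":"gpt-4o"}
{"src":"192.0.2.44","ja4h":"ja4h-placeholder-C","path":"/webhook","callback":"https://hooks.example.com/x"}
"""

# Assumed allowlist: the only hosts the AI servers may reach outbound.
ALLOWED_EGRESS = {"registry.ollama.ai", "hooks.example.com"}
# Public out-of-band testing (OAST) domains used by interactsh / Collaborator.
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "interact.sh", "burpcollaborator.net")
# Assumed blocklist of scanner fingerprints (placeholder value).
BLOCKED_JA4H = {"ja4h-placeholder-A"}


def parse_logs(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def registry_host(model_ref):
    """Ollama model refs may carry a registry prefix (host/namespace/name:tag).
    Return the host if the first segment looks like one, else None."""
    first = model_ref.split("/")[0]
    if "/" in model_ref and ("." in first or ":" in first):
        return first.lower()
    return None


def is_oast_host(host):
    return any(host == s or host.endswith("." + s) for s in OAST_SUFFIXES)


def flag_ssrf(events):
    """Return (src, path, host, reason) for requests that would make the AI
    server connect to a host outside the egress allowlist."""
    findings = []
    for e in events:
        if e["path"] == "/api/pull":
            host = registry_host(e.get("model", ""))
        elif e.get("callback"):
            host = (urlparse(e["callback"]).hostname or "").lower()
        else:
            host = None
        if host is None or host in ALLOWED_EGRESS:
            continue
        reason = "oast-domain" if is_oast_host(host) else "non-allowlisted-host"
        findings.append((e["src"], e["path"], host, reason))
    return findings


def flag_enumeration(events, max_sessions=3, min_models=4):
    """Per source IP: session count and distinct models queried. Thresholds are
    tiny for the sample; a real deployment would tune them per time window."""
    per_src = defaultdict(lambda: {"sessions": 0, "models": set()})
    for e in events:
        stats = per_src[e["src"]]
        stats["sessions"] += 1
        if e.get("model"):
            stats["models"].add(e["model"])
    return {
        src: (v["sessions"], len(v["models"]))
        for src, v in per_src.items()
        if v["sessions"] > max_sessions or len(v["models"]) >= min_models
    }


def flag_fingerprints(events, blocked=BLOCKED_JA4H):
    return sorted({(e["src"], e["ja4h"]) for e in events if e["ja4h"] in blocked})


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("SSRF / egress violations:", flag_ssrf(evts))
    print("Enumeration sources:", flag_enumeration(evts))
    print("Blocked fingerprints seen:", flag_fingerprints(evts))
```

The enumeration check deliberately ignores prompt content, since the page notes the probes were innocuous by design; volume and breadth per source are what distinguish a scanner from a user. The egress check is only a detection; the matching mitigation from the paragraph above is to enforce the same allowlist at the network layer so the pull or callback never leaves the host.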