News

Attackers Probing Popular LLMs Looking for Access to APIs: Report

  • Jeffrey Burt--securityboulevard.com
  • published date: 2026-01-12 00:00:00 UTC


<p>Threat actors have spent several weeks probing more than 70 large language models (LLMs) in hopes of finding misconfigured proxy servers that might leak access to commercial APIs, in the latest example of hackers targeting AI infrastructure.</p>
<p>According to a security researcher with GreyNoise, the vendor’s Ollama honeypot infrastructure captured 91,403 attack sessions between October and this month, generated primarily by two distinct campaigns that “reveal how threat actors are systematically mapping the expanding surface area of AI deployments.”</p>
<p>The campaign that involved the dozens of top-tier LLMs – from OpenAI’s GPT-4o and its variants and Anthropic’s Claude Sonnet, Opus, and Haiku models to Meta’s Llama, Google’s Gemini, xAI’s Grok, and DeepSeek-R1 – started December 28 and lasted 11 days, generating 80,469 sessions, Bob Rudis, vice president of data science at GreyNoise, <a href="https://www.greynoise.io/blog/threat-actors-actively-targeting-llms" target="_blank" rel="noopener">wrote in a report</a>.</p>
<p>“The attack tested both OpenAI-compatible API formats and Google Gemini formats,” Rudis wrote.
“Test queries stayed deliberately innocuous with the likely goal to fingerprint which model actually responds without triggering security alerts.”</p>
<p>The probing originated from two IP addresses that were associated with the exploitation of more than 200 vulnerabilities, including the high-profile React2Shell security flaw – tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-55182" target="_blank" rel="noopener">CVE-2025-55182</a> – in React Server Components and <a href="https://nvd.nist.gov/vuln/detail/cve-2023-1389" target="_blank" rel="noopener">CVE-2023-1389</a>, a command injection vulnerability in TP-Link’s Archer AX21 Wi-Fi 6 routers.</p>
<h3>React2Shell Targeted Again</h3>
<p>The maximum-severity React2Shell bug has been the target of a <a href="https://securityboulevard.com/2025/12/attackers-worldwide-are-zeroing-in-on-react2shell-vulnerability/" target="_blank" rel="noopener">wide range of bad actors</a> since it was disclosed on December 3, apparently including those behind the campaign detected by GreyNoise. The researchers tracked more than 4 million sensor hits generated by the attacks.</p>
<p>Among the prompts the hackers sent to the LLMs were “hi” – which occurred 32,716 times – “How many states are there in the United States?” (27,778 times), and “How many states are there in the United States? What is today’s date? What model are you?” (17,979).</p>
<p>Rudis wrote that it is a “professional threat actor conducting reconnaissance. The infrastructure overlap with established CVE scanning operations suggests this enumeration feeds into a larger exploitation pipeline. They’re building target lists.”</p>
<p>“Eighty thousand enumeration requests represent investment,” he wrote. “Threat actors don’t map infrastructure at this scale without plans to use that map.
If you’re running exposed LLM endpoints, you’re likely already on someone’s list.”</p>
<h3>Exploiting SSRF Flaws</h3>
<p>The other attack lasted longer, running from October into this month, with a sharp spike over the Christmas holiday that reached 1,688 attack sessions in 48 hours, Rudis wrote.</p>
<p>“The … campaign exploited server-side request forgery vulnerabilities [SSRF] – tricks that force your server to make outbound connections to attacker-controlled infrastructure,” he wrote.</p>
<p>The bad actors targeted two areas. The first was Ollama’s model pull functionality, where they injected malicious registry URLs that forced servers to make HTTP requests to the attackers’ infrastructure.</p>
<p>The second was Twilio SMS webhook integrations, where they manipulated the MediaURL parameter, a web standard for media that points directly to a specific media asset, such as an image, video, or audio file. The goal was to trigger outbound connections, he wrote.</p>
<p>The bad actors used ProjectDiscovery’s OAST (Out-of-band Application Security Testing) infrastructure, which uses callback validation to confirm a successful SSRF exploitation.</p>
<h3>Likely Grey-Hat Experts</h3>
<p>GreyNoise security researchers noted that a single JA4H signature was found in 99% of the attacks, which indicated that the hackers were using shared automation tools, likely Nuclei, an open source scanner for automated and large-scale web security testing.</p>
<p>The 62 source IPs, spread across 27 countries, had consistent fingerprints, which Rudis wrote indicated VPS-based infrastructure behind the campaign rather than a botnet.</p>
<p>He said the campaign was likely the work of security researchers or bug bounty hunters, noting that OAST callbacks are standard techniques when researching vulnerabilities.
However, the scale and the timing of the rapid jump over Christmas suggested that grey-hat security experts – who operate in an ambiguous middle ground between white-hat ethical and black-hat malicious hackers – are pushing boundaries, Rudis wrote.</p>
<h3>Configure Ollama, Block OAST</h3>
<p>Organizations need to configure Ollama to accept models only from trusted registries, apply egress filtering so that SSRF callbacks cannot reach the attacker’s infrastructure, and detect enumeration patterns.</p>
<p>“Alert on rapid-fire requests hitting multiple model endpoints,” Rudis wrote. “Watch for the fingerprinting queries: ‘How many states are there in the United States?’ and ‘How many letter r …’”</p>
<p>They also need to block OAST at DNS and monitor JA4 fingerprints to detect automation tools like those used in the campaign to target infrastructure.</p>
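<p>The two detection signals Rudis describes, rapid-fire requests across many model endpoints and the report’s fingerprinting prompts, can be turned into a simple proxy-log check. The following is an added example, not code from the article or from GreyNoise: the log format, field names, thresholds and sample log lines are all constructed assumptions.</p>

```python
"""Flag LLM-endpoint enumeration in proxy logs (added example, not from the
article or GreyNoise). Log format, thresholds and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fingerprinting prompts quoted in the report, normalised to lower case.
FINGERPRINT_PROMPTS = (
    "hi",
    "how many states are there in the united states?",
    "what model are you?",
    "how many letter r",
)
# Constructed proxy access log: "<ISO timestamp>|<src ip>|<path>|<model>|<prompt>"
SAMPLE_LOG = """\
2025-12-28T03:00:01Z|203.0.113.7|/v1/chat/completions|gpt-4o|hi
2025-12-28T03:00:02Z|203.0.113.7|/v1/chat/completions|claude-3-5-sonnet|hi
2025-12-28T03:00:02Z|203.0.113.7|/v1/chat/completions|llama3|How many states are there in the United States?
2025-12-28T03:00:03Z|203.0.113.7|/v1beta/models/gemini-pro:generateContent|gemini-pro|How many states are there in the United States? What is today's date? What model are you?
2025-12-28T03:00:04Z|203.0.113.7|/v1/chat/completions|grok-2|hi
2025-12-28T03:05:00Z|198.51.100.9|/v1/chat/completions|gpt-4o|Summarise this quarterly report.
2025-12-28T03:06:10Z|198.51.100.9|/v1/chat/completions|gpt-4o|hi
"""

def parse(log_text):
    """Yield (timestamp, src_ip, path, model, prompt) per log line."""
    for line in log_text.splitlines():
        ts, ip, path, model, prompt = line.split("|", 4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, model, prompt

def is_fingerprint_prompt(prompt):
    """True if the prompt matches or starts with one of the report's probes."""
    p = prompt.strip().lower()
    return any(p == f or p.startswith(f) for f in FINGERPRINT_PROMPTS)

def detect_enumeration(log_text, window=timedelta(seconds=60), min_models=3, min_fp=2):
    """Flag sources that hit >= min_models distinct models inside `window`
    (rapid-fire enumeration) or sent >= min_fp fingerprinting prompts."""
    per_ip = defaultdict(list)
    for ts, ip, _path, model, prompt in parse(log_text):
        per_ip[ip].append((ts, model, prompt))
    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        fp_hits = sum(is_fingerprint_prompt(p) for _, _, p in events)
        burst = set()  # largest set of distinct models seen within one window
        for i, (start, _, _) in enumerate(events):
            in_window = {m for t, m, _ in events[i:] if t - start <= window}
            burst = max(burst, in_window, key=len)
        if len(burst) >= min_models or fp_hits >= min_fp:
            findings[ip] = {"models": sorted(burst), "fingerprint_hits": fp_hits}
    return findings
```

<p>On the constructed log, only 203.0.113.7 is flagged: it touched five distinct models within a few seconds and sent five fingerprinting prompts, while the single “hi” from 198.51.100.9 stays below the assumed threshold.</p>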