AI Models Under Siege: Why Attackers Are Suddenly Hunting Machine Learning Infrastructure
I’ve been watching some concerning trends emerge over the past month, and frankly, they’re keeping me up at night. While everyone’s been focused on the usual suspects—phishing campaigns, ransomware, the typical Tuesday chaos—there’s a new hunting ground that’s caught attackers’ attention: AI models and the infrastructure that runs them.
The Great AI Model Hunt Begins
Starting March 10th, security researchers at the SANS Internet Storm Center noticed something interesting in their honeypot data. Attackers began systematically probing for AI models and related services—specifically targeting Claude, OpenClaw, Hugging Face, and other machine learning platforms. What makes this particularly noteworthy isn’t just that it’s happening, but the coordinated timing across multiple DShield sensors.
This isn’t random scanning. When you see probe activity start on the same day across different sensors and continue for weeks, that tells me we’re looking at organized reconnaissance. Someone—or more likely, several groups—decided AI infrastructure was worth their time and resources.
Think about what this means for a moment. These aren’t script kiddies poking around for fun. Professional threat actors are investing time to map out AI deployments, which suggests they see real value in these targets. Whether that’s stealing trained models, poisoning datasets, or finding ways to manipulate AI outputs, the implications are significant.
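The signal described above is not any single probe but the same path showing up for the first time on several sensors on the same day. The script below is an added example of that cross-sensor correlation, not code from the ISC diary or from DShield: the log format, sensor names, source IPs, dates and request paths are constructed, and the AI_PATH_HINTS list is an assumed set of model-serving endpoint prefixes, not the paths ISC reported.

```python
"""Cross-sensor correlation of honeypot HTTP probes.

Added example; not code from the ISC diary or DShield.  The log format,
sensor names, source IPs, dates and request paths are constructed, and
AI_PATH_HINTS is an assumed list of model-serving endpoint prefixes, not
the set of paths ISC reported.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed records, one per request: "<sensor> <YYYY-MM-DD> <src_ip> <method> <path>"
SAMPLE_LOG = """\
sensorA 2026-03-09 198.51.100.7 GET /
sensorA 2026-03-10 203.0.113.5 GET /v1/models
sensorB 2026-03-10 203.0.113.5 GET /v1/models
sensorC 2026-03-10 203.0.113.9 GET /v1/models
sensorA 2026-03-10 203.0.113.5 POST /v1/chat/completions
sensorB 2026-03-11 203.0.113.9 POST /v1/chat/completions
sensorB 2026-03-12 198.51.100.8 GET /wp-login.php
sensorC 2026-03-13 198.51.100.8 GET /wp-login.php
sensorA 2026-03-14 203.0.113.5 GET /api/tags
"""

# Assumption: path prefixes typical of OpenAI-style and local model-serving APIs.
AI_PATH_HINTS = ("/v1/models", "/v1/chat", "/v1/completions", "/api/tags", "/api/generate")

LINE_RE = re.compile(r"^(\S+) (\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (sensor, date, src_ip, method, path); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sensor, day, ip, method, path = m.groups()
            yield sensor, date.fromisoformat(day), ip, method, path


def is_ai_probe(path):
    """True when the path starts with one of the assumed model-serving prefixes."""
    return any(path.startswith(hint) for hint in AI_PATH_HINTS)


def correlate(log_text, min_sensors=2):
    """Paths whose first sighting lands on the same day on >= min_sensors sensors.

    One sensor seeing a new path is noise; several sensors seeing it for the
    first time on the same day is the coordinated-reconnaissance signature.
    """
    first_seen = defaultdict(dict)   # path -> {sensor: earliest date}
    sources = defaultdict(set)       # path -> {src_ip}
    for sensor, day, ip, _method, path in parse(log_text):
        prev = first_seen[path].get(sensor)
        if prev is None or day < prev:
            first_seen[path][sensor] = day
        sources[path].add(ip)

    campaigns = {}
    for path, per_sensor in first_seen.items():
        by_day = defaultdict(list)
        for sensor, day in per_sensor.items():
            by_day[day].append(sensor)
        for day in sorted(by_day):
            if len(by_day[day]) >= min_sensors:
                campaigns[path] = {
                    "first_seen": day,
                    "sensors": sorted(by_day[day]),
                    "sources": sorted(sources[path]),
                    "ai_related": is_ai_probe(path),
                }
                break  # report only the earliest qualifying day
    return campaigns


if __name__ == "__main__":
    for path, info in correlate(SAMPLE_LOG).items():
        tag = "AI" if info["ai_related"] else "other"
        print(f"{info['first_seen']} {path} [{tag}] "
              f"sensors={info['sensors']} sources={info['sources']}")
```

On the constructed log only `/v1/models` qualifies: three sensors see it for the first time on the same day, while `/v1/chat/completions` and `/wp-login.php` arrive on different days and `/api/tags` hits a single sensor. Lowering `min_sensors` to 1 turns the function into a plain first-seen report, which is useful for triage but loses the coordination signal.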
When Insiders Go Rogue at Kraken
Speaking of concerning trends, the Kraken cryptocurrency exchange situation perfectly illustrates why insider threats remain our biggest nightmare. A cybercrime group is now trying to extort Kraken by threatening to release videos showing internal systems that handle client data.
Here’s what makes this particularly nasty: they’re not just claiming to have data—they’re demonstrating access to internal systems through video evidence. That level of documentation suggests either a very sophisticated external breach or, more likely, insider involvement. When attackers can casually record internal systems, we’re dealing with someone who had legitimate access and plenty of time to operate undetected.
The cryptocurrency space has always been a high-value target, but this incident highlights how insider threats can bypass even robust perimeter security. You can have the best firewalls, intrusion detection, and endpoint protection in the world, but if someone with legitimate access decides to go rogue, those controls become largely irrelevant.
Microsoft’s Massive Patch Tuesday Reality Check
Meanwhile, Microsoft just dropped what experts are calling the second-largest Patch Tuesday ever with 165 vulnerabilities patched. But here’s what really caught my attention: more than half of these are privilege elevation bugs, and two of them are zero-days that were already being exploited in the wild.
Privilege escalation vulnerabilities are particularly dangerous because they’re usually the second stage of an attack chain. An attacker gets initial access as a low-privileged user through phishing or a web application vulnerability, uses a local privilege escalation bug to become SYSTEM on that host, and from there harvests credentials to move toward domain admin. When we see this many privilege escalation fixes in a single update, it suggests both attackers and researchers have been busy finding ways to climb the permission ladder in Windows environments.
The SharePoint zero-day is especially concerning because SharePoint is ubiquitous in enterprise environments. It’s not just a collaboration platform—it’s often deeply integrated with Active Directory, contains sensitive business documents, and has extensive permissions throughout the organization. A compromised SharePoint server can be a goldmine for attackers looking to establish persistence and move laterally.
What This Means for Our Defense Strategy
These incidents paint a clear picture of where attackers are focusing their efforts. AI infrastructure is becoming a legitimate target, insider threats continue to be our Achilles’ heel, and privilege escalation remains a critical attack vector.
For AI deployments specifically, we need to start thinking about security from the ground up. That means proper access controls around model repositories (authenticated, least-privilege access to weights, registries and training data), monitoring for unusual API usage patterns (a per-key baseline of which endpoints get called and at what volume, with alerts when a key spikes or touches a new endpoint), and treating AI infrastructure with the same security rigor we apply to traditional critical systems.
The Kraken incident reinforces why we need better insider threat detection. This isn’t just about monitoring for malicious behavior—it’s about understanding normal access patterns and identifying when legitimate users start acting outside their typical scope.
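The two monitoring ideas above, unusual API usage on AI infrastructure and a legitimate user acting outside their usual scope, are the same detection problem: build a per-principal baseline, then alert on deviation from it. The script below is an added example of that approach and is not code from the page's sources; the events, principal names, resource names, cutoff date and `volume_factor` threshold are all constructed assumptions.

```python
"""Per-principal baselines with deviation alerts.

Added example; not code from the page's sources.  Events, principal names,
resource names, the cutoff date and the volume_factor threshold are all
constructed assumptions.  One scorer covers both cases from the post: an API
key that suddenly hammers a model endpoint or touches a new one, and a staff
account that starts reaching systems outside its usual scope.
"""
from collections import Counter, defaultdict

# Constructed events as (YYYY-MM-DD, principal, resource).  ISO dates compare
# correctly as strings, so no datetime parsing is needed here.
SAMPLE_EVENTS = (
    [(f"2026-03-0{d}", "key-app1", "models/summarizer") for d in (1, 2, 3) for _ in range(2)]
    + [(f"2026-03-0{d}", "alice", "kyc-portal") for d in (1, 2, 3)]
    + [(f"2026-03-0{d}", "bob", "ticketing") for d in (1, 2, 3)]
    + [("2026-03-10", "key-app1", "models/summarizer")] * 20
    + [
        ("2026-03-10", "key-app1", "models/registry-export"),
        ("2026-03-10", "alice", "kyc-portal"),
        ("2026-03-10", "bob", "kyc-portal"),
        ("2026-03-10", "bob", "customer-db"),
    ]
)


def build_baseline(events, cutoff):
    """For each principal seen before `cutoff`: resources used and mean requests per active day."""
    resources = defaultdict(set)
    daily = defaultdict(Counter)  # principal -> Counter(day -> request count)
    for day, principal, resource in events:
        if day < cutoff:
            resources[principal].add(resource)
            daily[principal][day] += 1
    return {
        p: {
            "resources": resources[p],
            "mean_daily": sum(daily[p].values()) / len(daily[p]),
        }
        for p in resources
    }


def detect(events, cutoff, volume_factor=3.0):
    """Score events on/after `cutoff` against the baseline built from events before it.

    Alert kinds:
      new_resource       a principal touched something absent from its baseline
      volume_spike       a principal's daily count exceeded volume_factor x its baseline mean
      unknown_principal  a principal with no history at all
    """
    baseline = build_baseline(events, cutoff)
    alerts, reported = [], set()
    daily = defaultdict(Counter)

    for day, principal, resource in events:
        if day < cutoff:
            continue
        daily[principal][day] += 1
        profile = baseline.get(principal)
        if profile is None:
            key = (principal, "unknown_principal", None)
            if key not in reported:
                reported.add(key)
                alerts.append({"principal": principal, "day": day,
                               "kind": "unknown_principal", "detail": None})
            continue
        if resource not in profile["resources"]:
            key = (principal, "new_resource", resource)
            if key not in reported:  # one alert per (principal, resource), not per request
                reported.add(key)
                alerts.append({"principal": principal, "day": day,
                               "kind": "new_resource", "detail": resource})

    for principal, counts in daily.items():
        profile = baseline.get(principal)
        if profile is None:
            continue
        for day, n in sorted(counts.items()):
            if n > volume_factor * profile["mean_daily"]:
                alerts.append({"principal": principal, "day": day,
                               "kind": "volume_spike", "detail": n})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, cutoff="2026-03-10"):
        print(f"{a['day']} {a['principal']:10} {a['kind']:17} {a['detail']}")
```

On the constructed data `key-app1` averages two calls a day to one model in the baseline window, then makes 21 calls on the cutoff day and reaches a registry-export resource it never used before, so it raises both a `volume_spike` and a `new_resource` alert. `bob` keeps his volume normal but touches two systems outside his baseline scope, which is the insider pattern the post is worried about; `alice` stays within her profile and raises nothing. In production the baseline window would be weeks rather than days and the threshold tuned per principal class, but the shape of the logic is the same.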
And with Microsoft’s patch bonanza, the message is clear: if you’re running Windows infrastructure and haven’t patched yet, you’re essentially leaving the front door open. The fact that two of these were already being exploited means attackers had working exploits before a patch was available, and very likely before defenders even knew the vulnerabilities existed.
The threat landscape isn’t just evolving—it’s expanding into new territories while simultaneously exploiting the fundamentals we thought we had covered. Time to double-check those patch schedules and take another hard look at our insider threat programs.
Sources
- Scanning for AI Models - SANS Internet Storm Center
- Crypto-exchange Kraken extorted by hackers after insider breach - BleepingComputer
- Privilege Elevation Dominates Massive Microsoft Patch Update - Dark Reading
- Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities - SecurityWeek