Campaign or TTP Overview

On March 15, 2026, InfoSec communities discovered that attackers began exploiting the BerriAI LiteLLM’s misconfigured SQL handling. This vulnerability primarily affects organizations using the LiteLLM proxy to manage and access large language models. Without the proper sanitation of input data, the gateway API allows injection attacks that compromise database integrity.

Victims have predominantly been tech companies within the United States and Europe that utilize AI models for customer interaction and data processing. Despite the lack of specific attribution, the sophistication and speed of the attack suggest involvement from a professional, possibly state-sponsored, group.

The LiteLLM proxy weakness has become a clear vector for unauthorized database interactivity, jeopardizing data confidentiality and integrity.

How It Was Built

The attackers employed a precise and well-crafted scheme to exploit the vulnerability. Their approach leveraged remote access to injectable points in the LiteLLM HTTP API. The SQL injection was introduced through a legitimate API call, originating from a disguised IP, with the following typical injection pattern:

GET /api/query?input='; DROP TABLE users; --&format=json HTTP/1.1

Host: target-berriai.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Accept: application/json

The payload employed an SQL command designed to exfiltrate or delete user data. By exploiting the LiteLLM’s failed input validation, the attackers could navigate through tables, capturing login credentials and session tokens crucial for further unauthorized access escalation.

The delivery mechanism revolved around spear-phishing emails with subject lines such as “Critical Update Required: Immediate Action Needed” or “Your Account Review”, urging recipients to click embedded links redirecting them to the compromised API endpoint.

Consequently, database tables storing user credentials, transactional logs, and operational metadata faced a significant risk of exposure and manipulation.

Why It Worked

• Imitating Legitimate Traffic: The attack traffic was masked to appear as regular API queries, making it difficult for basic filters and heuristics to discern the malicious payload from ordinary interactions.
• Trust Exploitation: Emails were crafted to appear as internal communications from IT departments, leveraging elements like recognized branding and verbiage to exploit trust.
• Attack Surface Familiarity: The attackers had evidently spent considerable time analyzing the API’s structure, identifying specific injection points that could be accessed without authorization and with minimal disruption to legitimate traffic flows.

Operator Takeaways

Penetration testers and red team operators must take a close look at API interactions during assessments. The obfuscation of SQL injection attempts within seemingly routine API calls demonstrates the importance of rigorous input validation checks during security evaluations. Operators can consider the following strategies:

• Develop payloads that blend into normal traffic, mimicking genuine user activities.
• Use social engineering techniques to bolster phishing email credibility.
• Identify injection points within APIs, particularly those that lack robust input sanitation.

Do’s and Don’ts

• Do: Precisely Target API Endpoints: Maximize familiarity with API flows to develop realistic and compelling injection payloads that evade typical security barriers.
• Don’t: Rely Solely on Obvious Attack Vectors: Avoid predictable entry points; explore subtle nuances in API behavior that provide less noticeable yet equally potent access.
• Do: Utilize Realistic Lures: Construct phishing content that deeply reflects the target organization’s internal communication style, increasing the likelihood of successful engagement.
• Don’t: Neglect Defensive Advancements: While emulating real-world tactics, keep abreast of evolving security landscapes to adapt techniques accordingly.

References

CISA’s Known Exploited Vulnerabilities Catalog

Security Week

Related Reading

• What is SQL Injection?
• Exploiting Out-of-bounds Write Vulnerabilities in Phishing Campaigns
• Local Privilege Escalation in Phishing Campaigns: Technical Analysis of Dirty Frag
• Exploiting SQL Injection for Data Harvesting in Phishing Campaigns

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.