Three stories worth your attention this week. An AI platform vulnerability that could expose your most sensitive API credentials, some encouraging news on the ransomware enforcement front, and a breach that is a textbook case for why third-party vendor risk deserves a permanent seat at the table.

‍

Critical Vulnerability in LiteLLM

LiteLLM is a widely adopted AI gateway platform used by organisations to connect to large language models from providers including OpenAI, Anthropic, and AWS Bedrock. A critical vulnerability has been identified that allows any user — including unauthenticated users — to extract the underlying API keys of connected AI services.

The implications are significant. If exploited, an attacker gains direct access to your organisation's AI provider credentials. That means unauthorised usage at your cost, potential exposure of queries and data sent through those integrations, and a pivot point into broader infrastructure depending on how those keys are scoped.

This is not a theoretical risk. Any organisation running LiteLLM should treat this as urgent.

What to do:
Upgrade LiteLLM to the latest patched version immediately. Audit your current API key permissions and rotate any keys that may have been exposed. Review access logs for unusual activity against your AI provider accounts. If you cannot patch immediately, consider temporarily restricting network access to your LiteLLM instance.

‍

Scattered Spider: Arrests and a Guilty Plea

Scattered Spider is one of the more prominent ransomware groups operating in recent years, responsible for a string of high-profile attacks — particularly against large enterprise targets. Their preferred initial access method has been social engineering IT help desks: contacting support teams, impersonating employees, and manipulating the password reset process to gain account access. From there, they move laterally through the organisation and deploy ransomware.

This week brings some positive news on the law enforcement side. One group member has been charged and has entered a guilty plea in relation to offences connected to these campaigns. A second member was arrested after boarding a flight from Finland bound for Japan.

While this will not dismantle the group entirely, enforcement actions like this matter. They raise the operational risk for threat actors and signal continued international coordination between law enforcement agencies.

What to do:
Use this moment to review your IT help desk verification procedures. Scattered Spider's success has relied heavily on weak identity verification at the point of a password reset request. Ensure your processes require robust out-of-band confirmation before any privileged account changes are made. Awareness training that specifically covers voice phishing and help desk impersonation is also worth revisiting.

‍

The Vimeo Breach: A Third-Party Risk Case Study

Vimeo is a widely used enterprise video platform, trusted by organisations to create and share high-quality video content internally and externally. What is notable about this breach is that Vimeo itself was not the direct target. Their analytics platform — a third-party tool integrated into their environment — was compromised, and that became the entry point.

This is one of the clearest recent examples of a pattern that comes up again and again in breach investigations: you are only as secure as the vendors you connect to. A well-secured primary platform offers limited protection if the integrations built around it are not held to the same standard.

What to do:
If your organisation uses Vimeo, check for any communications regarding the scope of the breach and whether your data was affected. More broadly, treat this as a prompt to review your third-party vendor management programme. Do you have a current inventory of all third-party integrations across your environment? Are those vendors being assessed on a regular basis? Do your contracts include the right to audit and breach notification obligations? These are the questions that matter — and the answers tend to look very different before and after an incident.

‍

Stay safe — and share this with your team.