
New ShadowRay attacks convert Ray clusters into crypto miners


A global campaign dubbed ShadowRay 2.0 is hijacking internet-exposed Ray clusters by exploiting an old remote code execution flaw, turning them into a self-propagating cryptomining botnet.

Developed by Anyscale, the open-source Ray framework is used to build and scale AI and Python applications across a distributed computing environment organized into clusters, or head nodes.

According to researchers at runtime security company Oligo, a threat actor they track as IronErn440 is using AI-generated payloads to compromise vulnerable Ray infrastructure that is reachable over the public internet.

They say that the malicious activity goes beyond cryptocurrency mining, and in some cases, it includes data and credentials theft, as well as deploying distributed denial-of-service (DDoS) attacks.

New campaign, same (unfixed) flaw

ShadowRay 2.0 is the continuation of another ShadowRay campaign, also exposed by Oligo, which ran between September 2023 and March 2024.

Oligo researchers found that the same old critical vulnerability, tracked as CVE-2023-48022, was exploited in both campaigns. The security issue did not receive a fix because Ray was designed to run in a trusted environment, described by its developers as a "strictly-controlled network environment."

However, the researchers say that there are now more than 230,000 Ray servers reachable over the internet, a huge spike from "the few thousand we observed during our initial ShadowRay discovery."

In a report published today, Oligo says that it observed two attack waves: one that abused GitLab for payload delivery and ended on November 5, and one that abuses GitHub and has been ongoing since November 17.

Malicious GitHub repository
