ShadowRay 2.0 Attack Uses Ray Clusters for Cryptocurrency Mining
Analysts from Oligo Security have uncovered a large-scale campaign dubbed ShadowRay 2.0. Attackers are exploiting a two-year-old RCE vulnerability in the open-source Ray framework, using it to turn AI clusters into a self-propagating botnet.
Ray Framework Background
Ray, created by Anyscale, is commonly used for developing and deploying large-scale Python applications in distributed clusters designed for tasks like machine learning, scientific computing, and data processing. Per official Anyscale statistics, the framework is used by many major companies, including Uber, Amazon, Spotify, LinkedIn, and OpenAI, which uses it to train ChatGPT.
The "Shadow Vulnerability"
The attacks observed by specialists exploit CVE-2023-48022 (CVSS score: 9.8)—a critical vulnerability discovered in 2023 that allows remote execution of arbitrary code without authentication via the Jobs API.
When information about the issue was disclosed, Anyscale developers claimed the vulnerability was minor because Ray is "not designed to run outside of a strictly controlled network environment." Per the company, the discovered flaw and the lack of authentication were more of a deliberate design choice than a bug.
Due to disagreements over whether CVE-2023-48022 constituted a vulnerability at all, the ShadowRay issue was omitted from several vulnerability databases. Researchers referred to it as a "shadow vulnerability," as many security teams worldwide were unaware they could be at risk.
However, after the first malicious campaign using ShadowRay (attacks occurred between September 2023 and March 2024), the developers promised to add authentication "in a future release." Nevertheless, patches remain unavailable, and there are now over 230,000 Ray servers exposed on the internet. Notably, during the initial malicious campaigns, there were only a few thousand.
AI-Generated Attack Campaign
Per experts from Oligo Security, a threat actor using the handle IronErn440 is using AI-generated payloads to compromise Ray clusters. The fact that the malware was not written by a human is evidenced by the code structure, comments, and error handling patterns. For example, the deobfuscated payload contained useless docstrings and echo commands.
Analysts recorded two attack waves: the first used GitLab for payload delivery (ended November 5), and the second used GitHub (ongoing since November 17). After the malicious repositories were deleted, the attackers immediately created new ones. Researchers note that this represents true "DevOps for cybercrime."
Attack Methodology
CVE-2023-48022 is exploited to submit jobs to the Jobs API and launch multi-stage bash and Python payloads. Through Ray's legitimate orchestration capabilities, the infection spreads to all nodes in the cluster.
The compromised clusters are used by attackers for various malicious activities:
Cryptocurrency Mining — XMRig mines Monero, utilizing only 60% of the CPU to hide its activity. The miners masquerade as legitimate processes (dns-filter) and terminate competing scripts, blocking other mining pools via /etc/hosts and iptables.
Data Theft — Multiple reverse shells provide attackers with access to MySQL credentials, tokens, cloud keys, proprietary AI models, and source code. For instance, 240 GB of model data and datasets were found on one compromised server.
DDoS Attacks — Attackers use Sockstress, opening a large number of TCP connections via raw sockets.
Autonomous Propagation — The clusters autonomously scan the internet for other vulnerable Ray instances, creating a self-spreading worm.
The malware establishes persistence in systems through cron jobs and systemd modifications, checking GitHub every 15 minutes for updated payloads.
Recommendations
Since patches are not yet available, specialists from Oligo and Anyscale recommend deploying Ray only in isolated networks, protecting clusters with firewalls, adding authorization to the Dashboard port (8265), and monitoring carefully for anomalous activity.
