Full Report
Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet. The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave that was observed between September 2023 and March 2024. The attack, at its core,
Analysis Summary
# Vulnerability: Unauthenticated Job Submission in Ray Leading to Self-Spreading Cryptomining Botnet (ShadowRay 2.0)
## CVE Details
- CVE ID: CVE-2023-48022
- CVSS Score: 9.8 (Critical)
- CWE: Missing Authentication for Critical Function (Likely CWE-287 or similar related to API access control)
## Affected Systems
- Products: Ray open-source artificial intelligence (AI) framework
- Versions: Not explicitly listed, but implied to be versions vulnerable prior to remediation efforts addressing the old design flaw.
- Configurations: Ray instances with the Job Submission API (`/api/jobs/`) exposed to an untrusted network or the public internet without authentication.
## Vulnerability Description
The vulnerability is a critical missing authentication flaw in the Ray Job Submission API (`/api/jobs/`). This allows unauthenticated remote attackers to submit malicious jobs to susceptible Ray clusters. The exploit takes control of instances, hijacks computing power (specifically targeting clusters with NVIDIA GPUs) for cryptocurrency mining (XMRig), and leverages Ray's orchestration capabilities to self-propagate recursively across other exposed Ray dashboards, forming a wormable botnet (ShadowRay 2.0). The issue stems from a long-standing design decision in Ray to operate only within isolated, trusted network environments.
## Exploitation
- Status: Exploited in the wild (Ongoing campaign codenamed ShadowRay 2.0, evolving from prior activity observed Sept 2023 - Mar 2024).
- Complexity: Not explicitly rated, but the observed multi-stage payloads, lateral movement, persistence mechanisms (cron jobs), and use of external repositories suggest **Medium** to **High** complexity for the advanced botnet operation, though initial remote code execution is likely straightforward given the unauthenticated API.
- Attack Vector: Network (via exposed Ray Job Submission API endpoint).
## Impact
- Confidentiality: High (Implied via reverse shells and potential subsequent reconnaissance/payload execution)
- Integrity: High (Installation of unauthorized software like XMRig miners, modification of system behavior via cron jobs)
- Availability: Medium to High (Resource exhaustion due to cryptomining, potential service disruption if resources are fully consumed)
## Remediation
### Patches
- The article mentions that the flaw relates to a "long-standing design decision" and suggests mitigation through configuration and tools provided by Anyscale, implying the necessity of applying vendor-specific updates related to disabling or securing the exposed API, or updating to versions where this design constraint has been appropriately enforced or patched against external access. Specific fixed versions are not listed in the provided text but follow Anyscale’s advisories regarding CVE-2023-48022.
### Workarounds
1. **Network Isolation:** Ensure Ray components, especially those exposing the Job Submission API, are only accessible within a strictly controlled, trusted network environment (the intended design posture).
2. **Firewall Rules:** Configure strict firewall rules to block all incoming traffic to the Ray dashboard IP addresses externally.
3. **Configuration Validation:** Use the official Anyscale "Ray Open Ports Checker" tool to validate cluster configuration and prevent accidental public exposure.
## Detection
- Indicators of Compromise:
- Execution of Bash or Python payloads originating from the Ray Job Submission API.
- Processes running cryptocurrency mining software (like XMRig).
- New cron jobs established on compromised hosts pulling data from public repositories (e.g., GitLab/GitHub accounts associated with the campaign).
- High, sustained CPU utilization on NVIDIA GPUs not accounted for by legitimate workloads.
- Network connections originating from compromised hosts beaconing out to attacker-controlled infrastructure.
- Detection methods and tools: Monitoring network traffic to the Ray Job Submission API (`/api/jobs/`) for unauthenticated POST requests. Scanning hosts for known cryptomining malware signatures. Utilizing vulnerability detection tools like `interact.sh` to identify publicly accessible, vulnerable Ray dashboards.
## References
- Vendor Advisory (Implied context regarding CVE-2023-48022): hxxps://www.anyscale.com/blog/update-on-ray-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
- Security Researcher Report: hxxps://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet
- Detection Tool: hxxps://github.com/projectdiscovery/interactsh
- Configuration Checker: hxxps://github.com/ray-project/ray-open-ports-checker