A recent hacking campaign named "ShadowRay" has emerged, targeting an unpatched vulnerability within Ray, a widely used open-source AI framework. The campaign aims to seize computing power and expose sensitive data from numerous companies. As reported by application security firm Oligo, it has been ongoing since at least September 5, 2023, affecting various sectors including education, cryptocurrency, and biopharma.
Ray, developed by Anyscale, serves as an open-source framework designed to scale AI and Python applications across a cluster of machines for distributed computational workloads. With over 30,500 stars on GitHub, Ray finds widespread usage among organizations such as Amazon, Spotify, LinkedIn, and others, making it a prime target for attackers seeking to infiltrate systems.
In November 2023, Anyscale disclosed five vulnerabilities within Ray and addressed four of them (CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023). The fifth, CVE-2023-48022, a critical remote code execution flaw that stems from the lack of authentication, remained unresolved. Anyscale justified this decision, stating it was consistent with Ray's security boundaries and deployment best practices, though they intend to implement authentication in a future version.
However, this lack of authentication has created an opportunity for hackers, who have exploited the CVE-2023-48022 bug in unsecured environments. Although Anyscale classifies it as a bug rather than a vulnerability, the flaw has been actively exploited by attackers, unbeknownst to many development teams and static scanning tools.
Oligo's report indicates that hundreds of publicly exposed Ray servers fell victim to exploitation via CVE-2023-48022, granting attackers access to sensitive information such as AI models, environment variables, production database credentials, and cloud environment access tokens. Some attackers utilized the compromised servers' powerful graphics cards for cryptocurrency mining operations, while others established persistence through reverse shells, enabling the execution of arbitrary code.
In response to these findings, Oligo notified affected companies and assisted with remediation efforts. To safeguard Ray deployments, it's imperative to operate within a secured environment by enforcing firewall rules, implementing authorization for the Ray Dashboard port, and continually monitoring for anomalies. Additionally, organizations should avoid default settings, such as binding to 0.0.0.0, and leverage security-enhancing tools to fortify cluster defences.