AI Platform Hijacked for Crypto Mining: The ShadowRay Campaign Exposed

Beware of ShadowRay: Hackers mine crypto using an AI platform’s unpatched flaw. It’s a digital gold rush for cybercriminals, with Anyscale Ray’s vulnerability exposing big names to data leaks and power hijacks.

Hot Take:

Well, well, well, if it isn’t another day in the cybersecurity saga where the baddies have struck gold – and no, not the shiny kind, but the kind that screams ‘free GPU power for crypto mining!’ Yes, the open-source AI platform Anyscale Ray has basically rolled out the red carpet for attackers, thanks to a vulnerability that’s been left on the welcome mat for seven whole months. It’s like leaving your front door open and being surprised when the neighbors come over to borrow some Wi-Fi… forever.

Key Points:

  • AI platform Anyscale Ray’s unpatched bug (CVE-2023-48022) is a VIP pass for attackers to mine cryptocurrency and snoop on data.
  • ShadowRay, the campaign exploiting the flaw, has been partying in sectors like education and biopharma since September 2023.
  • Big names like OpenAI and Netflix use Ray, making this vulnerability the unwanted gift that keeps on giving (to cybercriminals).
  • Anyscale won’t fix the flaw currently, advocating for “controlled network environments” instead, which is like saying ‘just dodge the raindrops’ during a storm.
  • The attackers are using everything from crypto miners to reverse shells and even an open-source tool named Interactsh to be the ninjas of the cyber world.

CVE ID: CVE-2023-48022
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 11/28/2023
CVE description: Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.

Need to know more?

AI's Achilles Heel

Imagine finding out that your favorite framework for training AI and scaling Python workloads has been moonlighting as a crypto mining botnet for the past seven months. The cybersecurity trio from Oligo Security just blew the whistle on the open-source Ray platform, which has been flexing its vulnerabilities to the tune of unauthorized job submissions, data leaks, and remote code execution. The flaw in question, CVE-2023-48022, is so critical it's making headlines faster than a celebrity scandal.

Free-for-All Framework

Ray's been the cool kid on the block, helping the who's who of the tech world build and scale AI workloads. It's like the popular club where everyone wants to be on the list. Except, in this case, being on the list means you're potentially handing over the keys to your computational kingdom thanks to the missing authentication bug that's more inviting than a 'please rob me' sign.

Too Cool for School (Security)

Anyscale, the brains behind Ray, seems to have a rather chill approach to security, akin to leaving your car unlocked in a sketchy neighborhood and hoping for the best. They've essentially said, "No fix for you!" and put the onus on the platform providers to make sure Ray doesn't get into trouble. Until they decide to add authentication in some distant future update, it's on users to make sure Ray doesn't throw wild parties with unauthorized guests.
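Since the vendor's answer is "keep Ray inside a controlled network", the practical question for anyone running a cluster is whether the job submission API is actually reachable only from where they think it is. The audit below is an added example (not code from the original post, and not from Oligo or Anyscale) that classifies a head node's listening sockets by who can reach them. It assumes Ray's default dashboard/Jobs API port of 8265; the other two ports are Ray's documented defaults but treated here as assumptions to adjust for your deployment, and the `ss -ltnp` output is a constructed sample.

```python
"""Audit a Ray head node's listening sockets for the exposure behind
CVE-2023-48022: the dashboard / Jobs API reachable from outside the cluster
network. Added example, not Oligo's or Anyscale's code."""
import re

# Ray's dashboard (which also serves the Jobs API) listens on 8265 by default.
# The other ports are Ray defaults as documented upstream; treat them as an
# assumption and adjust to your deployment.
RAY_PORTS = {
    8265: "dashboard / Jobs API (unauthenticated job submission)",
    6379: "GCS (head node coordination)",
    10001: "Ray Client server",
}

# Bind addresses that mean "reachable from every interface on this host".
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the format of `ss -ltnp` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8265        0.0.0.0:*         users:(("python",pid=4242,fd=7))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("raylet",pid=4243,fd=9))
LISTEN 0      128    10.0.0.5:10001      0.0.0.0:*         users:(("python",pid=4242,fd=12))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=3))
"""

# LISTEN, two queue counters, then "address:port" of the local socket.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return (bind_address, port) pairs from ss -ltnp style text."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in {"::1", "[::1]"}


def is_private(addr):
    """RFC 1918 ranges: reachable from the internal network only."""
    return (addr.startswith("10.") or addr.startswith("192.168.")
            or re.match(r"^172\.(1[6-9]|2\d|3[01])\.", addr) is not None)


def audit_ray_exposure(ss_output, ports=RAY_PORTS):
    """Classify each Ray listener as 'exposed', 'internal' or 'loopback'."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in ports:
            continue  # not a Ray service, out of scope for this audit
        if addr in WILDCARD_BINDS:
            level = "exposed"
        elif is_loopback(addr):
            level = "loopback"
        elif is_private(addr):
            level = "internal"
        else:
            level = "exposed"  # bound to a public or unknown address
        findings.append({"port": port, "bind": addr, "level": level,
                         "role": ports[port]})
    return findings


if __name__ == "__main__":
    for f in audit_ray_exposure(SAMPLE_SS_OUTPUT):
        flag = "!!" if f["level"] == "exposed" else "ok"
        print(f"{flag} {f['bind']}:{f['port']} ({f['role']}) -> {f['level']}")
```

On the sample, the Jobs API bound to `0.0.0.0:8265` is flagged as exposed while GCS on loopback and the client server on a private address pass. Run it against real `ss -ltnp` output from each head node; anything marked exposed on 8265 is an unauthenticated job submission endpoint that a firewall rule, `ray start --dashboard-host` on a loopback or internal interface, or an authenticating reverse proxy should be closing off.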

The ShadowRay Shindig

Party crashers have been having a field day with Ray GPU clusters, snatching everything from database passwords to private SSH keys. Imagine if the Ocean's Eleven crew could just waltz into a casino's vault without anyone blinking; that's the level of heist we're talking about. With ShadowRay, attackers are in and out like ghosts, leaving only a trail of mined cryptocurrency and elevated cloud access permissions in their wake.

Under the Radar with Interactsh

The ShadowRay attackers are not just your run-of-the-mill villains; they're using Interactsh, an open-source tool, to stay stealthier than a cat burglar on a velvet floor. They're infiltrating production clusters and making it rain (cryptocurrency, that is) while staying as invisible as a chameleon in a rainbow. It's a jackpot for them, and a face-palm moment for the cybersecurity world.
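Interactsh works by having a payload resolve or contact a unique hostname under a server the operator controls, so the quiet part of this campaign still leaves a loud footprint in DNS logs. The detector below is an added example (not code from the original post, and not from Oligo or the Interactsh project) that flags queries from cluster nodes to Interactsh server domains. The domain list is the project's public defaults as I know them and should be verified against the current interactsh-client defaults; self-hosted Interactsh domains are passed in separately, and the log format and query names are constructed samples.

```python
"""Spot Interactsh out-of-band callbacks in DNS query logs.
Added example, not from the original post or from Oligo/Anyscale."""
from collections import Counter

# Default public Interactsh server domains as published by the project at the
# time of writing; verify against current interactsh-client defaults (assumption).
INTERACTSH_DOMAINS = {
    "oast.pro", "oast.live", "oast.site", "oast.online", "oast.fun", "oast.me",
}

# Constructed sample log: "timestamp client_ip qname qtype", one query per line.
# The hostnames are made up; Interactsh labels are long random identifiers.
SAMPLE_DNS_LOG = """\
2024-03-26T10:01:02Z 10.0.0.5 pypi.org A
2024-03-26T10:01:09Z 10.0.0.5 cp60ejc2vtc0000ab3vgg9rp3jyyyyyyb.oast.fun A
2024-03-26T10:02:15Z 10.0.0.7 files.pythonhosted.org AAAA
2024-03-26T10:03:40Z 10.0.0.5 cp60ejc2vtc0000ab3vgg9rp3jyyyyyyc.oast.fun A
2024-03-26T10:04:01Z 10.0.0.9 ab12cd34ef56gh78ij90.oob.corp.example A
"""


def parse_dns_log(text):
    """Parse the constructed 'timestamp client qname qtype' format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, qname, qtype = parts
        records.append({"ts": ts, "src": src,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def matched_domain(qname, domains):
    """Return the watchlist domain that qname is equal to or sits under, else None.
    Suffix matching is label-aware so 'notoast.fun' does not match 'oast.fun'."""
    for d in domains:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def detect_interactsh(records, extra_domains=()):
    """Flag every query that resolves under an Interactsh server domain.
    extra_domains: self-hosted Interactsh domains you know about (assumption)."""
    watch = set(INTERACTSH_DOMAINS) | set(extra_domains)
    alerts = []
    for r in records:
        d = matched_domain(r["qname"], watch)
        if d:
            alerts.append({"ts": r["ts"], "src": r["src"],
                           "qname": r["qname"], "domain": d})
    return alerts


def sources_by_alert_count(alerts):
    """Which nodes made the callbacks: Counter of source IP -> alert count."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = detect_interactsh(parse_dns_log(SAMPLE_DNS_LOG),
                              extra_domains=["oob.corp.example"])
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['qname']} (under {a['domain']})")
    print("callbacks per node:", dict(sources_by_alert_count(found)))
```

A Ray worker has no business resolving anything under these domains, so even a single hit from a cluster node is worth an alert, and the per-source count tells you which node to pull for forensics first. Feed it your resolver or DNS-over-VPC logs after adapting `parse_dns_log` to their real format.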

Tags: AI platform vulnerability, Anyscale Ray framework, cryptocurrency mining exploitation, CVE-2023-48022, Sensitive Data Leakage, ShadowRay campaign, unauthorized code execution