Malicious actors are exploiting a vulnerability in the open-source AI framework Ray, turning it into a global cryptojacking operation, according to a new report from cybersecurity firm Oligo. The attackers are leveraging Ray’s orchestration features to seize compute resources for cryptocurrency mining, impacting numerous exposed Ray clusters worldwide.
Researchers at Oligo detailed how the attackers gained unauthorized access through a flaw in Ray’s Application Programming Interface (API). This vulnerability enables unauthenticated remote code execution, allowing threat actors to manipulate the framework, originally designed for automating and scaling AI compute tasks. The attackers have effectively repurposed Ray’s legitimate functions to launch a self-propagating, profitable cryptojacking scheme.
Exploiting Open-Source AI Frameworks for Cryptojacking
The exploitation of the Ray framework represents a significant evolution in threat actor tactics. Cybercriminal groups are actively battling for control of valuable AI compute resources, particularly high-end NVIDIA A100 GPUs, which are highly sought after for their cryptocurrency mining potential. Oligo researchers observed multiple groups vying for these resources, employing sophisticated evasion techniques.
Stealthy Operations and Evasion Tactics
To remain undetected, the attackers are employing several methods. They limit their CPU usage to avoid triggering standard monitoring systems. Furthermore, malicious processes are disguised as legitimate services, and GPU usage is hidden from Ray’s built-in monitoring tools. This allows them to operate stealthily while consuming premium compute power, the Oligo report states.
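One way to catch GPU use that Ray's own monitoring does not show is to compare what the NVIDIA driver reports with what Ray believes it granted. The following is an added example, not code from the Oligo report or the Ray project; the sample data is constructed, and the PID-to-grant mapping is assumed to be collected separately from Ray's accounting.

```python
import csv
import io

# Constructed sample of the output of:
#   nvidia-smi --query-compute-apps=pid,process_name,used_memory \
#              --format=csv,noheader,nounits
NVIDIA_SMI_SAMPLE = """\
4121, /usr/bin/python3, 30210
4388, /opt/demo/log-helper, 1820
5012, /usr/bin/python3, 412
"""

# Constructed sample (assumption): PID -> number of GPUs Ray granted that worker
RAY_GPU_GRANTS = {4121: 1.0, 5012: 0.0, 5100: 0.0}


def parse_compute_apps(text):
    """Parse nvidia-smi CSV rows into (pid, process_name, used_mib) tuples."""
    rows = []
    for rec in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(rec) != 3:
            continue  # blank or malformed line
        pid, name, mem = (field.strip() for field in rec)
        if not pid.isdigit() or not mem.isdigit():
            continue  # e.g. memory reported as "[N/A]"
        rows.append((int(pid), name, int(mem)))
    return rows


def unaccounted_gpu_processes(smi_text, ray_grants, min_mib=64):
    """Flag processes holding GPU memory that Ray's accounting does not explain."""
    findings = []
    for pid, name, mem in parse_compute_apps(smi_text):
        if mem < min_mib:
            continue  # ignore negligible allocations
        granted = ray_grants.get(pid)
        if granted is None:
            findings.append((pid, name, mem, "not a Ray worker"))
        elif granted <= 0:
            findings.append((pid, name, mem, "Ray granted 0 GPUs"))
    return findings


if __name__ == "__main__":
    for finding in unaccounted_gpu_processes(NVIDIA_SMI_SAMPLE, RAY_GPU_GRANTS):
        print(finding)
```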
The potential attack surface is substantial, with Oligo researchers identifying over 200,000 exposed Ray servers online. While not all are confirmed as vulnerable or compromised, a significant portion of these servers are hosted by active startups, research institutions, and cloud-based AI environments. Some of the exposed servers are also believed to be honeypots.
The latest campaign appears to be carried out by a new set of actors, distinct from those who previously exploited a similar vulnerability in Ray in 2023. Evidence suggests these attackers may have been present in Ray environments since September 2024, migrating between development platforms like GitLab and GitHub as their activities were discovered.
The Mechanics of the Attack
Attackers gain initial access to exposed Ray nodes via the Job Submission API flaw. They then submit fraudulent tasks, disguised as legitimate commands, to Ray’s dashboard. Although the dashboard is intended for internal network use only, it is frequently exposed to the public internet, providing attackers with an entry point. This allows them to explore the network further and deploy their malicious payloads.
Instead of relying on traditional exploits or network attacks, the attackers are weaponizing Ray’s own scheduling API. They use the victim’s infrastructure exactly as it is designed to be used, but with malicious Python code that mimics legitimate applications already running on the system.
Once control of Ray clusters is established, the attackers target specific resources like NVIDIA A100 GPUs. They precisely calculate the resource requirements for cryptomining and submit takeover jobs accordingly. The value of these chips on cloud platforms, costing approximately $3-4 per hour, makes them attractive targets for attackers looking to profit from stolen compute resources.
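Because the submitted jobs mimic legitimate workloads, matching on job names is unreliable; a defender can instead have the trusted submitter tag each job and audit the job list for anything untagged. The following is an added example, not code from the Oligo report or the Ray project; the `submit_sig` metadata key, the signing key and the sample jobs are assumptions constructed for illustration, shaped like the list returned by Ray's `GET /api/jobs/` endpoint.

```python
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # assumption: known only to the CI submitter
SIG_FIELD = "submit_sig"               # hypothetical metadata key, not a Ray field


def job_tag(submission_id, entrypoint, key=SIGNING_KEY):
    """HMAC-SHA256 binding a job's id to the exact command it runs."""
    msg = f"{submission_id}\n{entrypoint}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def audit_jobs(jobs, key=SIGNING_KEY):
    """Return (submission_id, reason) for every job without a valid tag."""
    flagged = []
    for job in jobs:
        sid = job.get("submission_id") or job.get("job_id") or "<unknown>"
        tag = (job.get("metadata") or {}).get(SIG_FIELD)
        if not tag:
            flagged.append((sid, "no signature"))
            continue
        expected = job_tag(sid, job.get("entrypoint") or "", key)
        # Compare as bytes so a non-ASCII tag cannot raise inside compare_digest
        if not hmac.compare_digest(str(tag).encode(), expected.encode()):
            flagged.append((sid, "signature mismatch"))
    return flagged


# Constructed sample jobs
_LEGIT = "python train.py --epochs 20"
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_demo0001", "status": "RUNNING", "entrypoint": _LEGIT,
     "metadata": {SIG_FIELD: job_tag("raysubmit_demo0001", _LEGIT)}},
    # Same command, with a tag copied from the job above, under a new id
    {"submission_id": "raysubmit_demo0002", "status": "RUNNING", "entrypoint": _LEGIT,
     "metadata": {SIG_FIELD: job_tag("raysubmit_demo0001", _LEGIT)}},
    # Looks like an ordinary workload but carries no tag at all
    {"submission_id": "raysubmit_demo0003", "status": "RUNNING",
     "entrypoint": "python serve_model.py", "metadata": None},
]

if __name__ == "__main__":
    for sid, reason in audit_jobs(SAMPLE_JOBS):
        print(sid, reason)
```

The tag covers only the submission id and entrypoint, so this is a detection aid for unexpected jobs and does not replace keeping the dashboard off untrusted networks.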
Campaign Evolution and Platform Response
The ongoing attack campaign has progressed in distinct phases. Initially, attackers utilized GitLab for malware development and distribution, but this operation was shut down on November 5. Shortly thereafter, they resurfaced on GitHub, establishing new repositories. As of November 17, the campaign was still active, with attackers reportedly creating new repositories whenever their presence was detected.
GitHub stated that the company is committed to investigating reported security issues. A spokesperson confirmed that accounts violating GitHub’s Acceptable Use Policies, which prohibit content supporting malware campaigns, have been removed. Artifacts found within the obfuscated code suggest the potential use of Large Language Models in their creation.
It is important to note that the underlying API flaw, identified as CVE-2023-48022, has not been fully patched. According to its MITRE ATT&CK entry, the bug remains unaddressed. The vendor’s stance is that Ray is intended for strictly controlled internal network environments, yet users often deploy it without adhering to this warning, creating a persistent window for exploitation.
The continued weaponization of this vulnerability highlights the ongoing challenges in securing distributed AI development environments. The next steps will likely involve continued efforts by cybersecurity firms like Oligo to track and report on these evolving threats, as well as potential pressure on developers to address the CVE-2023-48022 vulnerability more comprehensively. The long-term impact on organizations utilizing Ray without adequate security measures remains a significant concern.

