ShadowRay 2.0 is the new guise for ongoing cyberattacks targeting the Ray open-source artificial intelligence (AI) framework. Security researchers at Oligo Security have identified a sophisticated campaign that weaponizes vulnerable Ray clusters, particularly those utilizing NVIDIA GPUs, to establish a self-replicating cryptocurrency mining botnet. The primary vulnerability being exploited, CVE-2023-48022, carries a critical CVSS score of 9.8, highlighting its severe impact.
These attacks evolve from previous waves observed between September 2023 and March 2024, with the attackers leveraging a critical unauthenticated API endpoint to gain control of susceptible Ray cluster instances. Their ultimate goal is to hijack computing power for illicit mining of Monero (XMR) using the XMRig miner. This persistent threat underscores the need for enhanced security awareness and proactive measures within the cloud computing ecosystem.
ShadowRay 2.0: Exploiting a Two-Year-Old Ray Framework Vulnerability
The core of the ShadowRay 2.0 campaign hinges on the exploitation of a two-year-old security flaw, CVE-2023-48022, which stems from the absence of any authentication on the Ray Job Submission API. By submitting malicious jobs to unauthenticated Ray dashboards, attackers can inject commands ranging from initial reconnaissance to complex, multi-stage Bash and Python payloads. This attack vector turns a legitimate infrastructure management tool into a potent weapon for unauthorized resource utilization.
The vulnerability remains unpatched due to a deliberate design choice within Ray’s development practices, which assumes operation within an isolated, trusted network environment. This fundamental assumption, while fostering flexibility, creates an exploitable attack surface when deployments deviate from these best practices and expose Ray servers to the public internet.
A Self-Propagating Cryptocurrency Mining Botnet
The attackers employ a clever, worm-like strategy to spread their malicious payload. Once a Ray cluster is compromised, the attackers use its orchestration capabilities to spray the malicious payloads at other exposed Ray dashboards. This allows the malware to propagate autonomously from one victim to the next, creating a rapidly expanding network of compromised machines.
Further complicating matters, the threat actors have demonstrated remarkable resilience and adaptability. They initially hosted their malware in GitLab and GitHub repositories with deceptive names like “ironern440-group”; those accounts have since been taken down. However, the cybercriminals responded swiftly by creating new GitHub accounts, demonstrating their commitment to maintaining operational continuity.
Once inside a compromised system, the payloads leverage Ray’s legitimate orchestration features to achieve several critical objectives. These include lateral movement to non-internet-facing nodes, further malware propagation, the establishment of reverse shells for attacker-controlled remote access, and robust persistence mechanisms. A cron job, configured to run every 15 minutes, periodically pulls the latest malware version from GitLab, ensuring that compromised hosts remain infected even after remediation attempts.
Sophisticated Evasion and Regional Targeting
Researchers Avi Lumelsky and Gal Elbaz noted that the threat actors have effectively weaponized Ray’s legitimate orchestration features, turning them into tools for a “self-propagating, globally cryptojacking operation.” Evidence suggests the attackers may have employed large language models (LLMs) in the creation of their GitLab payloads, given the malware’s structural characteristics, embedded comments, and error-handling patterns.
A particular point of interest in the infection chain is an explicit check to determine if the victim is located within China. If so, a region-specific version of the malware is deployed. Furthermore, the attackers actively eliminate competition by scanning for and terminating other cryptocurrency mining processes running on the infected hosts, a common tactic employed to maximize mining profits.
The campaign also exhibits sophisticated evasion techniques, including disguising malicious processes as legitimate Linux kernel worker services and deliberately limiting CPU usage to approximately 60%. This subtle approach aims to avoid detection by system administrators and security monitoring tools, allowing the cryptojacking operation to persist undetected. It is estimated that this campaign may have been active since September 2024.
Exposed Ray Servers: A Lucrative Attack Surface
Despite Ray’s intended deployment within controlled network environments, a significant number of users are exposing Ray servers directly to the internet. Oligo Security’s research identified over 230,500 publicly accessible Ray servers, presenting a vast and lucrative attack surface for malicious actors. The open-source vulnerability detection tool interact.sh has been instrumental in identifying these exploitable Ray dashboard IP addresses.
This widespread exposure creates a fertile ground for threat actors to establish their cryptojacking operations. The ability to compromise these systems en masse, coupled with the self-propagating nature of the malware, allows for rapid scaling of illicit cryptocurrency mining activities.
Wider Implications and Mitigation Strategies
Beyond cryptojacking, the compromised Ray clusters are being weaponized for additional malicious purposes. Oligo Security observed the deployment of “sockstress,” a TCP state exhaustion tool, targeting production websites. This indicates that the compromised Ray clusters are being repurposed for denial-of-service (DoS) attacks, potentially against competing mining pools or other critical infrastructure.
This expansion transforms the operation into a multi-purpose botnet, offering attackers additional monetization vectors. They can rent out DDoS capacity or use it to eliminate rivals. The targeting of port 3333, commonly used by mining pools, strongly suggests attacks aimed at disrupting or undermining rival mining infrastructure.
Anyscale, the original developer of Ray, has released a “Ray Open Ports Checker” tool to assist users in validating their cluster configurations and prevent accidental exposure. Additional mitigation strategies recommended by security experts include implementing stringent firewall rules to restrict unauthorized access and enforcing authentication on the Ray Dashboard port (defaulting to 8265). Proactive network segmentation and security hardening remain paramount in protecting against such sophisticated threats.
The ongoing evolution of ShadowRay 2.0 highlights the dynamic nature of cyber threats within cloud computing environments. As attackers continue to discover and exploit vulnerabilities, users of open-source frameworks like Ray must remain vigilant and prioritize robust security practices. The potential for these compromised clusters to evolve into fully-fledged multi-purpose botnets underscores the need for continuous monitoring and rapid response to emerging threats.