Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet.
The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave observed between September 2023 and March 2024. The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig. The vulnerability remains unpatched due to a long-standing design decision, consistent with Ray’s development best practices, which requires it to be run in an isolated network and act upon trusted code.
The campaign involves submitting malicious jobs, with commands ranging from simple reconnaissance to complex multi-stage Bash and Python payloads, to an unauthenticated Ray Job Submission API (“/api/jobs/”) on exposed dashboards. The compromised Ray clusters are then used in spray and pray attacks to distribute the payloads to other Ray dashboards, creating a worm that can essentially spread from one victim to another.
The campaign uses GitLab and GitHub to host and deliver the malware. Attackers created repositories with names like “ironern440-group” and “thisisforwork440-ops” to stash their malicious payloads. Both accounts are no longer accessible. However, the cybercriminals have responded to takedown efforts by creating a new GitHub account, illustrating their tenacity and ability to quickly resume operations.
The payloads, in turn, leverage the platform’s orchestration capabilities to pivot laterally to non-internet-facing nodes, spread the malware, create reverse shells to attacker-controlled infrastructure for remote control, and establish persistence by running a cron job every 15 minutes that pulls the latest version of the malware from GitLab to re-infect the hosts. The threat actors “have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters,” researchers Avi Lumelsky and Gal Elbaz said.
The campaign likely uses large language models (LLMs) to generate the GitLab payloads. This assessment is based on the malware’s “structure, comments, and error handling patterns.” The infection chain includes an explicit check for victims located in China; if detected, it delivers a region-specific version of the malware. It’s also designed to eliminate competition by scanning running processes for other cryptocurrency miners and terminating them – a tactic widely adopted by cryptojacking groups to maximize the mining gains from the host.
To evade detection, attackers employ various stealth tactics. These include disguising malicious processes as legitimate Linux kernel worker services and limiting CPU usage to approximately 60%. Investigators believe the campaign may have been active since September 2024.
While Ray is meant to be deployed within a “controlled network environment,” the findings show that users are exposing Ray servers to the internet, opening a lucrative attack surface for bad actors who can identify which Ray dashboard IP addresses are exploitable using the open-source vulnerability detection tool interact.sh. More than 230,500 Ray servers are publicly accessible.
Anyscale, the original developer of Ray, has released a “Ray Open Ports Checker” tool to validate cluster configurations and prevent accidental exposure. Other mitigation strategies include configuring firewall rules to restrict unauthorized access and adding authorization on top of the Ray Dashboard port (8265 by default).
Oligo Security also reported that attackers deployed “sockstress,” a TCP state exhaustion tool, targeting production websites. This suggests that the compromised Ray clusters are not only used for cryptomining but also for denial-of-service (DoS) attacks, potentially against rival mining pools or other infrastructure.
Mitigation Steps
- Utilize Anyscale’s “Ray Open Ports Checker” tool to verify proper cluster configuration and identify accidental exposure.
- Implement robust firewall rules to restrict access to Ray servers from untrusted networks.
- Add an authorization layer on top of the Ray Dashboard port (default 8265) to prevent unauthorized access.
- Regularly review logs for suspicious activity related to Ray Job Submission API calls or unexpected processes.
- Scan for and remove any unauthorized cryptocurrency mining software on your systems that might indicate a ShadowRay 2.0 infection.
Adhering to these measures helps protect Ray deployments from ongoing exploitation.