Cybersecurity experts are warning of active exploitation of a critical vulnerability in Anyscale Ray, an open-source artificial intelligence (AI) platform. Malicious actors are using the unpatched flaw to commandeer computing resources for unauthorized cryptocurrency mining. The vulnerability, tracked as CVE-2023-48022, has a CVSS score of 9.8 and stems from a lack of authentication that lets attackers execute arbitrary code via the job submission API.
In a recent disclosure, researchers from Oligo Security, including Avi Lumelsky, Guy Kaplan, and Gal Elbaz, emphasized the severity of the exploitation, which has reportedly been ongoing since September 2023. The campaign, dubbed ShadowRay, marks a new kind of threat in which AI workloads are specifically targeted through weaknesses in their supporting infrastructure. Institutions across various sectors, including education, biopharma, and cryptocurrency, have found themselves at risk.
Anyscale Ray is widely adopted by prominent organizations such as OpenAI, Uber, and Netflix, illustrating the platform’s critical role in modern AI and Python workloads. The reported vulnerability allows intruders to gain unfettered control over computing power and sensitive information, putting confidential data and operational integrity at risk. According to Oligo, the attacks have breached numerous Ray GPU clusters, potentially granting adversaries access to production database credentials, SSH keys, and access tokens from numerous third-party services.
Exploitation is possible because key components of Ray, specifically the Dashboard and Client interfaces, have no authentication controls. Unauthorized actors exploit these weaknesses to submit jobs, retrieve classified information, and execute remote commands, which can give them access to the operating system across the entire Ray cluster. Anyscale has stated that it has no immediate plans to fix the vulnerability. The company has historically designed Ray without built-in authentication, which, while a strategic choice, raises concerns given the evolving threat landscape.
Continued monitoring has revealed that threat actors employ a variety of methods, including deploying cryptocurrency miners and reverse shells, to maintain persistent remote access to compromised systems. Moreover, attackers leverage open-source tools such as Interactsh, allowing them to operate with reduced visibility within victim networks. The researchers indicate that gaining access to a Ray production cluster can be particularly advantageous for attackers, providing a combination of valuable data and operational autonomy to monetize the attacks without being easily detected.
In response to these concerns, Anyscale has developed a tool called the Ray Open Ports Checker, aimed at helping organizations ascertain whether their clusters are vulnerable to unauthorized access. This open-source utility aids users in ensuring their configurations are secure, although it remains to be seen how effectively it can mitigate exploitation risks. Anyscale has further announced its intention to incorporate enhanced security measures into future versions of Ray, with a particular emphasis on authentication.
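A host-side check in the same spirit as the exposure check described above, as an added example (it is not Anyscale's Ray Open Ports Checker and not code from the article): it flags Ray Dashboard and Client listeners bound beyond loopback. The port numbers 8265 and 10001 are assumed Ray defaults, and the `ss` output is a constructed sample.

```python
import ipaddress

# Assumption: Ray's default ports; the article does not state them.
RAY_PORTS = {8265: "Dashboard / Jobs API", 10001: "Ray Client"}

# Constructed sample of `ss -H -ltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8265 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10001 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:8265 [::]:*
LISTEN 0 128 *:10001 *:*
LISTEN 0 128 10.0.3.7:6379 0.0.0.0:*
"""

def bind_scope(host):
    """Return None for loopback-only binds, else a description of the bind."""
    host = host.strip("[]").split("%")[0]  # drop brackets and interface scope
    if host in ("*", ""):
        return "all interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return None
    return "all interfaces" if ip.is_unspecified else f"interface {ip}"

def audit(ss_output, ports=RAY_PORTS):
    """List (port, component, scope) for Ray listeners bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        scope = bind_scope(host)
        if scope:
            findings.append((int(port), ports[int(port)], scope))
    return findings

if __name__ == "__main__":
    for port, component, scope in audit(SAMPLE_SS):
        print(f"Ray {component} on port {port} listens on {scope}: "
              "restrict to loopback or a firewalled network")
```

A non-loopback bind is not proof of internet exposure, since a firewall or security group may still block the port, but each finding marks an unauthenticated interface that depends entirely on network controls.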
This incident underlines significant cybersecurity risks faced by entities operating with advanced AI frameworks. As businesses increasingly adopt AI technologies, understanding vulnerabilities and implementing robust security protocols becomes paramount. The actions of the threat actors in the ShadowRay campaign reflect tactics defined in the MITRE ATT&CK framework, including initial access through insufficient authentication and privilege escalation via successful exploitation of system components. Ensuring that these AI-driven systems run within adequately secured environments is essential for protecting sensitive data and maintaining operational continuity.