ShadowRay

Teacher

Hackers are actively exploiting a vulnerability in the open-source AI framework Ray, the researchers warned. This tool is commonly used for developing and deploying large-scale Python applications designed for tasks such as machine learning, scientific computing, and data processing.

According to official statistics from Ray developer Anyscale, the framework is used by many large companies, including Uber, Amazon, Spotify, LinkedIn, and OpenAI, which uses it for ChatGPT training.

Researchers from the Israeli company Oligo Security found that thousands of publicly available Ray servers around the world were compromised due to the vulnerability CVE-2023-48022, which the company gave the name ShadowRay.

CVE-2023-48022 was discovered back in 2023 (along with four other problems), but initially it was not considered a serious threat, so there was no rush to release patches for it. According to NVD, the bug allows a remote attacker to execute arbitrary code via the Task Submission API, the interface the framework uses to submit computational tasks for execution.

Anyscale claimed that the vulnerability is minor, since Ray "is not intended for use outside of a strictly controlled network environment." According to the company, the detected error and lack of authentication were more likely a well-thought-out design decision, rather than a bug.

Because of the controversy over whether CVE-2023-48022 is a vulnerability at all, the ShadowRay issue never made it into several vulnerability databases. Oligo Security calls it a "shadow vulnerability", as many information security teams around the world did not even know that they could be at risk.

In fact, this bug allows attackers to take control of the computing power of the victim companies and steal confidential data. Among the victims of the attacks on CVE-2023-48022 are organizations from a wide variety of industries, including medical companies, video analytics firms, biopharmaceuticals, as well as elite educational institutions.

At the same time, some of the affected devices were hacked seven months ago, and hackers stole a lot of confidential data through the hacked servers. For example, database access credentials were stolen, which allowed attackers to download complete databases without being noticed. In other cases, attackers may have made changes to the databases or encrypted them using ransomware.

Other stolen information includes password hashes, Stripe and Slack tokens, AI models, environment variables, and so on.

Oligo Security says that a typical AI environment contains "a lot of sensitive information," which makes it an attractive target for hackers. In addition, AI models usually run on expensive and powerful machines, which also makes the computing power they use an excellent target for attackers.

During the analysis, experts found hundreds of compromised GPU clusters, each of which contained many nodes. At times, attackers used some of them to mine cryptocurrencies, installing XMRig, NBMiner, and the Java miner Zephyr on their machines.

The total cost of compromised machines and their computing power is estimated at almost a billion dollars, judging by the compromised clusters discovered by Oligo Security in recent weeks.

Currently, to secure Ray deployments, it is recommended to run them in a secure environment, enforce firewall rules, add authorization to the Ray Dashboard port, and continuously monitor for anomalies. In addition, you should avoid using standard settings, such as binding to 0.0.0.0, and use tools that increase the security level of clusters.