Cybersecurity researchers warn that threat actors are actively exploiting a "disputed" and unpatched vulnerability in an open source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illicit cryptocurrency mining.
"This vulnerability allows attackers to take over companies' computing power and exfiltrate sensitive data," said Oligo Security researchers Avi Lumelsky, Guy Kaplan and Gal Elbaz. saying in a release on Tuesday.
"This flaw has been under active exploitation for the past seven months, affecting sectors such as education, cryptocurrency, biopharma, and more."
The campaign, ongoing since September 2023, is codenamed shadowray by the Israeli application security company. It also marks the first time that AI workloads have been attacked in the wild due to deficiencies underpinning the AI infrastructure.
Lightning is a open source and fully managed computing framework enabling organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of AI libraries to simplify the ML platform.
It is used by some of the biggest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others.
The security vulnerability in question is CVE-2023-48022 (CVSS Score: 9.8), a critical missing authentication bug that allows remote attackers to execute arbitrary code via the Job Submission API. Bishop Fox reported this along with two other failures in August 2023.
The cybersecurity company said that the lack of authentication controls in two Ray components, Dashboard and Client, could be due exploited by "unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information, and achieve remote command execution."
This makes it possible to gain OS access to all nodes in the Ray cluster or attempt to retrieve the credentials of the Ray EC2 instance. Anyscale, in an advisory published in November 2023, said it does not plan to fix the issue at this time.
"Ray not having built-in authentication is a long-standing design decision based on how Ray's security boundaries are drawn and is consistent with Ray implementation best practices, although we intend to offer authentication in a future release such as part of a defense. -Depth strategy", the company noted.
Also precautions in its documentation that it is the platform provider's responsibility to ensure that Ray runs in "sufficiently controlled network environments" and that developers can access Ray Dashboard securely.
Oligo said it observed the shadow vulnerability being exploited to breach hundreds of Ray GPU clusters, potentially allowing threat actors to get their hands on a trove of sensitive credentials and other information from the compromised servers.
This includes production database passwords, private SSH keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments from Amazon Web Services, Google Cloud, and Microsoft Azure.
In many of the cases, it has been discovered that the infected instances were hacked with cryptocurrency miners (e.g., XMRig, NBMiner, and Zephyr) and reverse shells for persistent remote access.
The unknown attackers behind ShadowRay also used an open source tool called Interact fly under the radar.
"When attackers get their hands on a Ray production cluster, it's a jackpot," the researchers said. "Valuable enterprise data, plus remote code execution, make it easy to monetize attacks, all while remaining in the shadows, completely unnoticed (and, with static security tools, undetectable)."
