Cybersecurity researchers are issuing a warning that malicious actors are actively exploiting an unpatched and “disputed” vulnerability in the Anyscale Ray open-source artificial intelligence (AI) platform in order to commandeer computing power for the purpose of illicit cryptocurrency mining.

“This vulnerability permits attackers to seize control of the organization’s computing resources and expose sensitive information,” Oligo Security researchers Avi Lumelsky, Guy Kaplan, and Gal Elbaz disclosed on Tuesday.

CISA warns of active hacker activity targeting a Microsoft SharePoint vulnerability.

“This flaw has been under active exploitation for the last seven months, affecting sectors like education, cryptocurrency, biopharma, and more.”

Codenamed ShadowRay, the Israeli application security firm has been monitoring the campaign since September 2023. Furthermore, it marks the first time that vulnerabilities in the AI infrastructure itself have publicly compromised AI workloads.

Ray is a fully managed, open-source computation framework that enables enterprises to construct, train, and expand Python and AI workloads. The ML platform includes a collection of AI libraries and a core distributed runtime.

Prominent organizations such as OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others, utilize it.

The critical missing authentication flaw in question is CVE-2023-48022 (CVSS score: 9.8), which grants arbitrary code execution via the job submission API to remote attackers. Bishop Fox documented it in August 2023, along with two additional deficiencies.

Two Ray components, Dashboard and Client, lack authentication controls, according to the cybersecurity firm, which means “unauthorized actors could freely submit jobs, delete existing jobs, retrieve sensitive information, and execute remote commands.”

This enables an endeavor to acquire operating system access to every node in the Ray cluster or retrieve the credentials for a Ray EC2 instance. Anyscale published an advisory in November 2023, stating that the company currently has no plans to address the issue.

“That Ray does not have authentication built in is a long-standing design decision based on how Ray’s security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy,” according to the organization.

According to the documentation, the platform provider must also guarantee that Ray operates in “sufficiently controlled network environments” and that developers have secure access to the Ray Dashboard.

Oligo reported spotting the exploitation of the shadow vulnerability in order to compromise hundreds of Ray GPU clusters, which could have allowed the attackers to obtain a wealth of sensitive credentials and other data from compromised servers.

Google Provides Chrome Users with Enhanced Real-Time URL Protection

The aforementioned items comprise credentials for production databases, private SSH keys, access tokens associated with Slack, Stripe, OpenAI, HuggingFace, and Slack, the capability to taint models, and enhanced privileges to Amazon Web Services, Google Cloud, and Microsoft Azure cloud environments.

Researchers have discovered that attackers used reverse shells and cryptocurrency miners (such as XMRig, NBMiner, and Zephyr) to gain persistent remote access on a significant number of the compromised instances.

ShadowRay’s unidentified assailants have additionally employed the open-source utility Interactsh to evade detection.

“A Ray production cluster represents an enormous reward for attackers,” the researchers stated. “Valuable company data plus remote code execution makes it easy to monetize attacks—aall while remaining in the shadows, totally undetected (and, with static security tools, undetectable).”

source