New ShadowRay Campaign Targets Ray AI Framework in Global Attack

An unpatched vulnerability is exposing the Ray AI framework to the “ShadowRay” attack!
New ShadowRay Campaign Targets Ray AI Framework in Global Attack

Discover the ShadowRay campaign exploiting CVE-2023-48022 in the Ray AI framework, risking thousands of companies. Attackers hijack resources, mine crypto, and steal data, impacting education, finance, and healthcare. Major users include Uber, Amazon, and Netflix – Urgent patch advised.

Recent revelations from the Oligo research team have shed light on a troubling development in cybersecurity. Dubbed “ShadowRay” by the researchers, it represents the first documented instance of an active attack campaign targeting AI workloads within the widely utilized Ray open-source AI framework.


The core of the issue lies in a critical vulnerability, known as CVE-2023-48022, which has been a subject of contention and remains unpatched. This vulnerability exposes thousands of companies and their AI infrastructure to exploitation, allowing malicious actors to hijack computing resources and potentially leak sensitive data.

Shockingly, this security vulnerability has been actively exploited for the past seven months, impacting various sectors including education, cryptocurrency, and biopharma.

According to the technical findings stated in Oligo Security’s blog post shared with ahead of publication on Tuesday, the exploit has led to the compromise of numerous Ray servers worldwide.

These compromised machines, some of which have been under attack for over half a year, pose a significant threat to the integrity and security of sensitive data. Attackers have been able to obtain valuable insights from command history stored on these machines, potentially exposing critical production secrets.

“As of now, Oligo has found hundreds of compromised clusters. Each cluster consists of many nodes, which are machines connected to the cluster over the network. Most nodes have GPUs, which are leveraged by attackers for cryptocurrency mining, making this infrastructure an even bigger target for attacks. In other words, attackers choose to compromise these machines not only because they can obtain valuable sensitive information, but because GPUs are very expensive and difficult to obtain, especially these days.”

Oligo Security

Who Uses Ray?

Currently, Ray boasts 30,000 stars on GitHub, indicating a feature enabling users to bookmark repositories of interest or utility, akin to “liking” content on social media platforms.

Furthermore, Ray finds application in production environments across some of the globe’s leading organizations, such as Ant Group, an affiliate company of the Chinese conglomerate Alibaba Group, Uber, Amazon, LinkedIn, Doordash, Netflix, Spotify, Pinterest, and OpenAI, etc.

Expert Weighing In

John Bambenek, President at Bambenek Consulting, emphasized the inherent challenges in defending against such attacks, particularly within AI environments. He highlighted the ongoing struggle to establish robust threat detection mechanisms, noting that the current landscape lacks comprehensive visibility. With attackers increasingly targeting data-rich environments, the need for proactive measures to safeguard AI workloads has never been more pressing.

AI has been sprung on environments and we are still struggling with getting basic frameworks in place to start detecting threats and attacks. We have pieces, however, there is no way to know if this is the first attack as we still lack a notion of how to get complete visibility. That said, it’s clear attackers know full well this is a blind spot and anything with lots of data will be attractive targets.

As organizations grapple with the implications of ShadowRay, caution and proactive security measures are important. The Oligo research team has urged all entities utilizing Ray to conduct thorough reviews of their environments, identify any potential vulnerabilities, and remain vigilant for signs of suspicious activity.

In today’s world, where data is incredibly valuable, it’s more crucial than ever to protect against the constantly changing dynamics of cybersecurity threats.

  1. NIST Cybersecurity Framework 2.0: Guide for All Orgs
  2. AI Scams, Human Trafficking Fuel Global Cybercrime Surge
  3. Linux, Windows, macOS Hit By “Alchimist” Attack Framework
  4. ChatGPT Plugins Exposed to Critical Flaws, Risked User Data
  5. Flaws in QuickBlox Framework Expose Millions of User Records
Related Posts