
ShadowRay 2.0: Self-replicating botnet turns Ray clusters into DDoS weapons

Researchers are tracking a self-replicating botnet campaign, ShadowRay 2.0, that is targeting internet-facing Ray clusters, the open-source distributed computing framework used to run AI and other workloads. The attackers exploit a two-year-old, unpatched vulnerability (CVE-2023-48022) to take control of exposed clusters.

The malware uses the exposed Ray dashboards to submit jobs without authentication, allowing it to spread automatically across clusters worldwide. In addition to cryptomining and data theft, the compromised machines are being used to launch DDoS attacks against external websites and other infrastructure.

Oligo Security researchers describe how the attackers leverage Ray’s orchestration features to pivot to other nodes in the cluster and propagate the payload. The campaign has targeted organizations globally, with clusters running expensive GPUs among the most affected.

“The attackers have turned legitimate cluster management features into tools for a self-propagating operation,” the researchers said. The compromised systems can run jobs across nodes, establish reverse shells, and maintain persistence while keeping CPU usage below 60% to avoid detection.

Despite takedowns on GitLab and GitHub, the operation continues, illustrating its automated nature. With more than 230,000 Ray clusters exposed online, the attack surface is significant.

Mitigation requires limiting access to Ray dashboards, implementing firewall rules, and adding authentication where possible. Anyscale, the original developer of Ray, provides a Ray Open Ports Checker to help identify exposed clusters.
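As an added example of the mitigation just described (this is not code from the article and not Anyscale's Ray Open Ports Checker), the following Python script checks a head node for Ray ports bound to non-loopback addresses and renders an nftables allowlist for them. It assumes Ray's default ports of 8265 (dashboard and Jobs API), 6379 (GCS on the head node) and 10001 (Ray Client server); the `ss -ltn` output it parses is a constructed sample, and the rule set is printed for review rather than applied.

```python
"""
Defender-side exposure check for Ray's default listening ports.

Added example, not from the article and not Anyscale's Ray Open Ports Checker.
Assumptions: Ray defaults of 8265 (dashboard / Jobs API), 6379 (GCS on the
head node) and 10001 (Ray Client server); input is the text of `ss -ltn`
run on the head node. The sample output below is constructed.
"""
import ipaddress
import re

# Ray default ports and what they serve (assumption: stock defaults, not a site config).
RAY_PORTS = {8265: "dashboard / Jobs API", 6379: "GCS (head node)", 10001: "Ray Client server"}

# Constructed sample of `ss -ltn` output: dashboard and GCS are bound to all
# interfaces, while the Ray Client port is loopback-only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8265         0.0.0.0:*
LISTEN  0       4096    *:6379               *:*
LISTEN  0       4096    127.0.0.1:10001      0.0.0.0:*
LISTEN  0       4096    [::]:8080            [::]:*
"""

# Local address column: either "[v6addr]:port" or "addr:port" (addr may be "*").
LOCAL_ADDR_RE = re.compile(r"^(?P<addr>\[[^\]]*\]|[^\s:]+):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = LOCAL_ADDR_RE.match(fields[3])
        if not m:
            continue
        listeners.append((m.group("addr").strip("[]"), int(m.group("port"))))
    return listeners


def is_wildcard_or_public(addr):
    """True when a bind address accepts connections from outside the host."""
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparsable address: flag it so a human reviews it


def exposed_ray_ports(ss_output):
    """Map each Ray port bound to a non-loopback address to a short description."""
    findings = {}
    for addr, port in parse_listeners(ss_output):
        if port in RAY_PORTS and is_wildcard_or_public(addr):
            findings[port] = f"{RAY_PORTS[port]} bound to {addr}"
    return findings


def nft_allowlist_rules(allowed_cidrs, ports=tuple(RAY_PORTS)):
    """
    Render nftables rules admitting the Ray ports only from allowed_cidrs (IPv4)
    and dropping every other source. Returned as text for review, not applied.
    """
    for cidr in allowed_cidrs:
        if ipaddress.ip_network(cidr).version != 4:  # raises ValueError if malformed
            raise ValueError(f"only IPv4 CIDRs are supported here: {cidr}")
    port_set = ", ".join(str(p) for p in sorted(ports))
    cidr_set = ", ".join(allowed_cidrs)
    return "\n".join([
        "table inet ray_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr {{ {cidr_set} }} tcp dport {{ {port_set} }} accept",
        f"    tcp dport {{ {port_set} }} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for port, detail in sorted(exposed_ray_ports(SAMPLE_SS_OUTPUT).items()):
        print(f"EXPOSED {port}: {detail}")
    print(nft_allowlist_rules(["10.0.0.0/8"]))
```

On a real head node, feed the script the live output of `ss -ltn`; anything it reports as exposed on 8265 is a dashboard that accepts unauthenticated job submissions from whoever can reach it, which is exactly the entry point the campaign uses. The generated rules are deliberately narrow (a dedicated table, explicit ports) so they can be reviewed and merged into an existing firewall policy rather than replacing it.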

ShadowRay 2.0 shows that misconfigured compute clusters can be weaponised for DDoS at scale. Organizations running Ray should assume that exposed dashboards will be targeted automatically by this self-replicating botnet.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.

For more information, visit https://fastnetmon.com
