ShadowRay: First Known Attack Campaign Targeting AI Workloads Exploited In The Wild

Oligo Security researchers uncovered ShadowRay, the first known campaign exploiting CVE-2023-48022 to target Ray AI workloads, leading to remote code execution on publicly exposed Ray servers. The widespread impact includes data leakage, credential exposure, and crypto-mining across many industries, with attackers leveraging reverse shells and out-of-band notifications to stay undetected. #ShadowRay #CVE-2023-48022 #Ray #OligoSecurity #Anyscale #Interactsh

Keypoints

ShadowRay marks the first known active exploitation of AI workload infrastructure through a Ray vulnerability (CVE-2023-48022).
CVE-2023-48022 lacks authorization in Ray’s Jobs API, enabling remote code execution and was disputed by the vendor, delaying fixes.
Thousands of publicly exposed Ray clusters were compromised for months, with attackers accessing production workloads, credentials, and secrets.

Production data, database credentials, private keys, and tokens (OpenAI, HuggingFace, Slack, Stripe) were exposed or stolen.

Attacks featured crypto mining (incl. XMRig and Zephyr miners), reverse shells for persistence, and DNS-based out-of-band notification via Interactsh to evade detection.
Mitigation emphasizes securing Ray deployments, adding authorization, firewalling, and avoiding exposure of dashboards to the internet.

IoCs include specific IPs, domains, payload hashes, attacker email, wallet address, and cloud credentials, illustrating broad exfiltration potential.

MITRE Techniques

[T1190] Exploit Public-Facing Application – remote attacker to execute arbitrary code via the job submission API. Quote: ‘remote attacker to execute arbitrary code via the job submission API’
[T1059.004] Unix Shell – attackers run arbitrary commands (including bash) via Ray Jobs API. Quote: ‘including bash commands’
[T1027] Obfuscated/Compressed Files and Information – base64 encoded payload used to evade detection. Quote: ‘base64 encoded payload’
[T1003] OS Credential Dumping – attackers exposed password hashes by reading /etc/shadow. Quote: ‘password hashes … cat /etc/shadow’
[T1550.004] Use of Private Keys – private SSH keys found enabling access to more machines. Quote: ‘Private SSH keys – We have found several private SSH keys that can be used by attackers’
[T1078] Valid Accounts – attackers used credentials/private keys to move laterally among machines. Quote: ‘attackers could connect to more machines’
[T1041] Exfiltration Over C2 Channel – DNS-based exfil via Interactsh (out-of-band notification). Quote: ‘DNS query to a subdomain under oast.fun’

Indicators of Compromise

[IP Address] Reverse Shell Endpoints – 23.146.184.38, 54.176.108.174, and 2 more addresses
[Domain Name] C2/Mining Domains – clo4q41v1v85ed814bogstepb5jwkbxtj.oast.fun, bore.pub, and 5 more domains
[Domain Name] Mining Pool Endpoints – xna.2miners.com, kryptex.network, and 5 more domains
[SHA256 Hash] Reverse Shell Payload Hash – 98f0bf732ebae8f3ba250c02e02a0787a68039caa484e688e0391343eaf0b527, and 1 more
[MD5 Hash] Reverse Shell Payload – f3636232ed136fed658521682f6fa9f4, and 2 more hashes
[SHA1 Hash] Reverse Shell Payload – 8d53ade3599ca39d9ad22d9360834514e9a6c6dc, and 1 more hash
[Email Address] Attacker Email – [email protected]
[Wallet Address] Attacker Wallet – ZEPHYR3KfKQNQrfBwHtsEWyuLn1nzXvjAraxAVBuoKrKFHn3pgtqLqX96h3sWa5kP4Y2i48a4RZnbBQoivU6dQCcFTyTHDofzW55
[Credential] OpenAI Tokens – OpenAI tokens exposed on compromised machines, reported to OpenAI via bug bounty
[Credential] HuggingFace Tokens – tokens granting access to private repositories
[Credential] Slack Tokens – tokens enabling reading/sending Slack messages
[Credential] Stripe Tokens – tokens that could drain payment accounts
[Credential] SSH Keys – private keys found enabling SSH access to other cluster machines