Security Failure in Ray Framework Leads to Server Breach

 


Attackers are exploiting an unpatched vulnerability in Ray, a widely used open-source AI framework, to gain unauthorized access to servers and hijack their resources. The campaign, dubbed ShadowRay, has been active since September 5, 2023, and affects sectors such as education, cryptocurrency, and biotechnology.

Ray is a free and open-source framework developed by Anyscale that scales AI and Python applications across a cluster of machines for distributed computing tasks. It has over 30,500 stars on GitHub and is used by organizations such as Amazon, Spotify, LinkedIn, Instacart, Netflix, and Uber, as well as OpenAI, which used it to train ChatGPT.

According to security researchers, threat actors are actively exploiting an unpatched vulnerability in Anyscale Ray, an open-source artificial intelligence (AI) platform, to steal computing power and illicitly mine cryptocurrency. The exploitation has reportedly been going on for quite some time.


According to a report from application security firm Oligo, the attacks have been occurring since at least September 5, 2023, and have targeted industries including education, cryptocurrency, and biotechnology. Anyscale describes Ray as an open-source framework for scaling AI and Python workloads across a cluster of machines for distributed computation.

A cybersecurity researcher has warned that attackers may have breached hundreds of companies by targeting Ray, open-source software used to scale artificial intelligence models. As noted above, its users include Amazon, Spotify, LinkedIn, Instacart, Netflix, Uber, and OpenAI, which has used it to train ChatGPT, and the project has accumulated more than 30,500 stars on GitHub.

Active exploitation is underway

As of November 2023, Anyscale had published five Ray vulnerabilities, four of which were fixed: CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023. The fifth, a critical remote code execution flaw tracked as CVE-2023-48022, was left unfixed. According to Anyscale, this was due to a long-standing design decision under which Ray does not provide authentication.

Anyscale stated that the flaw can only be exploited in deployments that do not follow the recommendations in the project's documentation, which specify that Ray must be used only in a strictly controlled network environment.

In addition, Anyscale maintains that these flaws are bugs rather than vulnerabilities, since the platform is designed to execute code in a distributed manner. Even though CVE-2023-48022 was not classified as critical, the lack of authentication gave attackers an opportunity to exploit it in insecure environments, which increased the risk it poses.

Oligo found that CVE-2023-48022 was used to compromise hundreds of exposed Ray servers, giving attackers access to sensitive information such as AI models, environment variables, database credentials, and access tokens for cloud environments. In some cases, the powerful graphics cards installed on the compromised systems were used for cryptocurrency mining.

Other intrusions used reverse shells to establish persistence in the compromised environments, running arbitrary code through Python-based pseudo-terminals. After these findings, Oligo alerted many of the affected companies to the breach and provided remediation assistance.

To secure Ray deployments, enforce firewall rules that prevent unauthorized access, add authorization to the Ray Dashboard port, and monitor continuously for anomalies. Default settings such as binding to 0.0.0.0 should also be avoided, and tools that enhance cluster security should be used.
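
A small audit for the bind-address advice above, as an added example that is not part of the original post or of the Ray project: it classifies `ray start --head` command lines by their `--dashboard-host` value. The sample command lines are constructed, and the fallback port 8265 is an assumption about the dashboard's usual default.

```python
import ipaddress
import shlex

DASHBOARD_PORT_ASSUMED = "8265"  # assumption: the dashboard's usual default port

def _option(argv, name):
    """Return the value given as `--name=value` or `--name value`, else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None

def _binds_all_interfaces(host):
    """True for wildcard addresses such as 0.0.0.0 or ::."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_unspecified
    except ValueError:
        return False  # hostnames such as "localhost" are not wildcard addresses

def audit_ray_start(cmdline):
    """Classify one process command line; None if it is not `ray start --head`."""
    argv = shlex.split(cmdline)
    is_ray = any(a == "ray" or a.endswith("/ray") for a in argv)
    if not is_ray or "start" not in argv or "--head" not in argv:
        return None
    host = _option(argv, "--dashboard-host")
    port = _option(argv, "--dashboard-port") or DASHBOARD_PORT_ASSUMED
    if host is None:
        verdict = "review"      # bind address left implicit: confirm what is in effect
    elif _binds_all_interfaces(host):
        verdict = "exposed"     # reachable on every interface: firewall it and add auth
    else:
        verdict = "restricted"  # bound to one specific address
    return {"host": host, "port": port, "verdict": verdict}

# Constructed sample command lines (not taken from any real host).
SAMPLE_CMDLINES = [
    "/usr/local/bin/ray start --head --dashboard-host=0.0.0.0 --dashboard-port=8265",
    "ray start --head --dashboard-host 127.0.0.1",
    "ray start --head --port=6379",
    "ray start --address=10.0.0.5:6379",   # worker node, not a head node
    "python train.py --head start",        # unrelated process
]

def audit_all(cmdlines=SAMPLE_CMDLINES):
    return [r for r in map(audit_ray_start, cmdlines) if r is not None]

if __name__ == "__main__":
    print(audit_all())
```

A "restricted" verdict only describes the bind address; the firewall rules and dashboard authorization recommended above are still needed.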