- Ray clusters remain vulnerable to remote code execution via unauthenticated Jobs API
- Threat group “IronErn440” exploits the flaw using AI-generated payloads and deploys the XMRig cryptojacker.
- More than 230,000 Ray servers are exposed online, compared to a few thousand in 2023
Ray clusters, still vulnerable to a critical severity flaw discovered years ago, are being used for cryptocurrency mining, data exfiltration and even distributed denial of service (DDoS) attacks, experts have warned.
Cybersecurity researchers at Oligo say this is the second major campaign to exploit this same flaw.
Ray is an open source framework that allows Python programs to run faster by distributing work across multiple machines. Its clusters are groups of computers – a master node and several worker nodes – that work together to run Ray tasks and workloads in a distributed and coordinated manner.
Deploy and hide XMRig
In 2023, Ray 2.6.3 and 2.8.0 were discovered to have a vulnerability that allowed a remote attacker to execute arbitrary code via the job submission API. However, Anyscale, the company behind the product, has not fixed the problem, since Ray is designed to operate in a “strictly controlled network environment.”
In other words, it is up to users to secure their infrastructure and ensure that the flaw is not abused.
But abused it was: first between September 2023 and March 2024, and again today. Oligo claims that malicious actors identified as “IronErn440” are now using AI-generated payloads to infiltrate vulnerable clusters. By exploiting the bug, attackers submit jobs to the unauthenticated Jobs API, executing multi-stage Bash and Python payloads hosted on GitHub and GitLab.
These payloads deploy malware on devices – usually the notorious XMRig cryptojacker. Although this cryptojacker is usually easily spotted (since it consumes 100% of the device’s processing power and renders it useless for virtually everything else), attackers have attempted to get around this by capping it at 60% of the processing power.
Today, more than 230,000 Ray servers are exposed to the Internet, researchers warn, saying the number has increased significantly from the “few thousand” that were available when the vulnerability was first discovered.
Via BleepingComputer




