A recent investigation reveals that cybercriminals have exploited Ray, a popular open-source AI framework, redirecting its resources for unauthorized cryptocurrency mining on a global scale. The exploitation targets a security flaw in Ray’s API that allows unauthenticated attackers to execute code remotely, effectively taking control of critical compute infrastructure. Organizations relying on Ray, including startups, research labs, and AI cloud environments, now face increased risk as hackers leverage these powerful systems for personal gain. Despite warnings to secure Ray for internal use, many continue to deploy it on publicly accessible networks, making them easy targets for sophisticated attackers. This ongoing campaign not only impacts operational costs but also threatens the integrity and availability of essential AI technologies.
Incidents involving Ray previously made headlines for similar vulnerabilities, but this campaign marks a shift in both scale and attacker sophistication. Earlier attacks often used direct exploits or common vulnerabilities, whereas current hackers have focused on manipulating Ray’s orchestration features for stealthier and more efficient cryptojacking. The persistence of the underlying flaw (CVE-2023-48022) and a lack of decisive vendor action have intensified the risk, as prior efforts did little to prevent these sophisticated infiltrations. The attackers have demonstrated adaptability, switching development platforms from GitLab to GitHub as earlier actions by security teams forced takedowns, indicating an escalating contest over valuable GPU resources in the cloud.
How Did Attackers Compromise Ray and Its Infrastructure?
Attackers accessed exposed Ray servers by exploiting the Job Submission API, sending fraudulent jobs through Ray’s dashboard to distribute malware. These servers, sometimes cloud-hosted or maintained by research labs and startups, were inadvertently left open to the public. By using Ray’s own scheduling and orchestration tools—technologies originally designed to manage computing resources for AI and data processing—hackers operated largely undetected. Oligo researchers described the technique as using Ray infrastructure as intended but for malicious operations.
What Impact Has the Attack Had on AI Compute Resources?
The cryptojacking campaign has significantly affected those utilizing Ray by diverting premium hardware, particularly NVIDIA A100 GPUs, for unauthorized cryptocurrency mining. Attackers tailored their job submissions to match the available hardware, maximizing gain while evading monitoring tools. Competition between cybercriminal groups and legitimate users over compute resources was observed, with techniques like CPU usage limiting and process disguise employed to avoid detection.
How Are Platforms and Vendors Responding to Security Concerns?
Platforms such as GitHub have responded by removing accounts linked to malware activities and affirming their dedication to security. A spokesperson for GitHub stated,
“In response to malicious activity, we have removed the accounts that violate GitHub’s Acceptable Use Policies, which prohibit content that supports malware campaigns.”
However, the core API vulnerability remains unresolved, with the vendor disputing the need for a patch on the grounds that Ray should only run in secured networks. Oligo researchers emphasize that this advice is frequently overlooked:
“In practice however, users often deploy Ray without heeding this warning, which creates an extended window for exploitation, evidenced by its continued and expanded weaponization by attackers in the wild.”
Evidence uncovered by researchers suggests the attackers have used obfuscation tools and code generated by Large Language Models to further mask their activities. Their adaptability is seen in their migration from one development platform to another, as previous repositories were removed after being flagged for malicious activity. Despite these countermeasures, the campaign continues, highlighting the difficulties of safeguarding widely adopted open-source environments like Ray against persistent, coordinated threats.
Organizations operating AI infrastructure dependent on open platforms such as Ray should closely evaluate their internal deployment practices and avoid exposing sensitive interfaces to the public internet. While Ray’s vendor maintains the system is intended for controlled environments, real-world trends show that misconfiguration continues to present significant opportunities for attackers. Efforts to fully patch vulnerabilities or provide more robust defaults could reduce future risks, but responsibility also falls on users to mitigate exposure through network segmentation and vigilant monitoring. The ongoing incidents underscore the growing tension between rapid AI adoption and the challenges of maintaining adequate cybersecurity in high-performance computing environments.
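As an added example (not code from the article, the researchers, or the Ray project), the following Python script audits `ray start` launch commands for a dashboard, and with it the Job Submission API, bound beyond loopback. It assumes the `--dashboard-host` and `--dashboard-port` options with defaults of 127.0.0.1 and 8265; the helper names and the sample commands are constructed for illustration.

```python
import ipaddress
import shlex

DEFAULT_HOST = "127.0.0.1"  # ray start default: dashboard on localhost only
DEFAULT_PORT = "8265"       # default dashboard / Jobs API port

def option(tokens, name, default):
    """Value of an option written as '--name value' or '--name=value'."""
    value = default
    for i, tok in enumerate(tokens):
        if tok == name and i + 1 < len(tokens):
            value = tokens[i + 1]
        elif tok.startswith(name + "="):
            value = tok.split("=", 1)[1]
    return value

def classify_bind(host):
    """Map a dashboard bind address to an exposure level."""
    host = DEFAULT_HOST if host == "localhost" else host
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "review"          # a hostname: resolve and check by hand
    if addr.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 or ::, listens on every NIC
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"

def audit(command_line):
    """Return (host, port, exposure) for a head-node launch, else None."""
    tokens = shlex.split(command_line)
    if "start" not in tokens or "--head" not in tokens:
        return None              # the dashboard runs on the head node
    host = option(tokens, "--dashboard-host", DEFAULT_HOST)
    port = int(option(tokens, "--dashboard-port", DEFAULT_PORT))
    return host, port, classify_bind(host)

# Constructed launch commands, not taken from any real deployment.
SAMPLES = [
    "ray start --head",
    "ray start --head --dashboard-host=0.0.0.0 --dashboard-port 8265",
    "ray start --head --dashboard-host 10.0.4.17",
    "ray start --address=10.0.4.17:6379",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(audit(cmd), "<-", cmd)
```

A "loopback" or "private" result does not rule out exposure through a reverse proxy, port forward, or cloud load balancer, so pair this check with a review of firewall and security-group rules for the dashboard port.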
