- Ray clusters remain vulnerable to remote code execution via the unauthenticated Jobs API
- Threat group “IronErn440” exploits the flaw with AI-generated payloads to deploy the XMRig cryptojacker
- Over 230,000 Ray servers are exposed online, up from a few thousand in 2023
Ray clusters still vulnerable to a critical severity flaw discovered years ago are being used for cryptocurrency mining, data exfiltration and even Distributed Denial of Service (DDoS) attacks, experts have warned.
Cybersecurity researchers Oligo claim this is the second major campaign to exploit the same flaw.
Ray is an open source framework that helps run Python programs faster by distributing work across multiple machines. Its clusters are groups of computers (a master node and multiple worker nodes) that work together to run Ray tasks and workloads in a distributed and coordinated manner.
Deploying and hiding XMRig
Back in 2023, it was discovered that Ray 2.6.3 and 2.8.0 carried a vulnerability that allowed a remote attacker to execute arbitrary code via the job submission API. However, Anyscale, the company behind the product, did not fix it, as Ray is designed to run in a “strictly controlled network environment”.
In other words – it is up to the users to secure their infrastructure and ensure that the bug is not abused.
But it was abused: first between September 2023 and March 2024, and again today. Oligo says threat actors tracked as “IronErn440” are now using AI-generated payloads to infiltrate vulnerable clusters. By exploiting the flaw, attackers submit jobs to the unauthenticated Jobs API that run multi-stage Bash and Python payloads hosted on GitHub and GitLab.
These payloads deploy malware to the devices, usually the infamous XMRig cryptojacker. Although this cryptojacker is usually easy to detect (as it takes up 100% of the device’s processing power and renders it useless for pretty much anything else), the attackers tried to circumvent this problem by capping it at 60% of the processing power.
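The 60% cap matters for detection because a rule that only fires when a process is pinned near 100% never triggers. The following added example (not from Oligo or the original article) compares such a rule with a check for sustained, flat CPU load; the process names, sample readings and thresholds are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed samples: per-process CPU use (% of host CPU), one reading per minute.
# Process names are hypothetical and chosen only for illustration.
SAMPLES = {
    "ray_train_worker":     [12, 95, 100, 40, 8, 99, 100, 15, 5, 97, 100, 30],
    "nightly_backup":       [0, 0, 0, 85, 90, 88, 0, 0, 0, 0, 0, 0],
    "unthrottled_miner":    [100] * 12,
    "throttled_miner_like": [60, 59, 60, 61, 60, 60, 59, 60, 60, 61, 60, 60],
}

def naive_alert(series, threshold=95.0, min_fraction=0.9):
    """Classic rule: fire when the process sits near 100% for most of the window."""
    hot = sum(1 for s in series if s >= threshold)
    return hot / len(series) >= min_fraction

def longest_busy_run(series, floor):
    """Return the longest consecutive stretch of samples at or above `floor`."""
    best, cur = [], []
    for s in series:
        cur = cur + [s] if s >= floor else []
        if len(cur) > len(best):
            best = cur
    return best

def plateau_alert(series, floor=30.0, max_stdev=3.0, min_len=10):
    """Fire on sustained, flat load: a long busy run with very low spread.

    A CPU-capped miner produces a plateau at the cap, while interactive or
    bursty training workloads swing between idle and full load.
    """
    run = longest_busy_run(series, floor)
    return len(run) >= min_len and pstdev(run) <= max_stdev

def triage(samples):
    """Evaluate both rules for every process in the sample set."""
    return {
        name: {"naive": naive_alert(s), "plateau": plateau_alert(s),
               "mean": round(mean(s), 1)}
        for name, s in samples.items()
    }

if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:22} {result}")
```

Steady legitimate batch jobs also produce plateaus, so treat a hit as a triage signal to correlate with recent job submissions rather than as a verdict.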
Today, more than 230,000 Ray servers are exposed to the Internet, the researchers warned, saying the number has grown significantly from just “a few thousand” when the vulnerability was first discovered.
Via Bleeping Computer



