ShadowRay 2.0: How Ray Cluster Flaws Fueled a Cryptomining Botnet
Executive Summary
In June 2024, cybersecurity researchers identified a coordinated global attack campaign dubbed ShadowRay 2.0 targeting exposed Ray clusters—open-source distributed computing environments widely used in AI and machine learning workloads. Attackers exploited an unpatched remote code execution vulnerability in Ray's dashboard service, gaining unauthorized access to cloud and on-premises clusters. Once inside, adversaries deployed self-spreading cryptomining malware, turning infected clusters into part of a large-scale botnet that harnessed high-performance compute resources for illicit cryptocurrency mining, causing potential performance degradation, elevated cloud bills, and risk of further lateral movement.
This campaign demonstrates the growing threat surface posed by AI and data infrastructure, as adversaries increasingly automate the exploitation of software supply chain and configuration weaknesses. The incident highlights the urgency of securing east-west traffic, enforcing least privilege, and maintaining continuous vulnerability management in distributed and cloud-native environments.
Why This Matters Now
With the rapid adoption of AI platforms and distributed compute solutions like Ray, exposed management interfaces and poor segmentation are becoming a prevalent avenue for large-scale, automated attacks. Organizations must act immediately to secure cloud-native and research workloads as attackers shift focus to these high-value resources, which often lack hardened security controls.
Attack Path Analysis
Attackers exploited an exposed Ray cluster vulnerability for initial access, gaining remote code execution on cloud resources. They escalated privileges within the compromised environment to gain greater control over workloads. Subsequently, the adversaries moved laterally to discover and compromise additional nodes and clusters. The threat actors established command and control channels to orchestrate cryptomining payload deployment and coordinate botnet activity. While exfiltration of sensitive data is not confirmed, outbound traffic patterns emerged as cryptomining operations communicated with external mining pools. The primary impact was unauthorized cryptomining, service disruption, and resource theft within affected cloud environments.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited an unpatched code execution flaw in internet-exposed Ray clusters to gain unauthorized access.
Related CVEs
CVE-2023-48022
CVSS 9.8Anyscale Ray versions 2.6.3 and 2.8.0 allow remote attackers to execute arbitrary code via the job submission API due to lack of authentication.
Affected Products:
Anyscale Ray – 2.6.3, 2.8.0
Exploit Status:
exploited in the wildCVE-2025-34351
CVSS 9.8Anyscale Ray version 2.52.0 has an insecure default configuration where token-based authentication for management interfaces is disabled, allowing remote code execution.
Affected Products:
Anyscale Ray – 2.52.0
Exploit Status:
exploited in the wildCVE-2025-62593
CVSS 9.4Ray AI Compute Engine versions prior to 2.52.0 contain a remote code execution vulnerability exploitable via Firefox and Safari browsers through DNS rebinding attacks.
Affected Products:
Ray-project Ray – < 2.52.0
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
Exploitation of Remote Services
Resource Hijacking
Account Manipulation
Impair Defenses
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Applications Protection
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Workload Security and Segmentation
Control ID: Workload Pillar - Verify and Secure Workloads
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(f)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Ray cluster infrastructure widely used in ML/AI operations faces cryptomining botnet exploitation, requiring enhanced Kubernetes security and east-west traffic monitoring.
Computer Software/Engineering
Distributed computing frameworks vulnerable to ShadowRay attacks through unpatched code execution flaws, demanding improved segmentation and threat detection capabilities.
Financial Services
High-performance computing environments for trading and analytics exposed to cryptomining botnets, necessitating zero trust segmentation and compliance with regulatory frameworks.
Health Care / Life Sciences
Research computing clusters processing sensitive data vulnerable to lateral movement attacks, requiring HIPAA-compliant encryption and anomaly detection systems.
Sources
- New ShadowRay attacks convert Ray clusters into crypto minershttps://www.bleepingcomputer.com/news/security/new-shadowray-attacks-convert-ray-clusters-into-crypto-miners/Verified
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnethttps://thehackernews.com/2025/11/shadowray-20-exploits-unpatched-ray.htmlVerified
- Ray has arbitrary code execution via jobs submission API · CVE-2023-48022 · GitHub Advisory Database · GitHubhttps://github.com/advisories/GHSA-6wgj-66m2-xxp2Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, microsegmentation, network policy enforcement, threat detection, and container/network-specific controls would have substantially limited the attack progression by containing east-west propagation, enforcing least-privilege, and blocking malicious command-and-control traffic and cryptomining activity.
Control: Cloud Firewall (ACF)
Mitigation: Ingress filtering would have blocked exploitation attempts to the Ray cluster endpoints.
Control: Zero Trust Segmentation
Mitigation: Context-aware policies would limit privilege escalation by isolating workload access based on role.
Control: East-West Traffic Security
Mitigation: Lateral movement would have been detected or blocked between clusters or nodes.
Control: Inline IPS (Suricata)
Mitigation: Malicious C2 traffic signatures would be detected and/or blocked in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound unauthorized traffic to mining pools is blocked.
Suspicious resource usage or anomalous workload behaviors are rapidly detected and remediated.
Impact at a Glance
Affected Business Functions
- AI Compute Operations
- Data Processing
- Research and Development
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive AI models, proprietary algorithms, and research data due to unauthorized access and code execution.
Recommended Actions
Key Takeaways & Next Steps
- • Audit and restrict inbound access to all cloud workloads, using cloud-native firewalls and strict network policies.
- • Enforce zero trust segmentation at the workload and namespace level, minimizing east-west movement and privilege inheritance.
- • Deploy inline IPS and threat detection to actively monitor and block C2, cryptomining, and anomalous east-west communications.
- • Implement robust egress controls and URL/domain allow-lists to prevent outbound communications to malicious mining pools.
- • Continuously monitor cloud resource utilization for anomalies and automate response procedures to contain and remediate threats.
