
ShadowRay Campaign Targets AI Infrastructure: A Practical Guide to Securing Compute Clusters Against Missing Authentication Flaws

On March 27, 2024, application security firm Oligo publicly disclosed a widespread campaign dubbed ShadowRay, in which attackers systematically exploited a missing authentication vulnerability in the Ray AI framework to compromise hundreds of compute clusters worldwide. The campaign, active since at least September 2023, represents the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in modern AI infrastructure. For the cryptocurrency and Web3 sector, where AI-driven trading, analytics, and infrastructure monitoring are increasingly common, the implications demand immediate attention.

The Threat Landscape

The vulnerability, tracked as CVE-2023-48022, carries a CVSS score of 9.8 out of 10. It exists because the open-source Ray compute framework does not enforce authentication in its default configuration and does not support any authorization model. Ray, maintained by Anyscale, is widely used to scale compute-intensive AI workloads and has been used to train models at organizations including OpenAI, Amazon, Shopify, and LinkedIn. With Bitcoin hovering around $69,455 and the broader crypto market capitalization exceeding $2.6 trillion, the economic incentive for attackers to compromise AI-powered crypto infrastructure has never been greater.

The ShadowRay campaign exploited Ray’s job submission API, allowing anyone with dashboard network access to submit arbitrary system commands without credentials. Attackers used this access to deploy cryptominers including XMRig, NBMiner, and Java-based Zephyr miners on compromised clusters. They also exfiltrated database credentials, SSH keys, OpenAI and HuggingFace API tokens, and Stripe payment keys. Many clusters ran with root privileges, giving attackers unfettered access to sensitive cloud services and customer data.

What makes this vulnerability particularly insidious is that Anyscale disputes it. The company classifies the lack of authentication as an intentional design decision, arguing that users are responsible for enforcing security outside the cluster. This dispute means CVE-2023-48022 has no patch, does not appear in many vulnerability scanners, and is invisible to standard security tools like static application security testing and software composition analysis.

Core Principles

Securing AI infrastructure against missing authentication vulnerabilities requires a defense-in-depth approach built on several core principles. First, assume that any network-accessible service without authentication will eventually be discovered and exploited. The ShadowRay attackers began their campaign in September 2023, two months before CVE-2023-48022 was publicly disclosed in November. Attackers routinely scan the internet for exposed services, and the absence of authentication is a beacon.

Second, never rely solely on vendor classification of vulnerabilities. Anyscale may consider the missing authentication a feature, but the hundreds of compromised clusters demonstrate that in practice, it functions as a critical vulnerability. Organizations must conduct their own threat modeling rather than outsourcing risk assessment entirely to software maintainers.

Third, implement network segmentation as a non-negotiable baseline. AI compute clusters should never be directly exposed to the public internet. They should reside in isolated network segments accessible only through authenticated VPN connections, bastion hosts, or zero-trust network access solutions.

Tooling and Setup

Organizations running AI workloads should implement the following security stack immediately. Deploy network firewalls that explicitly block inbound access to Ray dashboard ports from all external IP addresses. Use Kubernetes network policies if running Ray in containerized environments, restricting pod-to-pod communication to only what is necessary. Enable audit logging for all API calls to Ray clusters, and forward those logs to a security information and event management system for real-time alerting on suspicious activity.
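One way to run the firewall check described above, as an added example that is not from the original article or from the Ray project: it flags allow rules that let non-internal sources reach the dashboard port, including wide port ranges that cover it incidentally. The rule schema and sample rules are constructed; 8265 is Ray's default dashboard port, so change it if your deployment overrides it.

```python
import ipaddress

# Ray's default dashboard / job-submission port; adjust if overridden.
RAY_DASHBOARD_PORT = 8265

# Address space treated as internal. Listed explicitly because
# ipaddress's is_private flag also covers reserved and documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]

# Constructed allow-rules in a simplified, hypothetical schema
# (not any cloud provider's export format).
SAMPLE_RULES = [
    {"id": "r1", "cidr": "0.0.0.0/0",      "ports": (8000, 9000)},
    {"id": "r2", "cidr": "10.20.0.0/16",   "ports": (8265, 8265)},
    {"id": "r3", "cidr": "203.0.113.0/24", "ports": (8265, 8265)},
    {"id": "r4", "cidr": "0.0.0.0/0",      "ports": (443, 443)},
    {"id": "r5", "cidr": "::/0",           "ports": (1, 65535)},
    {"id": "r6", "cidr": "192.168.0.0/15", "ports": (8265, 8265)},
]

def is_internal(cidr):
    """True only if the whole source range sits inside internal space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i)
               for i in INTERNAL_NETS)

def exposed_rules(rules, port=RAY_DASHBOARD_PORT):
    """Return (rule id, source CIDR, reason) for rules exposing `port`."""
    findings = []
    for rule in rules:
        low, high = rule["ports"]
        if not (low <= port <= high):
            continue                      # rule does not cover the port
        if is_internal(rule["cidr"]):
            continue                      # source is confined to internal space
        reason = "explicit" if low == high == port else "covered by wide range"
        findings.append((rule["id"], rule["cidr"], reason))
    return findings

if __name__ == "__main__":
    for rule_id, cidr, reason in exposed_rules(SAMPLE_RULES):
        print(f"{rule_id}: {cidr} can reach port {RAY_DASHBOARD_PORT} ({reason})")
```

Rule r6 is flagged because the /15 supernet extends past 192.168.0.0/16 into public address space, a mistake that a check for a private-looking prefix alone would miss.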

For teams running crypto-focused AI workloads such as algorithmic trading bots or on-chain analytics engines, the stakes are even higher. Compromised clusters can leak proprietary trading strategies, API keys to exchanges, and wallet private keys. Implement secret management solutions like HashiCorp Vault or AWS Secrets Manager to handle credentials, and ensure that AI workloads never have direct access to high-value keys.

Anyscale released a client-side verification script following the Oligo disclosure, which can help identify Ray deployments with potentially exposed ports. However, the tooling is not guaranteed to find all exposed instances, so manual verification remains essential.

Ongoing Vigilance

Security is not a one-time setup but a continuous process. Regularly audit all AI infrastructure for exposed services, outdated dependencies, and misconfigured access controls. Monitor your clusters for cryptocurrency mining activity, which is a sign of compromise. The ShadowRay attackers installed XMRig miners, which consume CPU and GPU resources and can be detected through abnormal resource utilization patterns.

Implement runtime security monitoring using tools like Falco or Tetragon to detect unexpected process execution, network connections, and file access within your cluster environments. These tools can alert on the exact behaviors exhibited during the ShadowRay campaign, such as the execution of shell commands from the Ray job submission API or outbound connections to known mining pools.
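The process-lineage logic behind such a runtime rule, sketched in Python over constructed process-exec events (an added example, not a Falco or Tetragon rule and not from the original article). Assumptions: Ray processes show up in telemetry with names starting `ray::` or `raylet`, and the miner markers are simply the tool names the article mentions.

```python
MINER_MARKERS = ("xmrig", "nbminer")   # tool names from the article; binaries may be renamed
SHELLS = {"sh", "bash", "dash"}
RAY_MARKERS = ("ray::", "raylet")      # assumption: how Ray processes are named in telemetry

# Constructed process-exec events; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "raylet",          "cmdline": "raylet"},
    {"pid": 210, "ppid": 100, "comm": "ray::IDLE",       "cmdline": "ray::IDLE"},
    {"pid": 220, "ppid": 100, "comm": "ray::train_task", "cmdline": "ray::train_task"},
    {"pid": 301, "ppid": 220, "comm": "python",          "cmdline": "python train.py"},
    {"pid": 302, "ppid": 220, "comm": "sh",              "cmdline": "sh -c ./helper"},
    {"pid": 303, "ppid": 302, "comm": "helper",          "cmdline": "./helper"},
    {"pid": 304, "ppid": 220, "comm": "xmrig",           "cmdline": "./xmrig"},
    {"pid": 400, "ppid": 1,   "comm": "bash",            "cmdline": "bash -l"},
    {"pid": 500, "ppid": 1,   "comm": "nbminer",         "cmdline": "./nbminer"},
]

def ray_ancestor(event, by_pid):
    """Walk the parent chain; return the pid of the nearest Ray process, if any."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        if parent["comm"].startswith(RAY_MARKERS):
            return parent["pid"]
        seen.add(parent["pid"])            # guards against pid-reuse loops
        parent = by_pid.get(parent["ppid"])
    return None

def detect(events):
    """Return (pid, severity, ray_ancestor_pid) for suspicious executions."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["comm"].startswith(RAY_MARKERS):
            continue                       # Ray's own processes
        ancestor = ray_ancestor(e, by_pid)
        text = f'{e["comm"]} {e["cmdline"]}'.lower()
        if any(marker in text for marker in MINER_MARKERS):
            alerts.append((e["pid"], "high", ancestor))
        elif ancestor is not None and e["comm"] in SHELLS:
            # Job entrypoints can legitimately run via a shell, so this is
            # a review-level signal to correlate, not proof of compromise.
            alerts.append((e["pid"], "review", ancestor))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The renamed `helper` binary (pid 303) matches no name marker, which is why the shell-under-Ray signal on its parent (pid 302) is kept as a separate, lower-severity alert.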

Stay informed about vulnerabilities in the AI tools and frameworks your organization uses. Subscribe to security advisory feeds from Anyscale, NVIDIA, and other AI infrastructure providers. Participate in community security discussions, and consider contributing vulnerability reports when you discover issues in open-source tools.

Final Takeaway

The ShadowRay campaign demonstrates that AI infrastructure is now a primary target for cyberattacks. The combination of high-value data, significant compute resources, and historically lax security practices makes AI clusters an attractive target for both data theft and cryptomining. As AI becomes increasingly embedded in cryptocurrency and Web3 workflows, securing the underlying infrastructure is not optional. The tools and practices needed are well-established. What has been lacking is the recognition that AI infrastructure demands the same security rigor applied to financial systems and production databases. The ShadowRay disclosure should serve as a definitive wake-up call.

Disclaimer: This article is for informational purposes only and does not constitute professional security advice. Organizations should consult qualified cybersecurity professionals for tailored security assessments.


5 thoughts on “ShadowRay Campaign Targets AI Infrastructure: A Practical Guide to Securing Compute Clusters Against Missing Authentication Flaws”

  1. tech_enthusiast

    Seeing Ray used by big names like Shopify and LinkedIn makes this even more concerning. AI is moving so fast that security sometimes feels like an afterthought. We need more transparency from Anyscale on why they think this isn’t a vulnerability.

  2. system_admin_rob

    Ray being used by OpenAI and Amazon makes this CVE-2023-48022 massive. If Anyscale isn’t patching it, they are leaving the door wide open for more cryptominers. We’ve already seen XMRig and NBMiner on our test clusters. It’s time to rethink our AI infrastructure security.

  3. A CVSS 9.8 for the Ray framework is insane. The fact that Anyscale is disputing the vulnerability while active cryptominers are being deployed is a huge red flag. OpenAI and Amazon users should be checking their clusters immediately for XMRig or NBMiner.

  4. cloud_security_wiz

    CVE-2023-48022 has been active since September? That’s a long time to have a vulnerability this critical wide open. Using AI frameworks often means sacrificing some security for performance, but this is a bridge too far. Stay safe out there, devs.

  5. Stolen SSH keys and API tokens are the worst-case scenario. This ShadowRay campaign shows that AI infrastructure is the new gold mine for attackers. If there’s no patch, we need to be looking at serious network isolation for these Ray clusters.
