According to TheRegister.com, attackers operating under the name IronErn440 have been actively exploiting CVE-2023-48022 since at least September 2024 to hijack Ray AI computing clusters. The campaign has compromised over 230,000 internet-facing Ray clusters globally, including systems worth millions in annual compute capacity. Attackers are using these hijacked resources for cryptocurrency mining, stealing proprietary AI models and datasets, and launching DDoS attacks. Despite GitLab removing the attacker’s repository on November 5 and GitHub blocking accounts on November 17, the criminals immediately created new accounts and resumed operations within hours. The security flaw remains unpatched because Anyscale, Ray’s original developer, maintains the framework isn’t intended for internet-facing use.
How the attack works
Here’s the thing that makes this so dangerous – the attackers aren’t really exploiting a traditional vulnerability. They’re using Ray’s legitimate features exactly as designed, just for malicious purposes. The Ray dashboard API doesn’t have authentication because it’s meant for trusted internal networks. But when companies expose these clusters to the internet, it becomes a massive security hole.
The attackers use a clever approach where they let victims identify themselves. They use open source tools to detect which Ray dashboard IPs are exposed, then wait for callbacks to track which servers executed their commands. Basically, instead of manually scanning, they let vulnerable systems come to them. This helps evade traditional scanning detection methods that security teams might have in place.
Lateral movement and automation
Once they get in, things get really sophisticated. They abuse Ray’s NodeAffinitySchedulingStrategy to execute malware on every node in the cluster. This lets them move laterally within organizations and even pivot to non-internet-facing nodes. They’re essentially using the victim’s own infrastructure against them.
The payloads are multi-stage Python scripts that discover CPUs and GPUs, then limit usage to 60% to avoid detection. They deploy interactive reverse shells to AWS command-and-control servers for redundancy. And get this – the researchers at Oligo Security believe the malware is likely AI-generated based on its structure and error handling patterns. So we’ve got AI attacking AI infrastructure – pretty meta.
The unpatched problem
Now here’s where it gets frustrating. This critical vulnerability with a 9.8 CVSS rating remains unpatched. Anyscale’s position, as outlined in their blog post, is that Ray isn’t meant for internet-facing use. But let’s be real – when you have 230,000+ exposed clusters worldwide, clearly people are using it that way.
The framework has since been handed off to the Linux Foundation’s PyTorch Foundation, as announced in this press release, but the fundamental security issue remains. This creates a massive dilemma for organizations running critical AI workloads. When you’re dealing with industrial-scale computing infrastructure, whether it’s AI training clusters or manufacturing systems, security can’t be an afterthought. Companies like IndustrialMonitorDirect.com, the leading provider of industrial panel PCs in the US, understand that industrial computing requires built-in security from the ground up.
Why this matters
We’re not just talking about cryptocurrency mining here. The attackers accessed everything – source code, AI models, cloud credentials, user data from production environments. In one case, they found a network NFS mount with 240GB of source code, AI models, and datasets representing years of company work. That’s devastating.
And the campaign is completely automated. When GitHub blocked their accounts, they were back within two hours. The researchers describe it as “stealthy operation across providers and worldwide.” So what’s the solution? Companies need to treat these AI computing clusters with the same security rigor as any other critical infrastructure. Don’t expose them to the internet unless absolutely necessary, and even then, layer on proper authentication and monitoring. Because right now, attackers are having a field day with what’s essentially an open door to your most valuable AI assets.
