PromptRiskDBThreat intelligence atlas

ShadowRay - AI Case Study

AI Case Study

Ray is an open-source Python framework for scaling production AI workflows. Ray's Job API allows for arbitrary remote execution by design. However, it does not offer authentication, and the default configuration may expose the cluster to the internet. Researchers at Oligo discovered that Ray clusters have been actively exploited for at least seven months. Adversaries can use victim organization's compute power and...

Overview

Case steps7Steps described in the case record.
Techniques7Attack methods mentioned in the case steps.
Linked CVEs5Known vulnerabilities mentioned in the record.

Risk patterns

Patterns found in the case record and its linked vulnerabilities.

  • 1Dominant ATLAS tactic. Initial Access appears in 2 case steps.
  • 2Multiple attack methods. The case connects to 7 unique AI attack methods.
  • 3Vulnerability mentions. The record connects 5 vulnerability identifiers to this case.

Procedure timeline

Search the case steps or filter them by attacker goal.

Initial Access2Reconnaissance1Collection1Credential Access1Exfiltration1Impact1
  1. Reconnaissance

    Adversaries can scan for public IP addresses to identify those potentially hosting Ray dashboards. Ray dashboards, by default, run on all network interfaces, which can expose them to the public internet if no other protective mechanisms are in place on the system.

  2. Initial Access

    Once open Ray clusters have been identified, adversaries could use the Jobs API to invoke jobs onto accessible clusters. The Jobs API does not support any kind of authorization, so anyone with network access to the cluster can execute arbitrary code remotely.

  3. Collection

    Adversaries could collect AI artifacts including production models and data. The researchers observed running production workloads from several organizations from a variety of industries.

  4. Credential Access

    The attackers could collect unsecured credentials stored in the cluster. The researchers observed SSH keys, OpenAI tokens, HuggingFace tokens, Stripe tokens, cloud environment keys (AWS, GCP, Azure, Lambda Labs), Kubernetes secrets.

  5. Exfiltration

    AI artifacts, credentials, and other valuable information can be exfiltrated via cyber means. The researchers found evidence of reverse shells on vulnerable clusters. They can be used to maintain persistence, continue to run arbitrary code, and exfiltrate.

  6. Step 6

    Model

    Initial Access

    HuggingFace tokens could allow the adversary to replace the victim organization's models with malicious variants.

  7. Impact

    Adversaries can cause financial harm to the victim organization. Exfiltrated credentials could be used to deplete credits or drain accounts. The GPU cloud resources themselves are costly. The researchers found evidence of cryptocurrency miners on vulnerable Ray clusters.

Mitigations

Defenses connected to the attack methods in this case.

AI Model Distribution Methods

Deploying AI models to edge devices can increase the attack surface of the system. Consider serving models in the cloud to reduce the level of access the adversary has to the model. Also consider computing features in the cloud to prevent gray-box attacks, where an adversary has access to the model preprocessing methods.

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. Adversaries can embed malicious code in AI software or models. Developers should also cryptographically sign SBOM and AIBOM components that track model or data provenance. Enforcement of code signing can prevent the compromise of the AI supply chain and prevent execution of malicious code.

Showing 4 of 7

Source evidence

Original public records and references for this case.

Original source

Original source links

Open the MITRE ATLAS data and public references used for this case study.