Popular open-source AI framework under siege, critical flaw has no patch

Attackers are actively exploiting a critical vulnerability in Ray, an open-source AI framework, leaving thousands of companies exposed to a flaw that reportedly has no patch.

According to a research team from Oligo Security, this is believed to be the first known attack campaign targeting AI workloads.

“This vulnerability allows attackers to take over the companies' computing power and leak sensitive data. This flaw has been under active exploitation for the last 7 months, affecting sectors like education, cryptocurrency, biopharma, and more,” they noted.

The vulnerability was first reported in late 2023 alongside four other flaws. The other four were patched, but this one remained disputed, and many development teams were never made aware that they should be concerned about it.

Oligo Security observed it being exploited in the wild and described it as a so-called shadow vulnerability, one that, in their words, “doesn’t show up in static scans but can still lead to breaches and significant losses.” In practice this means a cluster can pass a dependency or vulnerability scan and still be exposed, so the check that matters is whether the Ray service itself is reachable from untrusted networks, not whether a scanner flags the package.

Thousands of publicly exposed Ray servers have already been compromised, some of them for at least seven months. In many cases, attackers abused the flaw to install cryptomining software, as first reported by Forbes.

Ray is used by OpenAI, Amazon, and Uber, among other companies, because of its scalability, speed, and efficiency. Here is how Oligo explained its use cases:

“Models like GPT-4 comprise billions of parameters, requiring massive computational power. Such large models cannot possibly fit on the memory of a single machine. Ray is the enabling technology that allows these models to run. Ray quickly became a best practice in the industry – especially for AI practitioners, who are proficient in Python and often require models to run and distribute among multiple GPUs and machines.”

The compromised servers have been leaking a large amount of sensitive data. According to the researchers, AI production workloads were compromised, meaning that “a trove of sensitive information has been leaked via the compromised servers.” While the researchers did not name the affected companies, they said that firms from “many industries” were hit.

Researchers also saw evidence that production database credentials, password hashes, private SSH keys, and OpenAI API tokens, among other things, had been compromised. The OpenAI tokens could be used by attackers to gain access to the corresponding OpenAI accounts. Any such secrets that were present on an exposed Ray cluster should be treated as compromised and rotated, since an attacker with access to the cluster could have read them at any point during the campaign.

Notably, the GPU models found in the compromised clusters are currently out of stock, hard to obtain, and extremely expensive, which makes the hijacked compute itself a valuable prize.

“The total amount of machines and compute power that might have been compromised can be estimated to be worth almost a billion USD, based on the clusters we observed in the last few weeks alone. Moreover, the first evidence of an attack that we have observed is from September 5th, which gave the attackers at least seven months to leverage the hardware,” Oligo said.

For more information on the attack and mitigation strategies, visit Oligo’s technical blog.
