C0045 ShadowRay
ShadowRay was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework named ShadowRay. According to security researchers ShadowRay was the first known instance of AI workloads being activley exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor as they maintain that Ray is not intended for use outside of a strictly controlled network environment.
| Item |
Value |
| ID |
C0045 |
| Associated Names |
|
| First Seen |
September 2023 |
| Last Seen |
March 2024 |
| Version |
1.0 |
| Created |
02 December 2024 |
| Last Modified |
02 December 2024 |
| Navigation Layer |
View In ATT&CK® Navigator |
Techniques Used
| Domain |
ID |
Name |
Use |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.006 |
Python |
During ShadowRay, threat actors used the Python pty module to open reverse shells. |
| enterprise |
T1546 |
Event Triggered Execution |
- |
| enterprise |
T1546.004 |
Unix Shell Configuration Modification |
During ShadowRay, threat actors executed commands on interactive and reverse shells. |
| enterprise |
T1190 |
Exploit Public-Facing Application |
During ShadowRay, threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data. |
| enterprise |
T1068 |
Exploitation for Privilege Escalation |
During ShadowRay, threat actors downloaded a privilege escalation payload to gain root access. |
| enterprise |
T1105 |
Ingress Tool Transfer |
During ShadowRay, threat actors downloaded and executed the XMRig miner on targeted hosts. |
| enterprise |
T1027 |
Obfuscated Files or Information |
- |
| enterprise |
T1027.013 |
Encrypted/Encoded File |
During ShadowRay, threat actors used Base64-encrypted Python code to evade detection. |
| enterprise |
T1588 |
Obtain Capabilities |
- |
| enterprise |
T1588.002 |
Tool |
During ShadowRay, threat actors used tools including the XMRig miner and Interactsh. |
| enterprise |
T1003 |
OS Credential Dumping |
- |
| enterprise |
T1003.008 |
/etc/passwd and /etc/shadow |
During ShadowRay, threat actors used cat /etc/shadow to steal password hashes. |
| enterprise |
T1496 |
Resource Hijacking |
- |
| enterprise |
T1496.001 |
Compute Hijacking |
During ShadowRay, threat actors leveraged graphics processing units (GPU) on compromised nodes for cryptocurrency mining. |
| enterprise |
T1016 |
System Network Configuration Discovery |
During ShadowRay, threat actors invoked DNS queries from targeted machines to identify their IP addresses. |
References