Hackers have targeted an open source software called Ray to breach hundreds of companies, potentially the first cyberattacks exploiting AI vulnerabilities in the wild. The attacks were discovered by Israeli cyber startup Oligo Security, who found evidence of hackers installing cryptocurrency miners on exposed servers to divert processing power used to train AI models for mining digital coins. Vulnerable servers also leaked access tokens that could have allowed attackers to breach various AI and business applications, including OpenAI and Slack. Some companies incorporating financial transactions into AI apps may have had Stripe payment service tokens accessed.
The three largest entities attacked are household names, with potentially thousands of compromised machines. One was conducting pharmaceutical research, another was an American college. Oligo reported the exploit to all of them. The attackers are actively leveraging AI infrastructure to make money, targeting servers running Ray that were left exposed on the internet through an API that does not require a key or password. Some of the impacted machines have been compromised for over a year, indicating that the attacks have been ongoing for some time.
Ray is used by major tech companies like Amazon, Uber, and Intel to run compute-heavy AI workloads across distributed servers. Anyscale oversees Ray’s development and has started designing a new feature to warn users if their Ray systems are accessible on the open internet. Oligo researchers have evidence that hackers were exploiting open servers before any warnings were issued. Security experts have expressed concerns about attackers altering AI models for malicious purposes. The risk is no longer theoretical, as these attacks have shown that they are actively happening.
Security researchers warned Anyscale about the vulnerability in late 2023, but the company disputed it, claiming it was a feature necessary for distributed workloads. Researchers hope Anyscale will reconsider their stance and implement basic API security patterns to better protect users. Proper configuration of Ray systems is the user’s responsibility, according to Anyscale, who advise against exposing Ray clusters to untrusted network traffic. The attacks have raised concerns about the security of AI workloads and the potential for attackers to compromise multiple machines if they reach distributed clusters. This highlights the importance of implementing robust security measures to safeguard against potential cyber threats.
