Lessons Learned from the “ShadowRay” Campaign – The First Known Attack Targeting AI Workloads

On March 26, 2024, researchers at Oligo, an application security firm, disclosed that they discovered an active attack campaign targeting a vulnerability in Ray, a widely used open-source artificial intelligence (AI) framework. Ray is a unified framework for scaling AI and Python applications for a variety of different use cases, such as enabling distributed workloads for training, serving, and tuning AI models or optimizing performance. The attack campaign, dubbed “ShadowRay,” is reportedly the first attack campaign observed in the wild that targets AI workloads, which comprise a set of computational tasks related to training, deploying, and running AI models and algorithms. This incident has allowed attackers to steal credentials, remotely control servers, and corrupt AI models.

Not only does Oligo’s discovery show how security vulnerabilities can be exploited within AI workloads, but it also highlights how threat actors are actively looking for ways to exploit AI. To strengthen our cyber resilience in response, defenders must take advantage of AI’s current cybersecurity applications and be prepared to harness its full potential in future applications. The ShadowRay campaign also marks the realization of numerous anticipated AI security risks and reinforces three key lessons for navigating the ever-evolving AI and cybersecurity landscape.

1. Cybersecurity must be prioritized throughout the AI lifecycle.

The ShadowRay incident underscores the importance of proactively embedding comprehensive, traditional cybersecurity measures throughout the AI lifecycle. By exploiting the CVE-2023-48022 vulnerability, attackers showcased the ability to tamper with AI models and illicitly access sensitive data, bypassing the need for authentication. This vulnerability exploitation can also compromise the integrity of the AI system during the critical training and deployment phases, bringing to life some of the anticipatory concerns that researchers have long raised about the security vulnerabilities that AI has the potential to introduce and amplify. In this way, ShadowRay also demonstrates the importance of being prepared to defend against both conventional and emerging security risks within AI infrastructures.

2. Cybersecurity is a shared responsibility.

The widespread use of Ray by thousands of companies, including Amazon, Microsoft Azure, Spotify, LinkedIn, Uber, and OpenAI, shows how AI systems are inherently interconnected and thus, how cybersecurity is a shared responsibility. Ray’s universality means that vulnerabilities found and exploited in the Ray cluster can also expose all its users and associated platforms to potential breaches. This interconnectedness means that one organization or individual’s security practices (or lack thereof) can have far-reaching implications.

In other words, the ShadowRay campaign serves as a poignant reminder that everyone has a role to play in bolstering our collective cybersecurity defenses. Practicing good cyber hygiene, such as using a password manager and implementing timely patch management, are simple tasks that everyone can and should do. Users should also regularly follow best practices and guidance issued by developers, especially after incidents like ShadowRay occur. By embracing a collective approach to cybersecurity, where everyone and every organization is actively engaged in the application of robust cybersecurity practices, we can enhance the resiliency of our AI systems against both existing and emerging security threats.  

3. Information sharing and collaboration remain essential to building cyber resilience.

The ShadowRay campaign highlights the critical importance of information sharing and collaboration in building cyber resilience. In November 2023, the discovery of five Ray vulnerabilities prompted Ray developer, Anyscale, to release a blog post with guidance for users and fixes for the identified vulnerabilities. This open communication enabled Oligo researchers to identify an active attack targeting CVE-2023-48022, which lacked a patch at the time due to continued disputes among developers over its potential risk.

This series of events emphasizes the necessity of information sharing and collaboration across all levels of the cybersecurity ecosystem and the effective incident response that can result from such partnerships. However, the disputes over the extent of the risk posed by the vulnerability and whether Anyscale should have enforced authentication before the ShadowRay incident also shed light on the challenges of reaching consensus on security priorities, as well as the importance of continuous learning and readiness to adapt strategies in response to new insights or threats. Because AI experts are often not security experts, collaboration between experts on both sides is imperative.

___________

As we navigate the constantly shifting terrain of cybersecurity and emerging technologies—where definitive answers are rare—our strength lies in our ability to learn from each incident, foster constructive debates on best practices and solutions, and embrace an agile, multistakeholder approach. Not only does this strategy protect our current digital ecosystem, but it also equips us to develop forward-thinking solutions that can help us maintain an edge over potential security threats.