
Evasive high-level hackers are actively exploiting an unpatched security flaw that affects many widely used AI systems, including ChatGPT, a cybersecurity firm said on Tuesday.

The vulnerability, dubbed “ShadowRay,” is an unpatched bug in the “Ray AI” framework used by companies like OpenAI, Amazon, Uber, Netflix, and others. According to cybersecurity firm Oligo, threat actors have been actively exploiting this vulnerability since September 2023.

ShadowRay can allow hackers to access sensitive data and computational resources on servers, potentially manipulating AI operations, stealing intellectual property, and using computational power for cryptocurrency mining.

This is “the first known instance of AI workloads actively being exploited in the wild through vulnerabilities in modern AI infrastructure,” Oligo said.

AI Infrastructure Is a ‘Goldmine for Attackers’

Ray is an open-source AI framework used by thousands of companies worldwide in “sectors like education, cryptocurrency, biopharma, and more,” Oligo said.

“Many of the [compromised] machines included command history, making it much easier for attackers to understand what resides on the current machine and possibly leaking sensitive secrets from production that were used in previous commands,” the company revealed in its blog post.

“Due to the disputes surrounding whether it constituted a vulnerability, ShadowRay (CVE-2023-48022) did not appear in several databases. This created a blind spot: security teams around the world had no idea that they could be at risk.”

AI infrastructure is a top target for cybercriminals because it holds a wealth of sensitive data and computational capability. AI environments often contain proprietary datasets and models, the intellectual property that differentiates companies in a competitive market. Moreover, these environments are linked to third-party services and company databases, making them a focal point for unscrupulous actors.

While Oligo has not identified the attackers, it said they are likely part of an organized hacking group since their methods include advanced evasion tactics. “The total amount of machines and compute power that might have been compromised can be estimated to be worth almost a billion USD, based on the clusters we observed in the last few weeks alone,” the report said.

Anyscale Tooling Available, Oligo’s Urgent Security Recommendations

Anyscale, the company behind the Ray AI framework, has provided new tooling to help users verify the proper configuration of their Ray clusters and prevent accidental exposure. 

Oligo has also put forth urgent recommendations for organizations using Ray and similar AI frameworks. Among other things, Oligo recommends:

  • Regularly updating AI frameworks like Ray and ensuring all components are patched to the latest versions.
  • Implementing strict access controls and network security measures to safeguard AI systems from unauthorized access.
  • Conducting immediate security audits to detect any vulnerabilities.
  • Following best practices for securing Ray.

Adding to that, we recommend organizations:

  • Isolate critical AI workloads in dedicated environments to minimize risk and control access to sensitive infrastructure.
  • Regularly assess security and conduct penetration testing to proactively identify and address vulnerabilities.
  • Develop and regularly update incident response plans with specific procedures for AI environment breaches.

We also urge users to be cautious of unsolicited requests and suspicious activity that could indicate a security breach, and to report them to IT or security teams immediately. Despite advancements in AI technologies, security concerns persist.

“Employees must be diligent in not allowing any sensitive, proprietary, confidential, or personal data to be entered into ChatGPT,” Dan Lohrmann, CISO and Field Chief Information Security Officer at Presidio, told VPNOverview in 2023 after the launch of OpenAI’s ChatGPT.

Refer to our guide to the privacy risks of AI chatbots for tips on how to use AI systems securely.
