
ShadowRay

[ShadowRay](https://attack.mitre.org/campaigns/C0045) was a campaign that began in late 2023 and targeted the education, cryptocurrency, biopharma, and other sectors by exploiting a vulnerability (CVE-2023-48022, dubbed ShadowRay) in the Ray AI framework. According to security researchers, [ShadowRay](https://attack.mitre.org/campaigns/C0045) was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022 gives anyone who can reach an exposed Ray instance access to its compute resources and sensitive data. It remains unpatched and is disputed by the vendor, who maintains that Ray is not intended for use outside of a strictly controlled network environment.(Citation: Oligo ShadowRay Campaign MAR 2024)
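Because the vendor's position makes network exposure the practical control, the check a defender most wants is whether Ray's service ports are reachable from outside the host. The following is an added example, not code from the ATT&CK page or from the Ray project: it parses socket listings in the format of `ss -tlnp` and flags Ray's default ports when they are bound to a non-loopback address. The port numbers (8265 dashboard and Jobs API, 6379 GCS, 10001 Ray Client) are Ray's documented defaults and the socket table is hand-constructed sample input; both are assumptions of this example rather than facts stated on the page.

```python
"""Flag Ray service ports that are listening on externally reachable addresses.

Added example, not part of the ATT&CK page or the Ray project.
Assumptions: an unmodified Ray deployment using its default ports, and
socket listings in the column layout of `ss -tlnp` (a header line, if
present, is skipped).
"""
import ipaddress
import re
from dataclasses import dataclass

# Ray default listening ports (assumption: stock configuration).
RAY_PORTS = {
    8265: "dashboard / Jobs API",
    6379: "GCS (head node)",
    10001: "Ray Client server",
}

# Constructed sample input in `ss -tlnp` format; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8265      0.0.0.0:*         users:(("ray",pid=4242,fd=9))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("gcs_server",pid=4240,fd=7))
LISTEN 0      128    *:10001             *:*               users:(("ray",pid=4242,fd=12))
LISTEN 0      128    [::1]:8080          [::]:*            users:(("python3",pid=5000,fd=3))
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
"""

LOCAL_ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
PROCESS_RE = re.compile(r'\("([^"]+)"')


@dataclass(frozen=True)
class Finding:
    port: int
    address: str
    service: str
    process: str


def parse_local_address(field: str):
    """Split an `addr:port` column into (addr, port); brackets around IPv6 are dropped."""
    m = LOCAL_ADDR_RE.match(field)
    if m is None:
        return None
    return m.group("addr").strip("[]"), int(m.group("port"))


def is_externally_reachable(addr: str) -> bool:
    """True when a bind address accepts connections from other hosts.

    Wildcards (`*`, 0.0.0.0, ::) and any non-loopback IP count as reachable.
    An address that does not parse is treated as reachable so the check
    errs toward reporting rather than silently ignoring it.
    """
    if addr in ("*", ""):
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_unspecified or not ip.is_loopback


def find_exposed_ray_ports(ss_output: str) -> list[Finding]:
    """Return one Finding per LISTEN socket on a Ray port bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        parsed = parse_local_address(fields[3])
        if parsed is None:
            continue
        addr, port = parsed
        if port in RAY_PORTS and is_externally_reachable(addr):
            proc = PROCESS_RE.search(line)
            findings.append(Finding(port, addr, RAY_PORTS[port],
                                    proc.group(1) if proc else "unknown"))
    return findings


if __name__ == "__main__":
    for f in find_exposed_ray_ports(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {f.service}: {f.address}:{f.port} ({f.process})")
```

On the constructed sample the dashboard is bound to 127.0.0.1 and is not reported, while the GCS and Ray Client ports bound to wildcards are; on a real host, pipe `ss -tlnp` into `find_exposed_ray_ports`. Any finding means the instance is reachable from whatever network the host sits on, which is exactly the deployment the vendor says Ray is not designed for.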

Start date: 1 September 2023
End date: 1 March 2024
Techniques: 10

Attributed actors: none listed

Techniques (10)

command-and-control (1)
  T1105 Ingress Tool Transfer
credential-access (1)
  T1003.008 /etc/passwd and /etc/shadow
discovery (1)
  T1016 System Network Configuration Discovery
execution (1)
  T1059.006 Python
impact (1)
  T1496.001 Compute Hijacking
initial-access (1)
  T1190 Exploit Public-Facing Application
persistence (1)
  T1546.004 Unix Shell Configuration Modification
privilege-escalation (2)
  T1546.004 Unix Shell Configuration Modification
  T1068 Exploitation for Privilege Escalation
resource-development (1)
  T1588.002 Tool
stealth (1)
  T1027.013 Encrypted/Encoded File

Indicators of compromise

No IOCs linked to this campaign yet.