Thousands Of Companies Face AI Infrastructure Vulnerability

April 15, 2024

An AI infrastructure vulnerability poses a significant risk, attracting malicious actors seeking to exploit sensitive data. Researchers cited in The Record emphasize that AI-driven companies are susceptible because of this single vulnerability. Particularly alarming is the exploitation of a disputed vulnerability in the widely used open-source AI framework Ray, which is used by tech giants like Uber, Amazon, and OpenAI.

In 2023, the security firm Oligo found that thousands of publicly exposed Ray servers worldwide were compromised due to the vulnerability, which they call ShadowRay. It wasn’t considered a serious risk initially and was not promptly fixed.

The National Vulnerability Database says ShadowRay lets an attacker execute arbitrary code via an interface that the framework provides for submitting computational tasks for execution. Attackers exploited it to take control of companies’ computing power and leak sensitive data. Many medical companies, video analytics firms, and educational institutions have been compromised.

Ray’s developer, Anyscale, disputes the flaw report’s relevance, claiming that Ray “is not intended for use outside of a strictly controlled network environment.” It calls the bug a deliberate design decision. Oligo Security refers to it as a “shadow vulnerability” because security teams “had no idea that they could be at risk.”

The researchers say that ShadowRay is “the first known instance of AI workloads actively being exploited in the wild through vulnerabilities in modern AI infrastructure.” Oligo Security estimates the total value of compromised machines and compute power at nearly a billion dollars. The hacker group exploiting the AI infrastructure vulnerability hasn’t been identified.
