Hackers Breached Hundreds Of Companies’ AI Servers, Researchers Say

Hackers may have breached hundreds of companies by targeting open source software called Ray that is used to scale AI models, cybersecurity researchers have warned.

It is believed to be the first example found in the wild of cyberattacks exploiting AI computing vulnerabilities, and researchers say there is evidence it has been used to attack at least three “very well-known, large organisations” and dozens of smaller ones.

In many cases, the hackers used the exploit to install cryptocurrency miners on exposed servers, diverting the processing power used to train AI to churn out digital coins instead, according to Israeli cyber startup Oligo Security which discovered the attacks. In other cases, vulnerable servers leaked so-called access “tokens” that could have allowed an attacker to breach various AI and business applications, including OpenAI and Slack. Because some companies were incorporating the ability to process financial transactions into their AI apps, tokens for the Stripe payments service may have been accessed. It’s unclear if hackers used those tokens to steal any money. OpenAI and Stripe did not respond to requests for comment.

Dolleen Cross, spokesperson for Slack, said it was “an unfortunate incident and we feel for any customers that were impacted.” She noted the vulnerability isn’t “inherent to the Slack platform.”

The researchers declined to name the hacked entities, but told Forbes that the three largest are household names and may have had “thousands of compromised machines.” One was doing pharmaceutical research, another was an American college, Oligo cofounder and chief technology officer Gal Elbaz told Forbes. The researchers reported the exploit to all of them.

“This is an active campaign right now,” said Elbaz. “They’re attacking that infrastructure of AI, they’re leveraging it to make a lot of money.”

Ray is used by some of the world’s biggest tech businesses, including Amazon, Uber and Intel, to run compute-heavy AI workloads. It’s a framework that makes it easy to spin up AI projects across distributed servers. Typically, a company will use Ray to train AI models and then deploy them in their applications. But a large number of users mistakenly left servers running Ray exposed on the internet via an application programming interface (API) that does not require a key or password and permits outsiders to run code on the systems. This made it easy for malicious hackers to find the open servers and install crypto miners and malware.

In late 2023, different groups of researchers warned Anyscale, the company that oversees Ray’s development, that the ability to run code remotely via the API without the need for a password or key was a vulnerability. But Anyscale disputed that, arguing it was a feature because distributed workloads need to allow one server to run code on another.

Since Oligo disclosed the attacks, Anyscale has started designing a new feature that will warn users if they have configured their Ray systems so they’re accessible on the open internet. Anyscale spokesperson Anna von Schmeling said it was “the user’s responsibility” to configure Ray safely, pointing to its guidelines, which “strongly advises against exposing Ray clusters to untrusted network traffic.”

Oligo researchers have evidence hackers were exploiting the open servers long before anyone had warned Anyscale. “Some of the impacted machines have been compromised for more than a year,” the company wrote in a report provided to Forbes ahead of publication.

Over the last year, security experts have fretted about attackers accessing AI workloads and altering models to have them carry out unintended, malicious actions, but these attacks show that the risk isn’t theoretical. “They already did it… it’s happening,” Elbaz said.

Because distributed AI workloads require hundreds or thousands of processors to run, a single attack can result in the compromise of multiple machines, the researchers told Forbes. “If attackers reach these clusters, they can do a lot of damage,” added Guy Kaplan, director of research at Oligo.

Berenice Flores, Bishop Fox senior security consultant, was one of the researchers who last year warned Anyscale about the vulnerability, along with four other vulnerabilities that were subsequently patched. She said it was “disappointing” that Anyscale disputed the vulnerability. Marcello Salvati, a researcher at Protect AI, which also disclosed the vulnerabilities last year, told Forbes he was hopeful Anyscale would “reconsider their stance on the underlying issue of shipping something with insecure defaults.”

“Given how large the user base is, simply deploying basic API security patterns would go a long way in protecting their users,” Salvati’s colleague Dan McInerney added.


2024-03-26 10:30:00
