
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,971 of 2,445   
   Mike Powell to All   
   Ray clusters hijacked and   
   20 Nov 25 08:26:14   
   
   TZUTC: -0500   
   MSGID: 1728.consprcy@1:2320/105 2d8453b6   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Ray clusters hijacked and turned into crypto miners by shadowy new botnet   
      
   Date:   
   Wed, 19 Nov 2025 15:21:00 +0000   
      
   Description:   
   IronErn440 is using a known, unfixed flaw to create a botnet and deploy the
   XMRig cryptojacker.
      
   FULL STORY   
      
   Ray clusters, still vulnerable to a critical severity flaw discovered years   
   ago, are being used for cryptocurrency mining, data exfiltration, and even   
   Distributed Denial of Service (DDoS) attacks, experts have warned.
      
   Cybersecurity researchers Oligo claim this is the second major campaign to   
   leverage this same flaw.    
      
   Ray is an open source network that helps run Python programs faster by   
   decentralizing and distributing the work across multiple machines. Its   
   clusters are groups of computers - one head node and multiple worker nodes -   
   that work together to run Ray tasks and workloads in a distributed and   
   coordinated way.    
      
   Back in 2023, it was discovered that Ray 2.6.3 and 2.8.0 carried a   
   vulnerability that allowed a remote attacker to execute arbitrary code via    
   the job submission API. However, Anyscale, the company behind the product, did
   not fix it since it is designed to run in a strictly-controlled network   
   environment.    
      
   In other words - it's up to the users to secure their infrastructure and make
   sure the flaw does not get abused.    
      
   But abused, it was. First, between September 2023 and March 2024, and today.   
   Oligo says that threat actors tracked as IronErn440 are now using    
   AI-generated payloads to infiltrate vulnerable clusters. By leveraging the   
   bug, the attackers submit jobs to the unauthenticated Jobs API, running
   multi-stage Bash and Python payloads hosted on GitHub and GitLab.    
      
   These payloads deploy malware to the devices - usually the infamous XMRig   
   cryptojacker. While this cryptojacker is usually easily spotted (since it   
   takes up 100% of the device's processing power and renders it useless for
   pretty much anything else), the attackers tried to work around this issue by   
   locking it to 60% of processing power.    
      
   Today, there are more than 230,000 Ray servers exposed to the internet, the   
   researchers warned, saying that their numbers grew significantly compared to   
   just a few thousand that were available when the vulnerability was first   
   discovered.    
      
    Via BleepingComputer    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/ray-clusters-hijacked-and-turned-into-crypto-miners-by-shadowy-new-botnet
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
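
The story above notes that the miner was locked to 60% of processing power so it would not stand out the way a 100% load does. The following is an added example, not part of the original message or the cited research: it shows why a saturation-only CPU alert misses that profile and how a sustained flat plateau can be flagged instead. The process names, readings and thresholds are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed samples: per-process share of total host CPU (%), one reading
# per minute. "kworker-helper" is a made-up name with a capped, flat profile.
SAMPLES = {
    "ray::train_batch": [12, 88, 97, 35, 5, 91, 99, 40, 8, 76, 95, 22],
    "kworker-helper":   [60, 59, 61, 60, 60, 58, 60, 61, 60, 59, 60, 60],
    "sshd":             [0, 1, 0, 0, 2, 0, 0, 1, 0, 0, 0, 1],
}

def saturation_alert(series, threshold=95.0, min_hits=8):
    """Classic rule: fire when most readings sit near 100% CPU."""
    return sum(1 for v in series if v >= threshold) >= min_hits

def plateau_alert(series, window=10, floor=40.0, max_stdev=2.0):
    """Fire when any `window` consecutive readings stay above `floor` with
    almost no variation, the shape a fixed CPU cap produces.
    Returns the plateau level (mean of the window) or None."""
    for start in range(len(series) - window + 1):
        chunk = series[start:start + window]
        if min(chunk) >= floor and pstdev(chunk) <= max_stdev:
            return round(mean(chunk), 1)
    return None

def triage(samples):
    """Return {process: (saturation_hit, plateau_level_or_None)}."""
    return {name: (saturation_alert(s), plateau_alert(s))
            for name, s in samples.items()}

if __name__ == "__main__":
    for name, (sat, plateau) in triage(SAMPLES).items():
        print(f"{name:18} saturation={sat!s:5} plateau={plateau}")
```

A steady legitimate workload can produce the same shape, so a plateau hit is a reason to look at the process, not a verdict.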
      



(c) 1994,  bbs@darkrealms.ca