
Pentera Discovers Exposed Cloud Training Applications Actively Exploited with Crypto-Miners


Pentera Labs research uncovers evidence of active attacker activity within customer-managed enterprise cloud environments operated by Fortune 500 companies and leading cybersecurity vendors, including compromise and crypto-mining activity

Pentera, the leader in AI-Powered Security Validation, has released new research from Pentera Labs revealing the active exploitation of training applications deployed within customer-managed cloud environments used by Fortune 500 organizations and major security vendors.

These applications, commonly used for security demos and hands-on training, include open-source projects such as OWASP Juice Shop, DVWA, and Hackazon. Pentera Labs identified thousands of exposed systems, many of which are hosted on enterprise-owned infrastructure running on AWS, Azure, and GCP cloud platforms. Approximately 20% of the exposed environments identified were found to contain artifacts consistent with unauthorized activity, including crypto-mining activity.

Pentera Labs research found that these applications were often deployed by customers with default configurations, minimal isolation, and overly permissive cloud roles. The investigation uncovered that many of these exposed training environments were directly connected to active cloud identities and privileged roles, potentially enabling attackers to move far beyond the intentionally vulnerable apps themselves and into the customer’s broader cloud infrastructure.

“One misconfigured training app was enough for attackers to obtain cloud credentials and deploy miners at an organization’s expense,” said Noam Yaffe, Senior Security Researcher at Pentera Labs and Team Lead of Pentera’s Offensive Security Services. “These systems may be labeled ‘non-production,’ but the access they expose is very real for thousands of organizations.”

Pentera Labs also discovered webshells, obfuscated scripts, and persistence mechanisms on compromised hosts, providing further evidence that adversaries are treating these publicly accessible “lab” systems as convenient footholds into enterprise cloud accounts. From this position, attackers could have expanded their access in several ways, including lateral movement across cloud resources, privilege escalation through over-permissive roles, tampering with CI/CD workloads, or inserting themselves into software supply chain processes.
