https://pentera.io/blog/exposed-cloud-training-apps-pentera-labs/

Cybercriminals are targeting intentionally vulnerable web applications that organisations use for security training and penetration testing, gaining unauthorised access to cloud environments belonging to Fortune 500 companies and major security vendors. Research conducted by automated penetration testing firm Pentera has uncovered that threat actors are exploiting applications such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP to infiltrate corporate systems, where they deploy cryptocurrency miners, install webshells, and establish footholds for further network compromise.

The investigation identified nearly 2,000 vulnerable applications exposed on the public internet, many of which were connected to overly privileged cloud service accounts on platforms including AWS, GCP, and Azure. Among the affected organisations were prominent technology firms such as Cloudflare, F5, and Palo Alto Networks, all of which were notified by researchers and have since remediated the issues. The exposed systems frequently retained default credentials and violated least-privilege security principles, creating pathways for attackers to access critical cloud infrastructure including S3 buckets, container registries, and secrets management systems.
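The three conditions described above (public exposure, default credentials, an over-privileged cloud role) can be checked against a deployment inventory. The following is an added example, not code from Pentera's research; the inventory field names and sample entries are constructed assumptions, and the policy check only looks at `Allow` statements that reach the AWS services matching the resources named above (S3, ECR, Secrets Manager).

```python
from fnmatch import fnmatchcase
# Applications named in the research; inventory field names are hypothetical.
TRAINING_APPS = {"dvwa", "juice-shop", "hackazon", "bwapp"}
# AWS prefixes for S3 buckets, container registries (ECR) and Secrets Manager.
SENSITIVE_SERVICES = ("s3", "ecr", "secretsmanager")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def risky_actions(policy):
    """Allowed action patterns reaching a sensitive service (no NotAction/Condition)."""
    hits = set()
    for stmt in _as_list(policy.get("Statement", [])):  # single item or list
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()  # "*" has no prefix
            if any(fnmatchcase(s, service) for s in SENSITIVE_SERVICES):
                hits.add(action)
    return sorted(hits)

def audit(inventory):
    """Return (name, reasons) for each training app that fails a check."""
    findings = []
    for dep in inventory:
        if dep["app"].lower() not in TRAINING_APPS:
            continue
        reasons = []
        if dep.get("public"):
            reasons.append("reachable from the internet")
        if dep.get("default_credentials"):
            reasons.append("default credentials still set")
        actions = [a for p in dep.get("role_policies", []) for a in risky_actions(p)]
        if actions:
            reasons.append("role allows " + ", ".join(actions))
        if reasons:
            findings.append((dep["name"], reasons))
    return findings

# Constructed sample inventory, not data from the research.
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LOGS_ONLY = {"Statement": {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}}
MIXED = {"Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
INVENTORY = [
    {"name": "sec-training-1", "app": "DVWA", "public": True, "default_credentials": True, "role_policies": [ALLOW_ALL]},
    {"name": "workshop-lab", "app": "juice-shop", "public": False, "default_credentials": False, "role_policies": [LOGS_ONLY]},
    {"name": "demo-shop", "app": "Hackazon", "public": True, "default_credentials": False, "role_policies": [MIXED]},
]
```

Calling `audit(INVENTORY)` reports `sec-training-1` and `demo-shop`; `workshop-lab` passes because it is private, has changed credentials, and its role can only write logs.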

Pentera confirmed that these vulnerabilities are being actively exploited in real-world attacks and are not merely theoretical risks. The security firm discovered evidence of ongoing cryptomining operations running on AWS accounts compromised through these misconfigured testing applications. The findings point to a significant, and often overlooked, blind spot in cloud security: training and demonstration environments deployed in production cloud infrastructure receive inadequate security oversight despite their connectivity to sensitive corporate resources and privileged service credentials.