Exposed Training Open the Door for Crypto-Mining in Fortune 500 Cloud Environments

The Hacker News • February 11, 2026

Companies Mentioned

  • Microsoft (MSFT)
  • Google (GOOG)
  • Palo Alto Networks (PANW)
  • F5 Networks
  • Cloudflare (NET)
  • Amazon (AMZN)
Why It Matters

Exposed training apps dramatically enlarge the attack surface, enabling low‑effort crypto‑mining and privileged cloud compromise that can affect even the largest enterprises.

Key Takeaways

  • 2,000 training apps exposed, 60% on major clouds
  • 20% host crypto‑mining or web‑shell artifacts
  • Permissive roles enable lateral cloud movement
  • Fortune 500 and security vendors impacted
  • "Test" label bypasses standard monitoring

Pulse Analysis

Intentionally vulnerable training tools such as OWASP Juice Shop and DVWA are invaluable for teaching security fundamentals, but their migration from isolated labs to production clouds is a growing blind spot. Organizations often spin up these applications with default configurations, attach them to existing cloud identities, and then forget to decommission or re‑secure them. The lack of network segmentation and overly broad IAM roles turns a harmless demo into a foothold that automated scanners sweeping the public internet can discover.

Pentera Labs’ research uncovered nearly 2,000 live instances of such misconfigured apps, with 20% showing clear signs of compromise—crypto‑mining binaries, web‑shells, and persistence mechanisms. Because many of these environments are linked to privileged cloud identities, attackers can quickly move laterally, accessing storage buckets, databases, or even orchestrating further attacks against critical workloads. The fact that Fortune 500 companies and leading security vendors like Palo Alto, F5 and Cloudflare are represented underscores that the issue is not limited to small‑scale operations but is a systemic risk across the enterprise cloud ecosystem.

Mitigating this threat requires treating training and demo environments as first‑class assets. Continuous asset discovery, strict IAM hygiene, and network isolation should be enforced from deployment through retirement. Automated scanning for exposed endpoints, coupled with regular access‑review cycles, can surface forgotten instances before they become lucrative mining farms. As cloud adoption deepens, organizations that embed zero‑trust principles and lifecycle management into their DevSecOps pipelines will reduce the likelihood that a simple training app becomes a gateway to a broader breach.

By Noam Yaffe, Senior Security Researcher at Pentera Labs · February 11, 2026

Intentionally vulnerable training applications are widely used for security education, internal testing, and product demonstrations. Tools such as OWASP Juice Shop, DVWA, Hackazon, and bWAPP are designed to be insecure by default, making them useful for learning how common attack techniques work in controlled environments.

The issue is not the applications themselves, but how they are often deployed and maintained in real‑world cloud environments.

Pentera Labs examined how training and demo applications are being used across cloud infrastructures and identified a recurring pattern: applications intended for isolated lab use were frequently found exposed to the public internet, running inside active cloud accounts, and connected to cloud identities with broader access than required.

Deployment Patterns Observed in the Research

Pentera Labs found that these applications were often deployed with default configurations, minimal isolation, and overly permissive cloud roles. Many of these exposed training environments were directly connected to active cloud identities and privileged roles, enabling attackers to move far beyond the vulnerable applications themselves and potentially into the customer’s broader cloud infrastructure.

In these scenarios, a single exposed training application can act as an initial foothold. Once attackers leverage connected cloud identities and privileged roles, they are no longer constrained to the original application or host. Instead, they may gain the ability to interact with other resources within the same cloud environment, significantly increasing the scope and potential impact of the compromise.

As part of the investigation, Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer‑managed infrastructure running on AWS, Azure, or GCP.

Evidence of Active Exploitation

The exposed training environments identified during the research were not simply misconfigured. Pentera Labs observed clear evidence that attackers were actively exploiting this exposure in the wild.

Across the broader dataset of exposed training applications, approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto‑mining activity, web‑shells, and persistence mechanisms. These artifacts indicated prior compromise and ongoing abuse of exposed systems.

The presence of active crypto‑mining and persistence tooling demonstrates that exposed training applications are not only discoverable but are already being exploited at scale.

Scope of Impact

The exposed and exploited environments identified during the research were not limited to small or isolated test systems. Pentera Labs observed this deployment pattern across cloud environments associated with Fortune 500 organizations and leading cybersecurity vendors, including Palo Alto, F5, and Cloudflare.

While individual environments varied, the underlying pattern remained consistent: a training or demo application deployed without sufficient isolation, left publicly accessible, and connected to privileged cloud identities.

Why This Matters

Training and demo environments are frequently treated as low‑risk or temporary assets. As a result, they are often excluded from standard security monitoring, access reviews, and lifecycle‑management processes. Over time, these environments may remain exposed long after their original purpose has passed.

The research shows that exploitation does not require zero‑day vulnerabilities or advanced attack techniques. Default credentials, known weaknesses, and public exposure were sufficient to turn training applications into an entry point for broader cloud access.

Labeling an environment as “training” or “test” does not reduce its risk. When exposed to the internet and connected to privileged cloud identities, these systems become part of the organization’s effective attack surface.
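
The pattern described above (a training app, publicly reachable, attached to a broadly privileged cloud identity) can be checked for in an asset inventory. The following is an added example, not code from Pentera Labs or the original article: the inventory schema, the name-matching rule and the sample records are constructed assumptions, and the role policies use AWS-style policy JSON.

```python
import ipaddress

# Name fragments for the training apps the article lists; substring matching is an assumption.
TRAINING_APPS = ("juice-shop", "dvwa", "hackazon", "bwapp")

def is_training_app(w):
    text = " ".join([w.get("image", ""), *w.get("tags", {}).values()]).lower()
    return any(name in text for name in TRAINING_APPS)

def is_public(w):  # a /0 prefix (0.0.0.0/0 or ::/0) admits the whole internet
    return any(ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0
               for r in w.get("ingress", []))

def as_list(v):
    return [v] if isinstance(v, str) else list(v)

def broad_grants(policy):
    """Allow statements (AWS-style policy JSON) with wildcard actions or resources."""
    found = []
    for s in policy.get("Statement", []):
        actions, resources = as_list(s.get("Action", [])), as_list(s.get("Resource", []))
        wildcard = any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources
        if s.get("Effect") == "Allow" and wildcard:
            found.append((actions, resources))
    return found

def audit(inventory):
    """Return every training-app workload with its exposure factors; 'critical' means all three."""
    report = {}
    for w in filter(is_training_app, inventory):
        public, grants = is_public(w), broad_grants(w.get("role_policy", {}))
        report[w["id"]] = {"public": public, "broad_grants": grants,
                           "critical": public and bool(grants)}
    return report

# Constructed sample inventory; the schema (id/image/tags/ingress/role_policy) is hypothetical.
INVENTORY = [
    {"id": "demo-1", "image": "bkimminich/juice-shop:latest",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 3000}],
     "role_policy": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
    {"id": "lab-2", "image": "vulnerables/web-dvwa", "ingress": [{"cidr": "10.0.0.0/8", "port": 80}],
     "role_policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"id": "web-3", "image": "nginx:1.27", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "train-4", "image": "internal/app:2", "tags": {"purpose": "bWAPP workshop"},
     "ingress": [{"cidr": "::/0", "port": 8080}],
     "role_policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                    "Resource": ["arn:aws:s3:::example-lab-bucket/*"]}]}},
]
```

Calling `audit(INVENTORY)` lists every training workload, so instances that are not yet critical (private but over-privileged, or public but tightly scoped) still surface for lifecycle review.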


Full Pentera Labs research blog: https://go.pentera.io/pentera-labs-exposed-cloud-training-apps

Live webinar (Feb 12): https://go.pentera.io/pentera-labs-exposed-cloud-training-apps-webinar

For questions or discussion, contact [email protected]
