{“lastseen”:”2026-02-11T11:37:03″,”description”:”\\n\\nIntentionally vulnerable training applications are widely used for security education, internal testing, and product demonstrations. Tools such as OWASP Juice Shop, DVWA, Hackazon, and bWAPP are designed to be insecure by default, making them useful for learning how common attack techniques work in controlled environments.\\n\\nThe issue is not the applications themselves, but how they are often deployed and maintained in real-world cloud environments.\\n\\nPentera Labs examined how training and demo applications are being used across cloud infrastructures and identified a recurring pattern: applications intended for isolated lab use were frequently found exposed to the public internet, running inside active cloud accounts, and connected to cloud identities with broader access than required.\\n\\n### **Deployment Patterns Observed in the Research**\\n\\nPentera Labs research found that these applications were often deployed with default configurations, minimal isolation, and overly permissive cloud roles. The investigation uncovered that many of these exposed training environments were directly connected to active cloud identities and privileged roles, enabling attackers to move far beyond the vulnerable applications themselves and potentially into the customer\u2019s broader cloud infrastructure.\\n\\nIn these scenarios, a single exposed training application can act as an initial foothold. Once attackers are able to leverage connected cloud identities and privileged roles, they are no longer constrained to the original application or host. Instead, they may gain the ability to interact with other resources within the same cloud environment, significantly increasing the scope and potential impact of the compromise.\\n\\nAs part of the investigation, Pentera Labs verified nearly **2,000 live, exposed training application instances** , with close to **60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP**.\\n\\n\\n\\n### **Evidence of Active Exploitation**\\n\\nThe exposed training environments identified during the research were not simply misconfigured. Pentera Labs observed clear evidence that attackers were actively exploiting this exposure in the wild.\\n\\nAcross the broader dataset of exposed training applications, approximately **20% of instances were found to contain artifacts deployed by malicious actors** , including crypto-mining activity, webshells, and persistence mechanisms. These artifacts indicated prior compromise and ongoing abuse of exposed systems.\\n\\nThe presence of active crypto-mining and persistence tooling demonstrates that exposed training applications are not only discoverable but are already being exploited at scale.\\n\\n### **Scope of Impact**\\n\\nThe exposed and exploited environments identified during the research were not limited to small or isolated test systems. Pentera Labs observed this deployment pattern across cloud environments associated with **Fortune 500 organizations and leading cybersecurity vendors,** including Palo Alto, F5, and Cloudflare.\\n\\nWhile individual environments varied, the underlying pattern remained consistent: a training or demo application deployed without sufficient isolation, left publicly accessible, and connected to privileged cloud identities.\\n\\n### **Why This Matters**\\n\\nTraining and demo environments are frequently treated as low-risk or temporary assets. As a result, they are often excluded from standard security monitoring, access reviews, and lifecycle management processes. Over time, these environments may remain exposed long after their original purpose has passed.\\n\\nThe research shows that exploitation does not require zero-day vulnerabilities or advanced attack techniques. Default credentials, known weaknesses, and public exposure were sufficient to turn training applications into an entry point for broader cloud access.\\n\\nLabeling an environment as \u201ctraining\u201d or \u201ctest\u201d does not reduce its risk. When exposed to the internet and connected to privileged cloud identities, these systems become part of the organization\u2019s effective attack surface.\\n\\nRefer to the full **Pentera Labs research blog** \\u0026 join a live webinar on Feb 12th to learn more about the methodology, discovery process, and real-world exploitation observed during this research. \\n\\n_This article was written by Noam Yaffe, Senior Security Researcher at Pentera Labs. For questions or discussion, contactlabs@pentera.io_\\n\\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-02-11T11:30:00″,”modified”:”2026-02-11T11:30:00″,”type”:”thn”,”title”:”Exposed Training Open the Door for Crypto-Mining in Fortune 500 Cloud Environments”,”source”:””,”references”:””,”id”:”THN:43ED63EC7D4F0C2EC9D699E3D589CC27″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/02\/exposed-training-open-door-for-crypto.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-11T11:37:03″,”description”:”\\n\\nIntentionally vulnerable training applications are widely used for security education, internal testing, and product demonstrations. Tools such as OWASP Juice Shop, DVWA, Hackazon, and bWAPP…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-40377","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n