Purposely flawed training apps are largely used for security education, product demonstrations, and internal testing. Tools like bWAPP, OWASP Juice Shop, and DVWA are built to be unsafe by default, making them useful to learn how common attack tactics work in controlled scenarios.
The problem is not the applications but how they are used in real-world cloud environments.
Penetra Labs studied how training and demo apps are being deployed throughout cloud infrastructures and found a recurring pattern: apps made for isolated lab use were mostly found revealed to the public internet, operating within active cloud profiles, and linked to cloud agents with larger access than needed.
Deployment Patterns analysis
Pentera Labs found that these apps were often used with default settings, extra permissive cloud roles, and minimal isolation. The research found that alot of these compromised training environments were linked to active cloud agents and escalated roles, allowing attackers to infiltrate the vulnerable apps themselves and also tap into the customer’s larger cloud infrastructure.
In the contexts, just one exposed training app can work as initial foothold. Once the threat actors are able to exploit linked cloud agents and escalated roles, they are accessible to the original host or application. But they can also interact with different resources in the same cloud environment, raising the scope and potential impact of the compromise.
As part of the investigation, Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP.
Proof of active exploitation
The investigation revealed that the exposed training environments weren’t just improperly set up. Pentera Labs found unmistakable proof that attackers were actively taking advantage of this vulnerability in the wild.
About 20% of cases in the larger dataset of training applications that were made public were discovered to have malicious actor-deployed artifacts, such as webshells, persistence mechanisms, and crypto-mining activity. These artifacts showed that exposed systems had already been compromised and were still being abused.
The existence of persistence tools and active crypto-mining indicates that exposed training programs are already being widely exploited in addition to being discoverable.
Read the original article: