
Exposed Training Opens the Door to Crypto-Mining in Fortune 500 Cloud Environments

IHacker News | February 11, 2026 | Identity Security / Threat Disclosure

Intentional vulnerability training applications are widely used in security education, internal testing, and product demonstrations. Tools like OWASP Juice Shop, DVWA, Hackazon, and bWAPP are designed to be insecure by default, making them useful for learning how common attack techniques work in controlled environments.

The problem is not the applications themselves, but how they are often deployed and stored in real-world cloud environments.

Pentera Labs examined how training and demo applications are used across cloud infrastructures and identified a persistent pattern: applications intended for isolated lab use were often found exposed on the public Internet, running within active cloud accounts, and connected to cloud identities with wider access than necessary.

Deployment Patterns Observed in the Research

Pentera Labs research found that these applications were often deployed with automated configurations, minimal isolation, and over-permissive cloud roles. The investigation found that many of these exposed training environments were directly linked to active cloud identities and privileged roles, which enabled attackers to go beyond the vulnerable applications themselves and potentially into the customer’s broader cloud infrastructure.

In these cases, one exposed training application can serve as a starting point. Once attackers are able to use cloud identities linked to privileged roles, they are no longer tied to the actual application or host. Instead, they can gain the ability to communicate with other services within the same cloud environment, greatly increasing the scope and potential impact of compromise.

As part of the investigation, Pentera Labs confirmed approximately 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure using AWS, Azure, or GCP.

Evidence of Active Exploitation

The exposed training environments identified during the study were not well prepared. Pentera Labs saw clear evidence that attackers were exploiting this vulnerability in the wild.

In the extensive dataset of exposed training applications, approximately 20% of instances were found to contain artifacts used by malicious actors, including crypto-mining, webshells, and persistence methods. These artifacts indicated prior compromises and ongoing abuse of exposed systems.

The presence of active crypto-mining and persistence tools shows that the exposed training applications are not only accessible but already being abused at scale.

Scope of Impact

The exposed and exploited environments identified during the research are not limited to small or isolated test systems. Pentera Labs has seen this deployment pattern across cloud environments associated with Fortune 500 organizations and leading cybersecurity vendors, including Palo Alto, F5, and Cloudflare.

Although the individual environments varied, the basic pattern remained the same: a training or demo application deployed without sufficient isolation, left publicly accessible, and connected to a privileged cloud identity.

Why This Matters

Training and demo environments are often treated as low-risk or temporary assets. As a result, they are often not included in standard security monitoring, access reviews, and lifecycle management processes. Over time, these environments can remain exposed long after their original purpose has passed.

The research shows that exploitation does not require zero-day vulnerabilities or advanced attack techniques. Automated authentication, known vulnerabilities, and public exposure were enough to turn training applications into entry points for wider cloud access.

Labeling an environment as “training” or “testing” does not reduce its risk. When exposed to the Internet and connected to a privileged cloud identity, these systems become part of an organization’s active attack surface.
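
The three conditions the article keeps returning to (a training app, public reachability, a privileged cloud identity) can be checked together during an access review. The sketch below is an added example, not Pentera's tooling or part of the original article; the inventory schema, workload names and name-matching markers are hypothetical, and role policies are assumed to be AWS IAM-style JSON.

```python
import ipaddress

# Name fragments for the apps the article lists; matching on image/tag names is an assumption.
TRAINING_MARKERS = ("juice-shop", "juiceshop", "dvwa", "hackazon", "bwapp")

def is_training_app(w):
    text = " ".join([w.get("image", ""), *w.get("tags", [])]).lower()
    return any(m in text for m in TRAINING_MARKERS)

def is_public(w):
    # A /0 ingress range (IPv4 or IPv6) admits the whole Internet.
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in w.get("ingress_cidrs", []))

def as_list(v):
    # IAM-style JSON allows a single string/object where a list is also valid.
    return [v] if isinstance(v, (str, dict)) else list(v)

def broad_grants(policy):
    # Wildcard actions ("*" or "service:*") allowed on Resource "*".
    out = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "*" not in as_list(st.get("Resource", [])):
            continue
        out += [a for a in as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
    return out

def audit(inventory):
    findings = {}
    for w in inventory:
        if not is_training_app(w):
            continue  # only the training/demo pattern is in scope here
        public = is_public(w)
        grants = [g for p in w.get("role_policies", []) for g in broad_grants(p)]
        findings[w["name"]] = ("critical" if public and grants
                               else "review" if public or grants else "isolated")
    return findings

# Constructed sample inventory (hypothetical schema, not real cloud API output).
INVENTORY = [
    {"name": "sales-demo", "image": "juice-shop:latest", "ingress_cidrs": ["0.0.0.0/0"],
     "role_policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"name": "sec-lab", "image": "dvwa", "tags": ["training"], "ingress_cidrs": ["10.0.0.0/8"],
     "role_policies": [{"Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                                      "Resource": "arn:aws:s3:::lab-fixtures/*"}}]},
    {"name": "workshop", "image": "bwapp", "ingress_cidrs": ["::/0"], "role_policies": []},
    {"name": "payments-api", "image": "payments:4.2", "ingress_cidrs": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY).items():
        print(f"{name}: {verdict}")
```

The check does not evaluate `NotAction`, `Condition` blocks or deny statements, so a "review" or "isolated" verdict still warrants a manual look at the attached role.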

Read the full Pentera Labs research blog and join the live webinar on Feb 12 to learn more about the methodology, discovery process, and real-world exploits seen during this research.

This article was written by Noam Yaffe, Senior Security Researcher at Pentera Labs. For questions or discussion, contact labs@pentera.io
