Security Vendors, Fortune 500 Companies Exposed and Exploited

Research from Pentera Labs reveals evidence of active exploitation in customer-managed business cloud environments, particularly those of Fortune 500 companies and cybersecurity vendors. The exploitation targets the security training applications these organizations deploy for demos and training, including OWASP Juice Shop, DVWA and Hackazon.
The research found thousands of exposed systems, several of them hosted on enterprise infrastructure in Azure, AWS and GCP. Around 20% of the exposed systems were determined to “contain artifacts deployed by malicious actors.”
In many cases these applications were deployed by customers with minimal isolation, default configurations and permissive cloud roles. Several exposed training environments were directly linked to active cloud identities and privileged roles, which could allow attackers to move from the intentionally vulnerable applications into the customer’s cloud infrastructure.
Within the compromised hosts, the research identified obfuscated scripts, webshells and persistence mechanisms — evidence of active exploitation.
Nivedita Murthy, Associate Principal Security Consultant at Black Duck, advises, “Organizations should isolate which versions of these apps are being used and have them reviewed before providing them to their teams. Teams can keep a verified version of these apps internally and make it available to the user base instead of allowing the user to download directly from a legitimate site. They should also verify the vulnerabilities found are documented on the tool website and that they are not unknown. These tools should also be used in isolated networks or environments in order for the impact of any malicious activity to be restricted to balance out the need but also ensuring security is in place.”
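The exposure factors the research describes (public reachability, an attached cloud identity, a shared network, an unvetted app version) can be turned into a routine inventory check. The following is an added example written for this article; it is not code from Pentera, Black Duck or any of the training projects named above. The host inventory, the approved image digests and the role name are constructed placeholders, and a real deployment would feed the same checks from the cloud provider's own APIs.

```python
"""Policy check for self-hosted security training apps (constructed example).

Encodes the failure modes the article lists as checks over an inventory of
training hosts: unvetted image, internet-reachable ingress, attached cloud
identity, and placement on a shared rather than isolated network.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional

# Hypothetical internal allow-list of vetted image digests per training app.
# The digests are constructed placeholders, not real image digests.
APPROVED_IMAGES = {
    "juice-shop": {"sha256:" + "a" * 64},
    "dvwa": {"sha256:" + "b" * 64},
    "hackazon": {"sha256:" + "c" * 64},
}

# Ingress limited to these RFC 1918 ranges is treated as internal-only.
INTERNAL_RANGES = [ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class TrainingHost:
    name: str
    app: str
    image_digest: str
    ingress_cidrs: List[str]       # source ranges allowed to reach the app
    cloud_identity: Optional[str]  # attached IAM role / managed identity / service account
    network: str                   # "isolated" = dedicated lab VPC/VNet with no route to production


def is_internal_cidr(cidr: str) -> bool:
    """True only if every address in cidr lies inside one RFC 1918 range."""
    net = ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def evaluate(host: TrainingHost) -> List[str]:
    """Return the policy violations for one host; an empty list means compliant."""
    findings = []
    if host.image_digest not in APPROVED_IMAGES.get(host.app, set()):
        findings.append("unapproved_image")            # not the vetted internal copy
    for cidr in host.ingress_cidrs:
        if not is_internal_cidr(cidr):
            findings.append(f"public_ingress:{cidr}")  # reachable from outside the org
    if host.cloud_identity:
        findings.append("cloud_identity_attached")      # a foothold would inherit cloud permissions
    if host.network != "isolated":
        findings.append("shared_network")               # lateral path into other workloads
    return findings


def audit(hosts: List[TrainingHost]) -> Dict[str, List[str]]:
    """Map host name -> findings, keeping only non-compliant hosts."""
    report = {}
    for host in hosts:
        findings = evaluate(host)
        if findings:
            report[host.name] = findings
    return report


# Constructed sample inventory: one compliant lab host and two misconfigured demos.
SAMPLE_HOSTS = [
    TrainingHost("lab-juice-01", "juice-shop", "sha256:" + "a" * 64,
                 ["10.20.0.0/16"], None, "isolated"),
    TrainingHost("demo-dvwa-02", "dvwa", "sha256:" + "f" * 64,
                 ["0.0.0.0/0"], "arn:aws:iam::000000000000:role/demo-admin", "prod-vpc"),
    TrainingHost("demo-hackazon-03", "hackazon", "sha256:" + "c" * 64,
                 ["203.0.113.0/24", "10.0.0.0/8"], None, "isolated"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS).items():
        print(name, "->", ", ".join(findings))
```

The `is_internal_cidr` check deliberately uses `subnet_of` rather than the `is_private` property: a rule such as `0.0.0.0/0` has private-range endpoints and would otherwise slip through as non-global. Any host with `cloud_identity_attached` or `shared_network` is the case the research highlights, where a compromise of the training app is also a path into the surrounding cloud account.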