Threat actors are actively taking advantage of poorly secured web applications designed for security training and internal penetration testing to infiltrate cloud infrastructures belonging to Fortune 500 firms and cybersecurity vendors. These applications include deliberately vulnerable platforms such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP.
Research conducted by automated penetration testing firm Pentera reveals that attackers are using these exposed apps as entry points to compromise cloud systems. Once inside, adversaries have been observed deploying cryptocurrency miners, installing webshells, and moving laterally toward more sensitive assets.
Because these testing applications are intentionally insecure, exposing them to the public internet—especially when they run under highly privileged cloud accounts—creates significant security risks. Pentera identified 1,926 active vulnerable applications accessible online, many tied to excessive Identity and Access Management (IAM) permissions and hosted across AWS, Google Cloud Platform (GCP), and Microsoft Azure environments.
Pentera stated that the affected deployments belonged to several Fortune 500 organizations, including Cloudflare, F5, and Palo Alto Networks. The researchers disclosed their findings to the impacted companies, which have since remediated the issues. Analysis showed that many instances leaked cloud credentials, failed to implement least-privilege access controls, and more than half still relied on default login details—making them easy targets for attackers.
The exposed credentials could allow threat actors to fully access S3 buckets, Google Cloud Storage, and Azure Blob Storage, as well as read and write secrets, interact with container registries, and obtain administrative-level control over cloud environments. Pentera emphasized that these risks were already being exploited in real-world attacks.
"During the investigation, we discovered clear evidence that attackers are actively exploiting these exact attack vectors in the wild – deploying crypto miners, webshells, and persistence mechanisms on compromised systems," the researchers said.
Signs of compromise were confirmed when analysts examined multiple misconfigured applications. In some cases, they were able to establish shell access and analyze data to identify system ownership and attacker activity.
"Out of the 616 discovered DVWA instances, around 20% were found to contain artifacts deployed by malicious actors," Pentera says in the report.
The malicious activity largely involved the use of the XMRig mining tool, which silently mined Monero (XMR) in the background. Investigators also uncovered a persistence mechanism built around a script named ‘watchdog.sh’. When removed, the script could recreate itself from a base64-encoded backup and re-download XMRig from GitHub.
Additionally, the script retrieved encrypted tools from a Dropbox account using AES-256 encryption and terminated rival miners on infected systems. Other incidents involved a PHP-based webshell called ‘filemanager.php’, capable of file manipulation and remote command execution.
This webshell contained embedded authentication credentials and was configured with the Europe/Minsk (UTC+3) timezone, potentially offering insight into the attackers’ location.
Pentera noted that these malicious components were discovered only after Cloudflare, F5, and Palo Alto Networks had been notified and had already resolved the underlying exposures.
To reduce risk, Pentera advises organizations to keep an accurate inventory of all cloud assets—including test and training applications—and ensure they are isolated from production environments. The firm also recommends enforcing least-privilege IAM permissions, removing default credentials, and setting expiration policies for temporary cloud resources.
The full Pentera report outlines the investigation process in detail and documents the techniques and tools used to locate vulnerable applications, probe compromised systems, and identify affected organizations.
