Pentera Flags Active Exploitation of Cloud Training Apps in Fortune 500 Environments


Pentera has released new research from Pentera Labs showing that intentionally vulnerable training applications in customer-managed cloud environments, including those used by Fortune 500 companies and major cybersecurity vendors, are being actively abused by attackers. The team identified thousands of exposed systems running popular demo and training tools such as OWASP Juice Shop, DVWA, and Hackazon on AWS, Azure, and GCP infrastructure owned by enterprises, with roughly 20% showing indicators of compromise, including crypto-mining. According to Pentera Labs, many of these environments were deployed with default settings, weak isolation, and overly broad cloud permissions, leaving them directly connected to live cloud identities and privileged roles.

Pentera’s analysis found evidence of webshells, obfuscated scripts, persistence mechanisms, and mining software on compromised hosts, indicating that adversaries are treating these “lab” systems as initial footholds into corporate cloud estates. From there, attackers could potentially move laterally across cloud resources, escalate privileges via misconfigured roles, tamper with CI/CD workloads, or interfere with software supply chain processes, creating material operational and financial risk for affected organizations. Senior Security Researcher Noam Yaffe noted that a single misconfigured training app was sufficient for attackers to obtain cloud credentials and deploy miners at an organization’s expense. Pentera Labs has notified affected organizations and published a detailed investigation, including methodology and evidence, underscoring the company’s role in helping enterprises identify and remediate real-world exposure as part of continuous threat exposure management and security validation strategies.
