SECURITY
Vulnerable training and demo applications exposed to the public internet are being actively exploited and used as entry points for full cloud account compromise at major enterprises, including Fortune 500 companies.
That’s according to a new report out today from Pentera Labs, the research arm of Pentera Security Ltd. The report, When the Lab Door Stays Open, details how intentionally vulnerable applications, including the OWASP Juice Shop, Damn Vulnerable Web Application and Hackazon, are frequently deployed for internal testing, product demonstrations and security education — but are often left running in production cloud environments with minimal safeguards.
According to Pentera Labs, the exposed applications are rarely treated as real infrastructure despite running on the same cloud platforms as production workloads. The apps were found to be accessible with default credentials or trivial exploits that enabled remote code execution.
Because the training and demo apps share the same cloud platform, once an attacker was able to compromise one, it opened the door to far more. That includes the ability to query cloud metadata services and extract temporary credentials tied to identity and access management roles, including administrator-level permissions.
The result is a direct path from a low-priority lab environment to an organization’s most sensitive cloud assets.
The problem is not a particularly small one, either, with the Pentera Labs researchers finding 1,926 verified, internet-exposed vulnerable applications after scanning more than 10,000 candidates across platforms such as Shodan and Censys. Nearly 60% of the verified instances were hosted on major cloud providers, including Amazon Web Services Inc., Google Cloud Platform and Microsoft Azure.
The researchers found 109 unique credential sets associated with the instances, many of which granted broad permissions, such as access to object storage, secrets managers and container registries, and the ability to create or destroy cloud resources.
Moreover, many of the vulnerable apps are under active exploitation. About 20% of exposed instances contained artifacts typically deployed by attackers, such as cryptocurrency miners, PHP web shells and sophisticated persistence mechanisms designed to survive cleanup attempts.
The report also details multiple responsibly disclosed case studies involving major technology and security vendors, where a single exposed training application could have enabled wide-ranging access to cloud resources. The affected organizations were contacted before the report was published and the issues were remediated, but Pentera Labs says the underlying pattern is systemic rather than isolated.
The researchers conclude by explaining that most of the risks identified are preventable through basic security hygiene, including maintaining a complete asset inventory, enforcing least-privilege access, isolating nonproduction environments, disabling default credentials and implementing lifecycle management for temporary resources.
The report also notes that setting up an environment for training or testing does nothing to reduce its attractiveness to attackers. The researchers warn that if it’s internet-facing and connected to cloud credentials, it should be treated as a first-class security concern.
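The chain described above (compromised demo app, metadata service, temporary role credentials, cloud resources) leaves a trail in the cloud audit log. The following is an added example, not code from the Pentera report or from any of the projects named, showing one detection over constructed CloudTrail-style events: it flags a lab instance role's temporary credentials being used from an IP other than the lab host, and any lab role calling services a demo app never needs. The role name, IP addresses and service lists are assumptions.

```python
"""Flag misuse of temporary credentials issued to lab/demo instance roles.
Events are CloudTrail-shaped dicts; two signals are checked: a lab role's
session used from an IP other than its host (credentials lifted via the
metadata service), and a lab role calling services a demo app never needs."""

# Assumption: lab/demo instance roles are known along with the public IP their
# host egresses from. The role name and all IPs here are constructed samples.
LAB_ROLE_EGRESS = {"juice-shop-demo-role": "203.0.113.10"}
# Services and actions a training app should never need; tune per environment.
SENSITIVE_SOURCES = {"iam.amazonaws.com", "secretsmanager.amazonaws.com"}
SENSITIVE_EVENTS = {"RunInstances", "TerminateInstances", "CreateUser", "CreateAccessKey"}

def session_role(event):
    """Return the role name behind an AssumedRole session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")

def find_suspicious(events, lab_role_egress=LAB_ROLE_EGRESS):
    """Return (eventID, reason) pairs for events matching either signal."""
    findings = []
    for ev in events:
        role = session_role(ev)
        if role not in lab_role_egress:
            continue  # not a lab-role session; out of scope for this detector
        ip = ev.get("sourceIPAddress")
        if ip != lab_role_egress[role]:
            findings.append((ev["eventID"], f"{role} used from unexpected IP {ip}"))
        if ev.get("eventSource") in SENSITIVE_SOURCES or ev.get("eventName") in SENSITIVE_EVENTS:
            findings.append((ev["eventID"], f"{role} called {ev['eventSource']}:{ev['eventName']}"))
    return findings

def _event(eid, ptype, role, ip, source, name):
    """Build a minimal CloudTrail-style record (constructed sample data)."""
    ident = {"type": ptype}
    if ptype == "AssumedRole":
        ident["sessionContext"] = {"sessionIssuer": {"userName": role}}
    return {"eventID": eid, "userIdentity": ident, "sourceIPAddress": ip,
            "eventSource": source, "eventName": name}

SAMPLE_EVENTS = [  # constructed, not taken from the report
    _event("ev-1", "AssumedRole", "juice-shop-demo-role", "203.0.113.10", "s3.amazonaws.com", "GetObject"),
    _event("ev-2", "AssumedRole", "juice-shop-demo-role", "198.51.100.77", "secretsmanager.amazonaws.com", "GetSecretValue"),
    _event("ev-3", "AssumedRole", "juice-shop-demo-role", "203.0.113.10", "ec2.amazonaws.com", "RunInstances"),
    _event("ev-4", "AssumedRole", "prod-api-role", "198.51.100.5", "iam.amazonaws.com", "CreateUser"),
    _event("ev-5", "IAMUser", None, "192.0.2.8", "s3.amazonaws.com", "ListBuckets"),
]
```

Running `find_suspicious(SAMPLE_EVENTS)` yields three findings: ev-2 twice (off-host use and a Secrets Manager call) and ev-3 once (a lab role launching instances); the production-role and IAM-user events are left to other detectors.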