Exposed Cloud Training Apps Used as Entry Points for Crypto-Mining Attacks
Event summary
- Pentera Labs found thousands of exposed cloud training applications used by Fortune 500 companies and cybersecurity vendors, with 20% showing signs of crypto-mining activity.
- Misconfigured training apps on AWS, Azure, and GCP were directly connected to active cloud identities and privileged roles.
- Attackers exploited these systems to obtain cloud credentials and deploy crypto-miners, potentially enabling broader cloud infrastructure access.
- Pentera Labs discovered webshells, obfuscated scripts, and persistence mechanisms on compromised hosts.
- The findings were disclosed to vulnerable organizations for remediation.
The big picture
The discovery highlights a critical gap in cloud security practices, where training applications—often deemed non-production—are left exposed with default configurations and permissive roles. This trend underscores the need for continuous security validation in enterprise cloud environments, as attackers increasingly target seemingly low-priority systems to gain access to broader infrastructure. The findings also emphasize the importance of isolating training environments to prevent lateral movement and privilege escalation.
What we're watching
- Remediation Progress: How quickly affected organizations address the misconfigurations and potential breaches identified by Pentera Labs.
- Attack Surface Expansion: Whether attackers will continue to exploit training applications as entry points for broader cloud infrastructure attacks.
- Security Validation Adoption: The pace at which enterprises adopt continuous threat exposure management (CTEM) to prevent similar vulnerabilities.