
Pentera Discovers Exposed Cloud Training Applications Actively Exploited with Crypto-Miners

  • Writer: Kelsie Papenhausen

Pentera Labs research uncovers evidence of active attacker activity within customer-managed enterprise cloud environments operated by Fortune 500 companies and leading cybersecurity vendors, including compromise and crypto-mining activity


Boston, Mass — January 21, 2026 — Pentera, the leader in AI-Powered Security Validation, has released new research from Pentera Labs revealing the active exploitation of training applications deployed within customer-managed cloud environments used by Fortune 500 organizations and major security vendors.


These applications, commonly used for security demos and hands-on training, include open-source projects such as OWASP Juice Shop, DVWA, and Hackazon. Pentera Labs identified thousands of exposed systems, many of which are hosted on enterprise-owned infrastructure running on AWS, Azure, and GCP cloud platforms. Approximately 20% of the exposed environments identified were found to contain artifacts consistent with unauthorized activity, including crypto-mining activity.


Pentera Labs research found that these applications were often deployed by customers with default configurations, minimal isolation, and overly permissive cloud roles. The investigation uncovered that many of these exposed training environments were directly connected to active cloud identities and privileged roles, potentially enabling attackers to move far beyond the intentionally vulnerable apps themselves and into the customer’s broader cloud infrastructure.


“One misconfigured training app was enough for attackers to obtain cloud credentials and deploy miners at an organization’s expense,” said Noam Yaffe, Senior Security Researcher at Pentera Labs and Team Lead of Pentera’s Offensive Security Services. “These systems may be labeled ‘non-production,’ but the access they expose is very real for thousands of organizations.”


Pentera Labs also discovered webshells, obfuscated scripts, and persistence mechanisms on compromised hosts, providing further evidence that adversaries are treating these publicly accessible “lab” systems as convenient footholds into enterprise cloud accounts. From this position, attackers could have expanded their access in several ways, including lateral movement across cloud resources, privilege escalation through over-permissive roles, tampering with CI/CD workloads, or inserting themselves into software supply chain processes. 


The complete investigation, including findings, methodology, and evidence of attacker activity, is available here.


The findings were initially discovered by Security Researcher Noam Yaffe. Pentera Labs has disclosed its findings to the known vulnerable organizations to ensure that they can eliminate these gaps.

 
 