Security Operations, SOC, Cloud Security, Application security, Patch/Configuration Management

Hundreds of vulnerable test environments exposed, targeted by crypto miners

Researchers discovered nearly 1,000 cloud environments vulnerable to exploitation due to misconfigurations exposing security testing applications to the internet, Pentera reported Wednesday.

The Pentera Labs team initially discovered a web-exposed instance of Hackazon during a cloud security assessment for a client. Hackazon is an intentionally vulnerable application meant for internal security testing and training.

Following this discovery, the team began to scan the web for more exposed instances of Hackazon and similar testing apps such as OWASP Juice Shop, Damn Vulnerable Web Application (DVWA) and Buggy Web Application (bWAPP).

Using tools like Censys and Shodan, the researchers uncovered 1,926 live, vulnerable applications, 974 of which ran on enterprise-owned cloud infrastructure hosted by major providers including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP).

Vulnerable test environments grant access to privileged credentials

The researchers developed a Python tool to automate exploitation of the known remote code execution (RCE) vulnerabilities in these applications in order to query cloud metadata services, retrieve cloud identity names and temporary credentials, extract machine environment variables and detect any evidence of previous exploitation by attackers in the wild.


Related reading:


This process uncovered 109 sets of credentials with unique identity or role names, many of which had greater privileges and access than necessary for the application’s purpose. The researchers also found active secrets such as GitHub tokens and Slack keys, proprietary source code and data from real users exposed through several of the vulnerable environments.

Exposed identities included those attached to cloud resources owned by Cloudflare, F5 and Palo Alto Networks, which were reported and resolved by the companies without any access to sensitive data or evidence of compromise.

Cryptojacking, webshell found on exposed instances

Of the 616 total DVWA instances examined, about 20% revealed artifacts of previous exploitation by real threat actors, with the XMRig cryptocurrency miner being one of the payloads found in compromised environments.

Researchers also found a persistence script called watchdog.sh being used in conjunction with cryptojacking operations, which automatically recovers XMRig if it is removed and runs dual processes to recover itself if one of its processes fails.

Another payload found during the investigation was a PHP webshell called filemanager.php, which provided attackers with full filesystem access and command execution abilities. The evidence of these real attacks demonstrates the risks of both cloud resource hijacking and data security that exposed vulnerable testing apps can pose to organizations, Pentera said.

The researchers noted that about 54% of the DVWA instances observed used the default username “admin” and default password “password” for login, granting admin access to the app and making it even easier to achieve RCE by lowering the security settings.

Pentera made their framework for discovering these vulnerable test apps, called SigInt, open source, which could help organizations discover their own exposed test environments.

The company urges organizations to ensure their testing or training environments are properly inventoried, audited for exposure, isolated from production environments and only attached to identities with the least privileges necessary for their purpose. Temporary resources, such as those meant for demos or testing, should also be set to automatically expire in order to reduce potential attack surface.

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds