Vulnerable Training Apps Put Vendors’ Cloud Security at Risk

Key Takeaways:

  • Cybersecurity vendors have been leaving deliberately insecure training applications on the public Internet, which attackers are using to breach their cloud environments.
  • These training applications, such as Hackazon, OWASP Juice Shop, and DVWA, are designed to be vulnerable and are used to train cybersecurity professionals, but they can also be used by attackers to gain access to an organization’s cloud environment.
  • Over 10,000 instances of these vulnerable applications were found on the internet, with 1,926 of them being active and accessible.
  • 165 of the instances had identity and access management (IAM) roles attached, and 109 were over-permissioned, allowing attackers to move laterally within the victim organization’s cloud environment.
  • Major security vendors, including F5, Cloudflare, and Palo Alto Networks, have been exposed to these vulnerabilities.

Introduction to the Problem
Security vendors have been leaving deliberately insecure training applications on the public Internet, and attackers have been taking advantage of them to breach their cloud environments. These training applications, such as Hackazon, are designed to be vulnerable and are used to train cybersecurity professionals, but they can also be used by attackers to gain access to an organization’s cloud environment. In a recent report, Pentera researcher Noam Yaffe highlighted the risks associated with these applications and demonstrated how they can be used to breach the cloud environments of major security vendors.

The Discovery of Vulnerable Training Applications
Yaffe’s discovery of the vulnerable training applications began when he was assessing a client’s cloud security posture and found an application that looked broken and didn’t seem to be a part of the client’s product. After investigating further, he realized that the application was called Hackazon, a mock e-commerce site with software vulnerabilities built in. The application was running directly in production on the client’s Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance, and Yaffe was able to exploit a vulnerability to gain remote code execution (RCE) and access the client’s cloud environment.

The Full Scope of the Risk
Yaffe’s next question was whether this might not be the only company whose training program doubled as a doormat for cyberattackers. Using open-source scanning tools, he probed the Web for more instances of Hackazon and other vulnerable applications, and found over 10,000 instances, with 1,926 of them being active and accessible from the internet. He verified that 165 of the instances had identity and access management (IAM) roles attached, and 109 were over-permissioned, allowing attackers to move laterally within the victim organization’s cloud environment.
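The three conditions Yaffe counted, an application reachable from the internet, an IAM role attached to the instance that hosts it, and a role policy broad enough to allow lateral movement, can be checked from an asset inventory before an attacker does it for you. The script below is an added example and not part of the Pentera report; it assumes a hypothetical inventory record (`Instance`) that a real pipeline would build from EC2 and IAM exports, and it treats a role as over-permissioned when any Allow statement grants a wildcard action on a wildcard resource. The sample inventory is constructed for illustration.

```python
"""Rate EC2 instances by the exposure pattern described in the report:
internet-facing host + attached IAM role + over-broad role policy.
Added example; the inventory shape is hypothetical, not an AWS API type."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Instance:
    """One instance as an inventory export might describe it (hypothetical
    shape; populate it from ec2:DescribeInstances and the role's policies)."""
    instance_id: str
    public_ip: Optional[str]
    ingress_cidrs: List[str]          # inbound security-group sources
    role_name: Optional[str]          # instance-profile role, if any
    policy_documents: List[dict] = field(default_factory=list)


def is_internet_exposed(inst: Instance) -> bool:
    """Public address plus an inbound rule whose source is the whole internet."""
    if not inst.public_ip:
        return False
    return any(
        ipaddress.ip_network(cidr, strict=False).prefixlen == 0
        for cidr in inst.ingress_cidrs
    )


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy: dict) -> List[dict]:
    """Allow statements granting a wildcard action ('*' or 'svc:*') on Resource '*'."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            hits.append(stmt)
    return hits


def assess(inst: Instance) -> str:
    """'critical' is the combination from the report: an internet-facing
    instance whose attached role is over-permissioned."""
    exposed = is_internet_exposed(inst)
    broad = [s for p in inst.policy_documents for s in overbroad_statements(p)]
    if exposed and inst.role_name and broad:
        return "critical"
    if exposed and inst.role_name:
        return "high"
    if exposed:
        return "medium"
    return "low"


def report(instances: List[Instance]) -> Dict[str, str]:
    """Map each instance id to its rating."""
    return {inst.instance_id: assess(inst) for inst in instances}


# Constructed sample inventory: addresses, ids and role names are made up.
SAMPLE = [
    Instance("i-0aaa111", "203.0.113.10", ["0.0.0.0/0"], "training-app-role",
             [{"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]),
    Instance("i-0bbb222", "203.0.113.11", ["0.0.0.0/0"], "web-role",
             [{"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow",
                              "Action": ["s3:GetObject"],
                              "Resource": "arn:aws:s3:::example-assets/*"}]}]),
    Instance("i-0ccc333", None, ["10.0.0.0/8"], "training-app-role",
             [{"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}]),
]


if __name__ == "__main__":
    for iid, rating in report(SAMPLE).items():
        print(f"{iid}: {rating}")
```

The "high" bucket is worth reviewing too: a scoped role on a public host is still a credential an attacker can read from the instance metadata service after code execution, so these instances belong on the same remediation list even if the policy looks narrow.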

Major Security Vendors Exposed
The problem is even more severe because the companies that are most vulnerable to these attacks are typically in the cybersecurity industry. Yaffe’s research found that major security vendors, including F5, Cloudflare, and Palo Alto Networks, had exposed instances of these vulnerable applications. In one case, Yaffe was able to penetrate the cloud infrastructure of a company that used DVWA and found that the account was connected to Palo Alto Networks, giving him administrative access to the infrastructure.

The Attacker’s Motivation
Yaffe’s research also found that attackers are already exploiting these vulnerabilities to gain access to organizations’ cloud environments. Out of 616 Web servers running DVWA, 20% contained artifacts from cyberattacks, including the XMRig cryptominer. However, it is unclear why attackers are stopping at cryptomining, given the potential for complete organizational compromise. Yaffe has notified the affected companies and encouraged them to check for any other malicious activity.

Conclusion
The discovery of vulnerable training applications on the public Internet highlights the need for organizations to be more careful about what they expose to the internet. These applications, while useful for training purposes, can also be used by attackers to gain access to an organization’s cloud environment. It is essential for organizations to ensure that these applications are properly secured and not exposed to the internet, and for security vendors to take responsibility for securing their own environments. By taking these steps, organizations can reduce the risk of being breached through these vulnerable applications.
