
Publicly exposed training and demo apps in cloud environments are being abused at scale

Target Trend
Happening score (H score): 38
1 unique source, 1 article

Summary


Publicly exposed training and demo applications are showing up at scale in AWS, Azure, and GCP, turning lab systems into real cloud footholds. Researchers verified nearly 2,000 live instances, and about 20% already contained malicious artifacts such as crypto-mining, webshells, and persistence tools. The findings matter because these apps were often connected to privileged cloud identities, letting attackers move beyond the vulnerable application into broader infrastructure.

Related Happenings

Unit 42 Zealot proves autonomous cloud attack chaining in GCP

Technical Analysis
First: 23.04.2026 13:00 Last: 23.04.2026 13:00 Sources 1

About this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...

XM Cyber maps eight validated AWS Bedrock attack vectors across connected enterprise integrations

Technical Analysis
First: 23.03.2026 13:55 Last: 23.03.2026 13:55 Sources 1

About this happening: **XM Cyber** mapped **eight validated attack vectors** in **AWS Bedrock**, showing how over-privileged permissions can expose logs, knowledge bases, agents, flows, guardrails, and...

AWS Bedrock AgentCore Code Interpreter DNS exfiltration and covert C2 in Sandbox Mode

Technical Analysis
First: 16.03.2026 15:00 Last: 16.03.2026 15:00 Sources 1

About this happening: Researchers demonstrated **DNS-based exfiltration** and covert **C2** against **AWS Bedrock AgentCore Code Interpreter**, showing cloud AI code execution environments can still le...

Elastic Cloud SIEM stolen-data campaign

Campaign
First: 09.03.2026 17:45 Last: 09.03.2026 17:45 Sources 1

About this happening: The **Elastic Cloud SIEM** abuse campaign has been uncovered across **dozens of organizations**, turning a legitimate security platform into a stolen-data hub and increasing opera...

BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave

Exploitation Wave
First: 12.02.2026 23:34 Last: 12.02.2026 23:34 Sources 1

About this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...

Timeline

  1. 11.02.2026 13:30 2 articles · 3mo ago

    Exposed training apps abused across cloud accounts

    Campaign Scope Update

    Pentera Labs identified a recurring cloud-abuse pattern in publicly exposed training and demo applications such as OWASP Juice Shop, DVWA, Hackazon, and bWAPP: nearly 2,000 live instances were verified, about 60% on customer-managed AWS, Azure, or GCP infrastructure, and roughly 20% contained malicious artifacts including crypto-mining, webshells, and persistence mechanisms. The exposed systems were often deployed with default configurations, minimal isolation, and overly permissive cloud roles, creating a foothold that could extend into broader cloud resources at organizations including Palo Alto, F5, and Cloudflare.
