'Damn Vulnerable' Training Apps Leave Vendors' Clouds Exposed

Security vendors have been leaving deliberately insecure training applications on the public Internet, and attackers have been taking advantage of them to breach their cloud environments.
In a newly published report, Pentera researcher Noam Yaffe highlights another lesser-known but potentially more dangerous backdoor into organizations, one that, ironically, is more common among cybersecurity vendors than among anyone else: cybersecurity training applications. These applications are insecure by design, and hackers are already leveraging the all-too-often over-permissioned and Internet-exposed deployments to access IT systems at major security vendors like F5, Cloudflare, and Palo Alto Networks.
Yaffe recalls that when he and a colleague were assessing a client’s cloud security posture, they found an app that looked broken. He realized, “It was called ‘Hackazon.’ And I was like: Oh, it’s what they call a ‘damn vulnerable app.’” Developed by Deloitte, Hackazon is a mock e-commerce site with software vulnerabilities built in. Yaffe’s client ran the app directly in production, on the company’s very real Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. He exploited an insecure file upload vulnerability to gain remote code execution (RCE), pivoted from the fake site to the real cloud instance’s metadata service, and retrieved its credentials. It turned out that not only did Hackazon have an identity and access management (IAM) role attached, but the role read “AdministratorAccess.” “So we got the credentials, we connected to the full cloud environment, and then we gained lateral movement, being administrators of the client’s whole cloud environment,” Yaffe recalls.
Using open source (OSS) scanning tools, he probed the Web for more instances of Hackazon and other damn vulnerable apps like it, including OWASP Juice Shop, Damn Vulnerable Web Application (DVWA), and Buggy Web Application (bWAPP). He found more than 10,000, then verified that 1,926 of them were active and accessible from the Internet. They were deployed across 1,626 unique servers, though he chose to focus only on the 974 that ran on AWS, Google Cloud (GCP), or Microsoft Azure. Of those 974, 165 had IAM roles attached; 109 were over-permissioned, granting Yaffe ample ability to reach deeper and move laterally within the victim organization’s cloud environment. The problem is far worse than this, since Yaffe studied it for only a few months and did not test the 652 vulnerable servers that were self-hosted or deployed to less popular cloud platforms, which carry the same risks.
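The chain above has two links a defender can audit for: an EC2 instance that still serves the metadata service over IMDSv1 (the easy hop after RCE) and an attached IAM role whose policy is a blanket wildcard Allow, as AdministratorAccess is. The script below is an added example, not Pentera's tooling or anything from the report; it walks constructed data in the shape of AWS DescribeInstances and GetPolicyVersion responses (instance IDs, account number, profile ARNs and Name tags are all made up) and flags the combinations that made the Hackazon case so damaging. With boto3 the same data would come from `ec2.describe_instances()` and `iam.get_policy_version()`.

```python
"""Audit EC2 instances for the two conditions behind the attack chain above:
an over-permissive instance role and a metadata service still reachable via IMDSv1.
Added example with constructed input; not code from the article or from Pentera."""

# Constructed sample in the shape of an EC2 DescribeInstances response.
SAMPLE_INSTANCES = [
    {
        "InstanceId": "i-0aaaa11111111111a",  # constructed
        "Tags": [{"Key": "Name", "Value": "hackazon-demo"}],
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/lab-admin"},
        "MetadataOptions": {"HttpTokens": "optional"},  # IMDSv1 still answers
    },
    {
        "InstanceId": "i-0bbbb22222222222b",
        "Tags": [{"Key": "Name", "Value": "api-prod"}],
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/api-reader"},
        "MetadataOptions": {"HttpTokens": "required"},  # IMDSv2 enforced
    },
    {
        "InstanceId": "i-0cccc33333333333c",
        "Tags": [{"Key": "Name", "Value": "dvwa-training"}],
        "MetadataOptions": {"HttpTokens": "optional"},  # no role attached at all
    },
]

# Constructed mapping: instance profile ARN -> policy documents on its role.
# The first document has the shape of the AWS-managed AdministratorAccess policy.
SAMPLE_ROLE_POLICIES = {
    "arn:aws:iam::123456789012:instance-profile/lab-admin": [
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
    "arn:aws:iam::123456789012:instance-profile/api-reader": [
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow",
                        "Action": ["s3:GetObject"],
                        "Resource": "arn:aws:s3:::api-config/*"}]},
    ],
}

# Heuristic (assumption): Name-tag substrings for the training apps named in the article.
TRAINING_APP_MARKERS = ("hackazon", "juice", "dvwa", "bwapp")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_is_admin_like(stmt):
    """True for an Allow statement granting '*' or a whole-service wildcard
    (e.g. 'iam:*') on Resource '*'."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    broad_action = any(a == "*" or a.endswith(":*") for a in actions)
    return broad_action and "*" in resources


def role_is_overpermissive(policy_docs):
    return any(statement_is_admin_like(s)
               for doc in policy_docs for s in doc.get("Statement", []))


def looks_like_training_app(instance):
    """Heuristic only: match the Name tag against known training-app names."""
    names = [t.get("Value", "").lower() for t in instance.get("Tags", [])
             if t.get("Key") == "Name"]
    return any(m in n for n in names for m in TRAINING_APP_MARKERS)


def assess_instance(instance, role_policies):
    """Return a list of finding strings for one instance (empty list = clean)."""
    findings = []
    if instance.get("MetadataOptions", {}).get("HttpTokens") != "required":
        findings.append("IMDSv1 allowed: set HttpTokens=required")
    profile_arn = instance.get("IamInstanceProfile", {}).get("Arn")
    if profile_arn and role_is_overpermissive(role_policies.get(profile_arn, [])):
        findings.append("over-permissive role: wildcard Allow on Resource '*'")
    if looks_like_training_app(instance):
        findings.append("training app: must not carry a role or face the Internet")
    return findings


def audit(instances, role_policies):
    """Map every InstanceId to its findings so the report can be diffed over time."""
    return {i["InstanceId"]: assess_instance(i, role_policies) for i in instances}


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_INSTANCES, SAMPLE_ROLE_POLICIES).items():
        print(instance_id, "OK" if not findings else "; ".join(findings))
```

The role check is the one that matters most: requiring IMDSv2 shuts the simple server-side-request route to the metadata service, but once an attacker has RCE on the box they can still request a token, so what the role is allowed to do bounds the blast radius. A training app needs no role at all; if it must run in a cloud account, it belongs in a throwaway account with no instance profile and no public ingress.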
With temporary cloud credentials in hand, it took Yaffe no time at all to realize the kinds of organizations he was now penetrating: large, global ones, Fortune 500 companies, and the like. For instance, when exploiting a company that used DVWA, Yaffe penetrated its underlying cloud infrastructure, recalling, “I was going into the organization’s settings, and I saw the account was connected to Palo Alto Networks. And I was like, ‘All right, I’m an admin inside of infrastructure at Palo Alto.’” Ironically, the companies that are so vulnerable — those that most often use damn vulnerable apps — are typically in the cybersecurity industry.
To read the complete article, see Dark Reading.

This post is licensed under CC BY 4.0 by the author.