Cloudflare, F5 and Palo Alto Networks: Hackers exploit security testing apps to breach Fortune 500 firms

Cybercriminals Exploit Misconfigured Security Training Apps to Breach Fortune 500 Cloud Environments

Threat actors are actively targeting misconfigured web applications used for security training and penetration testing, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to infiltrate cloud environments belonging to Fortune 500 companies and security vendors. A recent investigation by Pentera, an automated penetration testing firm, uncovered 1,926 exposed, vulnerable instances of these intentionally insecure apps on AWS, GCP, and Azure, many tied to overly permissive IAM (Identity and Access Management) roles.

The exposed applications, often deployed with default credentials or excessive privileges, provided attackers with pathways to cloud storage (S3, GCS, Azure Blob), Secrets Manager access, container registries, and full admin control over compromised environments. Among the affected organizations were Cloudflare, F5, and Palo Alto Networks, all of which have since remediated the issues after being notified by Pentera.

Active Exploitation Confirmed

Pentera’s findings confirmed that the threat was not theoretical: attackers had already exploited these misconfigurations to:

  • Deploy crypto miners (primarily XMRig for Monero mining) on compromised systems.
  • Install webshells (e.g., filemanager.php), enabling file manipulation and remote command execution.
  • Establish persistence via a watchdog.sh script, which reinstalled itself from a base64-encoded backup and re-downloaded mining tools from GitHub if removed.

In one case, 20% of the 616 discovered DVWA instances contained malicious artifacts, including AES-256-encrypted tools downloaded from Dropbox and a webshell with hardcoded credentials, suggesting possible ties to operators in Europe/Minsk (UTC+3).

Root Causes & Risks

The vulnerabilities stemmed from:

  • Public exposure of testing apps meant for internal use.
  • Overly permissive IAM roles, violating the least-privilege principle.
  • Default or unchanged credentials, allowing easy takeover.
  • Lack of isolation between testing and production environments.

Pentera’s report highlights the need for organizations to inventory all cloud resources, enforce strict IAM policies, and automatically expire temporary assets to mitigate such risks. The incident underscores how even security-focused firms can fall victim to overlooked misconfigurations in non-production systems.
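As an added illustration of two of the controls the report calls for (not Pentera's or any vendor's code), the following audits an AWS-style IAM policy document for the over-permissive patterns described above and flags lab assets past a hypothetical `expires` tag; the policies and asset list are constructed samples.

```python
"""Audit lab-role IAM policies for broad grants and flag expired lab assets."""
import json
from datetime import datetime, timezone

# Constructed sample: the kind of policy often attached to a throwaway lab role.
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: the same role scoped to what a training app actually needs.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-lab-assets/*"}],
})

# Services the article names as reachable from the exposed apps.
SENSITIVE_PREFIXES = ("s3:", "secretsmanager:", "ecr:", "iam:")

# Constructed sample inventory; 'expires' is a hypothetical tag name.
LAB_ASSETS = [
    {"name": "dvwa-lab-ec2", "tags": {"expires": "2025-12-01T00:00:00+00:00"}},
    {"name": "juice-shop-eval", "tags": {"expires": "2026-03-01T00:00:00+00:00"}},
    {"name": "bwapp-old", "tags": {}},  # no expiry tag at all
]


def audit_policy(policy_json: str) -> list[str]:
    """Return findings for Allow statements granting wildcard or broad access."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.startswith(SENSITIVE_PREFIXES) and "*" in resources:
                findings.append(f"statement {i}: {action} on all resources")
    return findings


def expired_assets(assets, now: datetime) -> list[str]:
    """Names of assets whose expiry has passed or that carry no expiry tag."""
    out = []
    for asset in assets:
        exp = asset.get("tags", {}).get("expires")
        if exp is None or datetime.fromisoformat(exp) <= now:
            out.append(asset["name"])  # untagged lab assets never expire: flag them
    return out
```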

Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-security-testing-apps-to-breach-fortune-500-firms/

Cloudflare cybersecurity rating report: https://www.rankiteo.com/company/cloudflare

F5 cybersecurity rating report: https://www.rankiteo.com/company/f5

Palo Alto Networks cybersecurity rating report: https://www.rankiteo.com/company/palo-alto-networks

Incident record: id CLOF5PAL1769009143; linked entities: cloudflare, f5, palo-alto-networks; type: Breach; date: 1/2026; severity: 85; impact: 4; explanation: attack with significant impact, with customer data leaks.