### #InfrastructureSecurity #PolicyExploitation #CloudBreach
Summary: Cybersecurity researchers have revealed new attack techniques targeting infrastructure-as-code (IaC) and policy-as-code (PaC) tools, specifically HashiCorp’s Terraform and Open Policy Agent (OPA), which exploit domain-specific languages to compromise cloud platforms and exfiltrate sensitive data. Despite their enhanced security features, these tools are not immune to sophisticated attacks that leverage their inherent functionalities.
Threat Actor: Unknown | unknown
Victim: Organizations using IaC and PaC tools | organizations using IaC and PaC tools
Key Point :
- Attackers can exploit compromised access keys to insert malicious Rego policies into OPA servers, enabling unauthorized actions.
- Even with restrictions, attackers can utilize the “net.lookup_ip_addr” function for data exfiltration via DNS tunneling.
- In Terraform, malicious changes can be executed during the CI/CD process through unreviewed “terraform plan” commands in pull requests.
- Recommendations to mitigate risks include implementing granular RBAC, application-level logging, and preventing automatic execution of unreviewed code.
- Utilizing IaC scanning tools like Terrascan and Checkov can help identify misconfigurations before deployment.
Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp’s Terraform and Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data.
“Since these are hardened languages with limited capabilities, they’re supposed to be more secure than standard programming languages – and indeed they are,” Tenable senior security researcher Shelly Raban said in a technical report published last week. “However, more secure does not mean bulletproof.”
OPA is a popular, open-source policy engine that allows organizations to enforce policies across cloud-native environments, such as microservices, CI/CD pipelines, and Kubernetes. Policies are defined using a native query language called Rego which is then evaluated by OPA to return a decision.
The attack method devised by Tenable targets the supply chain, wherein an attacker gains unauthorized access through a compromised access key to insert a malicious Rego policy to an OPA server, which is subsequently used during the policy decision phase to allow malicious actions like credential exfiltration using a built-in function known as “http.send.”
Even in instances where an OPA deployment restricts the use of http.send, the cybersecurity firm found that it’s possible to utilize another function named “net.lookup_ip_addr” to smuggle the data using DNS lookups via a technique referred to as DNS tunneling.
“So, the net.lookup_ip_addr function is another function you might consider restricting or at least looking out for in policies, since it also introduces the risk of data exfiltration from your OPA deployment,” Raban said.
Terraform, similar to OPA, aims to simplify the process of setting up, deploying, and managing cloud resources through code-based definitions. These configurations can be set up using another declarative DSL called HashiCorp Configuration Language (HCL).
An attacker could target the open-source IaC platform by taking advantage of its “terraform plan” command, which are typically triggered as part of GitHub “pull_request” workflows, to execute unreviewed changes containing a malicious data source during the CI/CD process.
“This poses a risk, as an external attacker in a public repository or a malicious insider (or an external attacker with a foothold) in a private repository could exploit a pull request for their malicious objectives,” Tenable noted. “Data sources run during ‘terraform plan,’ which significantly lowers the entry point for attackers.”
These data sources, in turn, could be a rogue external data source, a Terraform module, or a DNS data source, necessitating that only third-party components from trusted sources be used. Some of the other recommendations to mitigate such risks include –
- Implement a granular role-based access control (RBAC) and follow the principle of least privilege
- Set up application-level and cloud-level logging for monitoring and analysis
- Limit the network and data access of the applications and the underlying machines
- Prevent automatic execution of unreviewed and potentially malicious code in CI/CD pipelines
Furthermore, organizations can use IaC scanning tools and solutions like Terrascan and Checkov to preemptively identify misconfigurations and compliance issues prior to deployment.
Source: https://thehackernews.com/2024/11/cybersecurity-flaws-in-iac-and-pac.html