Full Report
Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Styra's Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data. "Since these are hardened languages with limited capabilities, they're supposed to be more
Analysis Summary
# Cybersecurity Blind Spots in IaC and PaC Tools Expose Cloud Platforms to New Attacks
## Key Points
- Researchers disclosed two new attack techniques targeting Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) tools, specifically impacting users of HashiCorp Terraform and Styra's Open Policy Agent (OPA).
- The techniques exploit vulnerabilities within the Domain-Specific Languages (DSLs) used by these tools, enabling attackers to breach cloud platforms and exfiltrate data.
- The primary attack vector involves gaining unauthorized access (e.g., via a compromised access key) to insert a malicious policy into an OPA server.
- This malicious policy leverages built-in OPA functions designed for legitimate operations for malicious data exfiltration.
## Threat Actors
- Threat actors were not explicitly named or attributed in the provided context.
- The threat stems from supply chain compromise where an attacker inserts malicious code/policies.
## TTPs
- **Policy Injection:** An attacker inserts a malicious Rego policy into an OPA server post-compromise of access keys.
- **Data Exfiltration via `http.send`:** The malicious Rego policy uses the built-in OPA function `http.send` during the policy decision phase to exfiltrate credentials or data externally.
- **Data Exfiltration via DNS Tunneling:** If `http.send` is restricted, attackers can utilize the `net.lookup_ip_addr` function to smuggle data out of the OPA deployment via DNS lookups (DNS tunneling).
## Affected Systems
- **Tools:** Styra Open Policy Agent (OPA) and HashiCorp Terraform mentioned as examples of systems using DSLs under scrutiny.
- **Languages/Components:** Rego query language (used by OPA).
- **Environment:** Cloud-native environments managed by OPA, including microservices, CI/CD pipelines, and Kubernetes.
## Mitigations
- **Restrict/Monitor `http.send`:** Organizations using OPA should restrict or closely monitor the use of the built-in `http.send` function within Rego policies due to its suitability for data exfiltration.
- **Restrict/Monitor `net.lookup_ip_addr`:** The function `net.lookup_ip_addr` should also be restricted or monitored as it can be abused for data exfiltration via DNS tunneling.
- **Supply Chain Security:** Secure access keys and implement strong controls around who can modify policies on OPA servers, addressing the initial compromise vector.
## Conclusion
The security of IaC and PaC tools, while designed to be specialized and inherently more secure than general-purpose languages, still harbors exploitable blind spots. Attackers can leverage built-in functions within the policy languages (Rego) to execute unauthorized network activity for credential or data exfiltration (via HTTP request or DNS tunneling). Strict auditing and restriction of network-related built-in functions in OPA are critical defensive measures.