Cybersecurity researchers have found two new ways for attackers to abuse Terraform and Open Policy Agent (OPA), two tools companies use to manage and secure their cloud infrastructure. Both use special-purpose (domain-specific) languages that are meant to be safer than general-purpose programming languages, but they are not unbreakable.
Shelly Raban, a security researcher at Tenable, said in a report that even though these languages are tougher to abuse, they are not invincible. OPA evaluates policies written in a language called Rego to make decisions, and if an attacker manages to plant a malicious policy on the server, that policy can be used for things like stealing sensitive information (exfiltrating data).
They found that even if the server is not allowed to use the "http.send" function to send information out, there is another route: "DNS tunneling" through a function called "net.lookup_ip_addr". The stolen data is hidden in plain sight by disguising it as ordinary DNS look-ups.
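What that channel looks like from the defender's side is a stream of DNS queries with long, random-looking subdomains that keep changing. The script below is an added example (not from Tenable's report or from OPA) that runs a simple tunnelling heuristic over a constructed sample of resolver logs; the log format, the domain names, and the thresholds are all assumptions. It also shows why a per-query check is not enough: a long but legitimate CDN hostname trips the entropy test, and only the "many distinct subdomains to one base domain" rule separates it from a tunnel.

```python
"""Flag DNS query patterns that look like tunnelling (long, high-entropy subdomains,
many distinct ones to the same base domain). Added example; thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed sample of resolver query logs, one "timestamp client qname" per line.
# The queries to exfil-example.test imitate what a tunnel looks like on the wire:
# chunks of encoded data packed into subdomain labels of a domain the attacker resolves.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 api.example.com
2024-05-01T10:00:02Z 10.0.0.5 cdn.example.com
2024-05-01T10:00:03Z 10.0.0.5 static-assets-europe-west-region-01.cdn-example.net
2024-05-01T10:00:04Z 10.0.0.7 q7ztbnx3mvka2ecd.w5hyo4lfsp6ugrij.exfil-example.test
2024-05-01T10:00:05Z 10.0.0.7 h3rpufsy6zeqgvjw.ki2od5ltaxm4c7bn.exfil-example.test
2024-05-01T10:00:06Z 10.0.0.7 2bxnq5jcvf7wmtez.gy3ousa4pklhd6ri.exfil-example.test
2024-05-01T10:00:07Z 10.0.0.7 mail.example.com
"""


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than readable names."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_features(qname):
    """Split a query name into a base domain and the subdomain 'payload' above it.

    Base domain = last two labels. A real deployment should use the Public Suffix
    List instead, otherwise names under co.uk and similar are mis-split.
    """
    labels = qname.rstrip(".").lower().split(".")
    sub_labels = labels[:-2]
    payload = "".join(sub_labels)
    return {
        "base": ".".join(labels[-2:]),
        "sub": ".".join(sub_labels),
        "payload_len": len(payload),
        "entropy": shannon_entropy(payload),
    }


def is_suspicious_query(features, min_len=30, min_entropy=3.5):
    """Per-query heuristic. On its own it also catches long legitimate CDN names."""
    return features["payload_len"] >= min_len and features["entropy"] >= min_entropy


def analyze(log_text, min_unique=3, **thresholds):
    """Return {(client, base_domain): [subdomains]} for clients that sent at least
    min_unique *distinct* suspicious subdomains to one base domain.

    A tunnel has to vary the subdomain for every chunk (a cached answer carries no
    data), which is what separates it from a single long but legitimate hostname.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; a real parser would log and count these
        _ts, client, qname = parts
        f = query_features(qname)
        if is_suspicious_query(f, **thresholds):
            seen[(client, f["base"])].add(f["sub"])
    return {key: sorted(subs) for key, subs in seen.items() if len(subs) >= min_unique}


if __name__ == "__main__":
    for (client, base), subs in analyze(SAMPLE_LOG).items():
        print(f"possible DNS tunnelling: {client} -> {base} ({len(subs)} distinct chunks)")
```

On the sample, only the 10.0.0.7 to exfil-example.test pair is reported; the cdn-example.net query is suspicious on its own but never reaches three distinct subdomains. In production the thresholds need tuning per environment, and known high-entropy legitimate senders (CDN hashes, DKIM and antivirus lookups) belong on an allow-list.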
Terraform is another tool that lets people manage cloud resources with code, and it has a command called "terraform plan". This becomes a problem when a CI pipeline runs "terraform plan" automatically on every proposed change (the pull_request trigger), because the plan is often generated before anyone has reviewed the change. An attacker could submit a malicious change and have the plan step execute it, giving them a way into the system.
To stop these shenanigans, Tenable suggests being strict about who can access the tools and what they can do with them, keeping an eye on what the applications actually do, and not letting untrusted code run without checking it first. They also recommend using tools like Terrascan and Checkov to spot mistakes or risky settings before changes go live.
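The "check it before it goes live" advice, applied to the Rego problem described above: deny-listing "http.send" was not enough because "net.lookup_ip_addr" was still available, so a review gate should allow-list the builtins a policy may call rather than block a few known-bad ones. The script below is an added example (not Tenable's or OPA's code) that scans constructed sample policies for calls to network-capable builtins and for any builtin not on an assumed allow-list; the policy files, the allow-list, and the repository layout are all assumptions.

```python
"""Pre-merge gate for Rego policies: allow-list the builtins a policy may call and
flag any with network side effects. Added example; the allow-list is an assumption."""
import re

# Builtins that can reach the network. The Tenable research names both: blocking
# http.send alone leaves net.lookup_ip_addr as a DNS channel.
NETWORK_BUILTINS = {"http.send", "net.lookup_ip_addr"}

# Pure builtins this (hypothetical) policy repo is allowed to use. Anything else is
# reported as "unlisted" so a reviewer has to consciously extend the list.
ALLOWED_BUILTINS = {"count", "startswith", "lower", "sprintf", "time.now_ns"}

# A call: dotted identifier followed by "(". Function *definitions* look the same,
# so they are collected first and subtracted from the calls.
CALL_RE = re.compile(r"\b([a-z_][a-z0-9_]*(?:\.[a-z_][a-z0-9_]*)*)\s*\(")
DEF_RE = re.compile(r"^\s*([a-z_][a-z0-9_]*)\s*\([^)]*\)\s*(?::=|=|\{|if\b)")

# Constructed sample policies (not from the report).
SAMPLE_POLICIES = {
    "authz.rego": """\
package authz

import rego.v1

default allow := false

allow if {
    is_admin(input.user)
}

is_admin(user) if {
    startswith(user.name, "admin-")
}
""",
    "suspicious.rego": """\
package authz

import rego.v1

# http.send is deny-listed at deploy time, so this policy resolves a name instead
allow if {
    addrs := net.lookup_ip_addr(input.callback_host)
    count(addrs) > 0
}
""",
}


def scan_policy(text):
    """Return {"network": [(line, name)], "unlisted": [(line, name)]} for one policy."""
    lines = [ln.split("#", 1)[0] for ln in text.splitlines()]  # drop comments
    defined = {m.group(1) for ln in lines for m in [DEF_RE.match(ln)] if m}
    findings = {"network": [], "unlisted": []}
    for lineno, ln in enumerate(lines, start=1):
        for name in CALL_RE.findall(ln):
            if name in defined:
                continue  # user-defined function, not a builtin
            if name in NETWORK_BUILTINS:
                findings["network"].append((lineno, name))
            elif name not in ALLOWED_BUILTINS:
                findings["unlisted"].append((lineno, name))
    return findings


def scan_all(policies):
    """Gate a whole policy set: returns (passed, {filename: findings}) with only
    the files that have something to report."""
    report = {}
    for filename, text in policies.items():
        findings = scan_policy(text)
        if findings["network"] or findings["unlisted"]:
            report[filename] = findings
    return (not report), report


if __name__ == "__main__":
    passed, report = scan_all(SAMPLE_POLICIES)
    for filename, findings in report.items():
        for lineno, name in findings["network"]:
            print(f"{filename}:{lineno}: network-capable builtin {name}")
        for lineno, name in findings["unlisted"]:
            print(f"{filename}:{lineno}: builtin {name} not on the allow-list")
    print("PASS" if passed else "FAIL")
```

Run it as a pull-request check and fail the build on any finding. It is a review-time complement to what OPA itself can enforce at load time: OPA accepts a capabilities file (the --capabilities flag) that lists exactly which builtins a policy may use, so the same allow-list can be applied when policies are compiled or served, not only when they are reviewed.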
So, companies need to be careful with these tools and watch out for any funny business, especially when people they don't fully trust are allowed to use them or when code changes are flowing in. It's like making sure you don't leave your diary open for anyone to read or write in it!