Malicious actors have pounced on a pair of critical vulnerabilities found in SaltStack's open-source, event-based IT automation and configuration management tool Salt. In a series of quick strikes over the weekend, one or more attackers exploited the flaws -- disclosed and patched just days earlier -- to compromise the "Salt master" servers of several prominent users, including the Ghost blogging platform, the open-source mobile operating system LineageOS, and SSL certificate provider DigiCert.
The disruptive attacks highlight what some cyber experts say is an overlooked or underestimated threat vector among developers: Infrastructure-as-Code (IaC). Considered a key element of DevOps practices, IaC tools such as Salt let developers use code to automate the management and provisioning of complex computer infrastructure environments. This helps them avoid configuration discrepancies between machines, which can hold up software deployments and would otherwise require manual intervention. But the same capabilities that make IaC helpful also make the exploitation of IaC tools uniquely dangerous.
"To understand the potential implications of an IaC, one must remember that IaC is designed to accomplish two fundamental objectives: consistency and speed," said Bill Santos, president and COO of Cerberus Sentinel. "IaC tools are designed to quickly deploy and update large environments in a very standardized way very quickly. The implication to an exploited IaC is significant: Whereas the consistency and speed are advantageous for 'approved' changes, an exploited change will get deployed equally quickly and equally consistently across that same environment, dramatically increasing its impact vs. other exploit approaches."