An interesting attack vector which uses empty terraform providers and a modified state file to execute code!
There’s lots to be excited about as a red teamer and scared of as a blue teamer, but at the top of the list is that the attack does not require a “terraform apply”. Even if the human reviewing this plan doesn’t approve it, the code has already executed.
— Daniel Grzelak
Read the full article on https://blog.plerion.com/hacking-terraform-state-privilege-escalation/