Paris 2024 expected to see “eight to ten times more” cyberattacks than Japan’s 450 million
With Paris 2024 now finished, security teams were braced against the heightened threat of cyberattacks facing this year’s Games. Previous Games, and any large sporting event for that matter, have seen threat actors increase their activity looking to monetise their nefarious efforts. According to the NTT Corporation, the Games in Tokyo in 2021 experienced an estimated 450 million cyberattacks, and it looks like Paris will face similar activity. The head of technology for Paris 2024 has said that he anticipates “eight to ten times more” cyberattacks than Japan.
As of July 31, French authorities said they’d successfully thwarted 68 cyberattacks, although the actual number of attack attempts hasn’t yet been quantified. In an unconnected operation announced the night before the opening ceremony [July 25], French authorities disclosed that they’d launched an operation to clean up a network of bots suspected of infecting computers with PlugX malware that had struck millions of users worldwide including 3,000 in France.
This malevolent activity highlights the necessity for ongoing vigilance and security measures. By looking at what has gone before, it is possible to determine the types of cyber threats the games could be facing and the techniques criminals will use.
Ransomware attacks have been dominating headlines in recent years and the Games will be a promising target. Threat actors will be all too aware that any disruption to services would be devastating. This could mean organisations are more vulnerable to extortion in an effort to resolve any outages as quickly as possible.
Ten years ago a ransomware attack was really obvious. The computer (PC) was bricked with a ransomware demand displayed on the screen. Today attacks are less obvious and can go undetected for a few weeks as threat actors look to obfuscate their presence allowing them to creep around infrastructure for nefarious purposes.
To deploy ransomware and exfiltrate data, threat actors rely heavily on phishing, credential theft, and exploitation of known vulnerabilities left unpatched by unsuspecting organisations. These include vulnerabilities triggered by malicious documents, vulnerabilities found in perimeter devices like Secure Sockets Layer (SSL) Virtual Private Networks (VPNs), and a plethora of flaws used to elevate privileges once inside an organisation’s network.
At the end of July, Microsoft reported that several ransomware groups were targeting virtual machines as part of their attack chains, actively exploiting a VMware ESXi authentication bypass vulnerability (CVE-2024-37085), which can have a crippling effect on an impacted organisation. These financially motivated groups are quick to encrypt or lock as many hosts as possible, maximising the impact to a victim organisation in hopes of a handsome ransom payment.
The 2016 Rio Olympics faced DDoS attacks reaching up to 540 Gbps, while the 2020 Tokyo Olympics weathered an astounding 450 million attack attempts. It is thought that the Paris Games could face an even more severe onslaught, given the current global cybersecurity climate. While a connection hasn’t been made to Paris 2024, on July 30 Microsoft confirmed that it had suffered a DDoS attack causing outages globally.
Today’s DDoS attacks are sophisticated, often larger in scale than eight or even three years ago, and will often utilise vast botnets of compromised IoT devices (such as the Mirai botnet) to execute multi-vector assaults targeting different infrastructure layers simultaneously. These attacks often focus on the application layer, mimicking legitimate user behaviour to evade detection. Common weaknesses that can lead to significant service disruptions if not properly addressed include misconfigured rate limiting, faulty load balancing, improper caching, errors in web application firewall (WAF) settings, and exploitable vendor software and hardware.
A concern with DDoS attacks is that they could act as a distraction for security teams, providing an opportunity to target critical systems that will already be running at full capacity. While everyone is focused on what appears to be the key threat, the DDoS attack, hackers could be using it to divert attention, allowing them to sneak in through a less conspicuous window.
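As an added illustration of the weak points just listed (this is example code written for this article, not code from the author or from Tenable), the following Python monitor runs over constructed access-log lines and applies two checks: a per-source request budget, which is what rate limiting enforces, and an aggregate per-path budget, which is needed because an application-layer flood spread across many sources keeps every individual source under its own limit. The log format, IP addresses, paths and thresholds are all constructed for the example.

```python
"""Added example, not from the article: a small detector for application-layer
HTTP floods, run over constructed access-log lines. A source exceeding its own
request budget in a window is flagged, and a path whose total request count in
a window exceeds a budget is flagged even when every individual source stays
under its limit, which is the shape a distributed, legitimate-looking flood
takes. Thresholds are illustrative."""
import re
from collections import defaultdict

# Constructed log format: <client-ip> [<epoch-seconds>] "<METHOD> <path> HTTP/1.1" <status>
LOG_RE = re.compile(r'^(\S+) \[(\d+)\] "(?:GET|POST) (\S+) HTTP/1\.[01]" (\d{3})$')


def parse(line):
    """Return (ip, timestamp, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, int(ts), path, int(status)


def analyse(lines, per_ip_limit=20, per_path_limit=60, window=10):
    """Count requests in fixed windows of `window` seconds.

    Returns (flagged_ips, flagged_paths): a sorted list of sources that sent
    more than per_ip_limit requests in one window, and a dict mapping each path
    that received more than per_path_limit requests in one window to the number
    of distinct sources that hit it in that window (a high number means the
    load is distributed and per-source limits alone would not have caught it).
    """
    ip_counts = defaultdict(lambda: defaultdict(int))      # ip -> window -> requests
    path_counts = defaultdict(lambda: defaultdict(int))    # path -> window -> requests
    path_sources = defaultdict(lambda: defaultdict(set))   # path -> window -> {ip}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # an unparseable line must never crash the monitor
        ip, ts, path, _status = rec
        w = ts // window
        ip_counts[ip][w] += 1
        path_counts[path][w] += 1
        path_sources[path][w].add(ip)

    flagged_ips = sorted(ip for ip, per_w in ip_counts.items()
                         if max(per_w.values()) > per_ip_limit)
    flagged_paths = {}
    for path, per_w in path_counts.items():
        w, count = max(per_w.items(), key=lambda kv: kv[1])
        if count > per_path_limit:
            flagged_paths[path] = len(path_sources[path][w])
    return flagged_ips, flagged_paths


def build_sample_log():
    """Constructed traffic: normal browsing, one noisy source, one distributed flood."""
    lines = []
    # Five ordinary visitors, four requests each, spread over roughly 30 seconds.
    for i in range(5):
        for k in range(4):
            lines.append(f'198.51.100.{i + 1} [{1000 + i + 7 * k}] "GET /schedule HTTP/1.1" 200')
    # One source hammering the ticket page: 25 requests inside a single window.
    for _ in range(25):
        lines.append('203.0.113.9 [1002] "GET /tickets HTTP/1.1" 200')
    # Distributed flood: 30 sources, 3 requests each, same path, same window.
    # No single source exceeds per_ip_limit, but the path total (90) does.
    for n in range(30):
        for _ in range(3):
            lines.append(f'192.0.2.{n + 1} [1005] "POST /api/search HTTP/1.1" 200')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    ips, paths = analyse(build_sample_log())
    print("sources over limit:", ips)
    print("paths over limit (distinct sources in the peak window):", paths)
```

On the constructed sample the noisy single source is caught by the per-source check, while the 30-source flood against /api/search is only caught by the per-path aggregate, which is the point: a rate limiter configured per client alone is the "misconfigured rate limiting" case the article describes.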
There were 10 million tickets on sale for the Paris 2024 Olympic Games, with ticket prices ranging from €24 to over €980, sold through online ticketing websites. This presents an opportunity too good for scammers to miss, and could see them target consumers using email addresses obtained from past data leaks, underground forums or simply pre-generated lists. Promises of free, discounted or incredible seats may be used as lures to hook unsuspecting recipients (phishing) into visiting malicious websites or clicking dangerous links where tainted software may be offered.
Ahead of the Games, France’s national police force said it had identified more than 300 websites set up by cybercriminals to sell fake tickets. While the golden rule of “if it sounds too good to be true, it probably is” applies here, recipients of these emails may ignore best practices and follow these malicious links.
Typosquatting Domains and Illegal Streaming
Typosquatting occurs when malicious actors register domain names that resemble a popular or widely used website. With control over these domains, the attacker may attempt to clone that website and use their creation to collect sensitive data or financial information, or to entice a visitor to download malicious software. While typosquatting is not a new technique, attackers continue to find success with it. As mentioned previously, this type of activity has already targeted Paris 2024.
Some modern web browsers make attempts to protect against this attack scenario, however, there’s no foolproof way to offer protection and browsers may be limited to checking for common misspellings of only top websites and services. With a worldwide event as popular as the Olympic Games, malicious actors will make attempts to get users to visit their malicious websites and offers of streaming the matches, prize giveaways or other tricks may attract unsuspecting users.
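Browsers checking only the most popular sites leaves the defender to watch for lookalikes of its own brand. The following Python checker is an added example written for this article (not the author's or Tenable's code) of the kind of scan a security team runs over newly observed domains from DNS logs or certificate transparency feeds: it folds common homoglyphs, compares the registrable label to protected brand names by edit distance, and also catches the brand combined with extra tokens. The brand name, allowlist and candidate domains are constructed placeholders under the reserved .example TLD, not real Paris 2024 domains.

```python
"""Added example, not from the article: a lookalike-domain checker of the kind
a defender runs over newly observed domains to catch typosquats of a brand it
protects. Brands, allowlist and candidate domains are constructed."""
import unicodedata

# Characters that render like another letter and are commonly swapped in.
# Folding is applied to brand and candidate alike, so over-eager rules such
# as "rn" -> "m" only affect matching, not the original names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
              "vv": "w", "rn": "m"}

BRANDS = ["olympics"]                       # constructed brand to protect
ALLOWLIST = ["olympics.example"]            # constructed legitimate domain(s)
SAMPLE_DOMAINS = [                          # constructed observations
    "tickets.olympics.example",   # legitimate subdomain
    "0lympics.example",           # digit zero for letter o
    "olympcs.example",            # one missing letter
    "olympics-tickets.example",   # brand plus extra token
    "olympia.example",            # distance 2: not flagged at the default threshold
    "weather.example",            # unrelated
]


def normalise(label):
    """Lower-case, strip accents, fold homoglyphs, drop separators."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s.replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Label left of the suffix; a simple two-part split is enough for the
    constructed samples (a real scan would use the Public Suffix List)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brands=BRANDS, allowlist=ALLOWLIST, max_distance=1):
    """Return (verdict, reason) for one domain."""
    d = domain.lower().rstrip(".")
    if d in allowlist or any(d.endswith("." + a) for a in allowlist):
        return "legitimate", "allowlisted"
    norm = normalise(registrable_label(d))
    for brand in brands:
        b = normalise(brand)
        if norm == b:
            return "suspicious", f"brand {brand!r} under a non-allowlisted domain"
        dist = levenshtein(norm, b)
        if dist <= max_distance:
            return "suspicious", f"edit distance {dist} from {brand!r}"
        if b in norm and len(norm) > len(b):
            return "suspicious", f"brand {brand!r} combined with extra tokens"
    return "unrelated", "no brand match"


def scan(domains, brands=BRANDS, allowlist=ALLOWLIST, max_distance=1):
    """Map each domain to its verdict."""
    return {d: classify(d, brands, allowlist, max_distance)[0] for d in domains}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:30} {classify(d)}")
```

The threshold is the operational trade-off: raising max_distance to 2 would flag "olympia.example" as well, so a team tunes it against its own false-positive tolerance and reviews flagged domains rather than blocking them blindly.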
Given the current political and geopolitical situation in France, hackers could see the Games as an opportunity too good to pass up. While we’ve seen in-person attacks this year, such as arson against the railway on the day of the Opening Ceremony, it’s not beyond the realms of possibility that these move into the realm of cyberattacks targeting CCTV, security gates, ticket turnstiles, travel infrastructure or even energy providers.
Another avenue that could be targeted is the sound systems and big screens within venues, or even online streaming platforms, with inflammatory messages and other defacing efforts.
The opening ceremony of the PyeongChang 2018 Winter Olympic Games is a case in point. It suffered a massive cyberattack that shut down the official Games website, Wi-Fi hotspots and TV broadcasts. It grounded broadcasters’ drones and the back-end servers of the Olympics’ official app. It even affected entry to the ceremony as spectators were unable to load their tickets to gain entry.
Last month Microsoft warned of an intense disinformation campaign aimed at tarnishing the reputation of the International Olympic Committee and stoking fears of violence at this summer’s Games. Its campaign began before the Games even started, when the disinformation collective Storm-1679 created an AI-generated video starring a deepfake of Hollywood star Tom Cruise claiming that the ‘Olympics Has Fallen’. This year’s event is not the only one to bear the brunt of its attacks: the group has a decades-long history of targeting the Olympic Games.
Following the Opening Ceremony, various ‘fake news’ stories were carried on a number of social media platforms. Among them were claims that a pro-Christian protest had taken place in Paris; that French dancer Germain Louvet exposed his genitals during the opening ceremony; and that the ceremony was in fact a satanic ritual.
For those organisations either directly involved in delivering the Games, or those associated by sponsorship, priority actions they should take with immediate effect to bolster defences are:
- Compile a full inventory of core infrastructure, with all software updated, patches applied and user permissions revised, prior to implementing a system freeze.
- Admin accounts should be identified and access bolstered with multi-factor authentication.
- Access and identity management should be carefully considered, with accounts only created in exceptional circumstances, over the next few months.
- Continuous monitoring, looking for signs of abnormal behaviour or suspicious activity, should be implemented.
- Security teams should remain on standby, ready to take immediate action should a critical vulnerability be identified that is being exploited in the wild.
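The monitoring, MFA and account-creation items above can be turned into concrete detections. The following Python audit-log monitor is an added example written for this article (not the author's or Tenable's code): it flags privileged logins that did not use MFA, and account creations or privileged group grants during the change freeze that carry no approved change ticket. The JSON log format, account and group names, ticket ids and freeze dates are all constructed assumptions; a real deployment would read the privileged-account set from the inventory produced in the first step.

```python
"""Added example, not from the article: a small audit-log monitor covering
three checklist items: privileged logins without MFA, account creation during
a change freeze without an approved change ticket, and privileged group
membership granted during the freeze. Log format and all values are constructed."""
import json
from datetime import datetime, timezone

# Constructed freeze window and inventory.
FREEZE_START = datetime(2024, 7, 20, tzinfo=timezone.utc)
FREEZE_END = datetime(2024, 8, 12, tzinfo=timezone.utc)
PRIVILEGED_ACCOUNTS = {"adm-network", "adm-ticketing"}
PRIVILEGED_GROUPS = {"Domain Admins"}
APPROVED_TICKETS = {"CHG-0042"}

# Constructed JSON audit events, one per line.
SAMPLE_LOG = [
    '{"ts": "2024-07-18T09:00:00Z", "event": "account_created", "actor": "adm-ticketing", "user": "vol-101"}',
    '{"ts": "2024-07-26T08:15:00Z", "event": "login", "user": "adm-network", "mfa": true}',
    '{"ts": "2024-07-26T23:40:00Z", "event": "login", "user": "adm-network", "mfa": false}',
    '{"ts": "2024-07-27T02:05:00Z", "event": "account_created", "actor": "adm-ticketing", "user": "svc-temp"}',
    '{"ts": "2024-07-27T10:00:00Z", "event": "account_created", "actor": "adm-ticketing", "user": "vol-204", "ticket": "CHG-0042"}',
    '{"ts": "2024-07-28T11:30:00Z", "event": "login", "user": "j.doe", "mfa": false}',
    '{"ts": "2024-07-28T11:31:00Z", "event": "group_change", "actor": "j.doe", "user": "j.doe", "group": "Domain Admins", "action": "add"}',
    'not json at all',
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_freeze(ts):
    return FREEZE_START <= ts <= FREEZE_END


def check_event(ev):
    """Return an alert reason for one event, or None if nothing is wrong."""
    ts = parse_ts(ev["ts"])
    kind = ev.get("event")
    approved = ev.get("ticket") in APPROVED_TICKETS
    if kind == "login" and ev.get("user") in PRIVILEGED_ACCOUNTS and not ev.get("mfa", False):
        return "privileged login without MFA"
    if kind == "account_created" and in_freeze(ts) and not approved:
        return "account created during freeze without approved change ticket"
    if (kind == "group_change" and ev.get("action") == "add"
            and ev.get("group") in PRIVILEGED_GROUPS and in_freeze(ts) and not approved):
        return "privileged group membership granted during freeze"
    return None


def monitor(lines):
    """Run check_event over JSON log lines; returns a list of (user, reason)."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed input must not stop the monitor
        reason = check_event(ev)
        if reason:
            alerts.append((ev.get("user"), reason))
    return alerts


if __name__ == "__main__":
    for user, reason in monitor(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

The account created before the freeze and the one backed by an approved ticket pass; the non-privileged login without MFA passes too, because the rule is scoped to the admin accounts the checklist says to identify first.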
Beyond the Games, strong security requires an all-attack-surface view of cyber risk, with complete visibility into every asset and risk across multi-cloud, identities, hybrid apps, unmanaged devices, OT and IoT, and on-prem IT. It’s about understanding what is critical for the business to function, whether that’s systems or data, and then addressing the risks those systems face first. Doing so means the vast majority of attack paths will be closed off, preventing compromise, malware infiltration and/or exfiltration of data.
Organisations need a single source of truth, that unifies one view of risk across all assets, connects the dots between the lethal risk relationships that span solution silos and brings together disparate teams with the intelligence they need to do battle to protect against attacks as one.
They need to know their weaknesses with an all-inclusive view of cyber risk that uncovers the truth about deadly gaps across all assets and attack pathways. They need to expose their risk by identifying, understanding and quantifying the cyber weaknesses with the greatest potential to erode the enterprise’s value, reputation and trust. And then take swift action to close the priority cyber exposures anywhere to reduce business risk everywhere.
By radically unifying security visibility, insight and action across the attack surface, modern organisations are equipped to protect themselves against attacks from IT to the cloud to OT and everywhere in between.
About the Author
Bernard Montel is Technical Director and Security Strategist at Tenable. Tenable is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for more than 44,000 customers around the globe. Learn more at tenable.com.
Featured image: Adobe