IT Security at the Paris Olympic Games: Critical Vulnerabilities Discovered
Major sporting events are attractive targets for malicious actors looking to sow chaos, and the upcoming Olympic Summer Games in Paris is perhaps the biggest prize of the year.
The Games, which run from July 26 to August 11, will be attended by 325,000 people and watched by more than a billion people globally.
However, an IT security assessment conducted by Outpost24 on the upcoming event uncovered several critical vulnerabilities that could potentially compromise the integrity and security of the Games. Among the identified weaknesses, open ports were flagged as a significant concern, with two exposed remote access ports (ssh servers) found susceptible to brute-force attacks if not properly configured.
- The report cited SSL misconfigurations as another notable risk, with 31 domains (5.8%) exhibiting invalid SSL certificates and 86 domains (16%) lacking SSL altogether, creating potential entry points for hackers.
- Security header issues were also prevalent, affecting 257 out of 294 associated websites, leaving them vulnerable to common attacks such as XSS and code injection.
- More than 20 instances of cookie consent violations were identified, highlighting potential breaches of user privacy regulations such as GDPR.
- Additionally, signs of domain squatting were observed, raising concerns about deceptive websites aiming to exploit the Olympic brand for illicit profits and compromising user security.
Other cyber hygiene issues included numerous 404 errors and empty pages, outdated software and technologies, and the discovery of leaked credentials stolen by the LUMMAC2 malware.
Paris Gets Silver for Security Posture
Despite the Outpost24 findings, the company awarded the overall security posture a “silver medal.” The report noted that, while there were several attack surface risks to analyze, the overall cybersecurity posture of the Paris Games was good.
Cybersecurity has become a central issue for the games, not only for organizers and spectators but also for the athletes themselves. Official Olympic apps have also been found to be extremely insecure.
Other concerns include sophisticated bot attacks, account takeover (ATO) and credential stuffing activity, and various social engineering scams.
“The Paris 2024 organization is operating over 800 external web applications residing across more than 16 different cloud providers, showing the diversity of third-party providers from an IT cloud operations perspective,” said Stijn Vande Casteele, chief security officer of Outpost24’s EASM unit. The hosts, with over 90 unique IP addresses, physically reside across the USA, EU and Asia.
Casteele said that, given the volatility and dynamic character of an attack surface and the amount of complexity it raises, it’s a real challenge for risk and security stakeholders to keep everything inventoried and monitored for changes.
Reducing Risks with Cyber Resilience
Domain squatting—the buying or registering domains with the intent to fraudulently profit from an organization’s trademark—is a risk not just for Paris 2024 but an ongoing threat for Olympic hosts in the future. “Threat actors try to register look-a-like domains to prepare attack infrastructure and lure victims in potential phishing campaigns,” Casteele said.
Monitoring domain registrations and analyzing domain squatting candidates are way to get an early warning and avoid further potential impact.
The Paris 2024 analysis highlights the need for “outside-in” tools that give full visibility in the risk exposure. “Even though this organization is doing a lot right with its cybersecurity, there are still several risks in their attack surface that need dealing with – some urgently,” Casteele said.
By focusing on external attack surface management, organizations can access automated asset discovery, continuous analysis and monitoring of changes in their attack surface.
“When reducing the identified risks by implementing good practices (for example, taking things offline that are no longer needed) the organization becomes–and stays–more cyber resilient against threat actors,” Casteele said.
Photo credit: James Ting on Unsplash
