Paris Olympic Games wins cybersecurity silver – how does your attack surface compare?
Using our own proprietary External Attack Surface Management (EASM) solution, Outpost24’s Sweepatic, we have conducted an attack surface analysis on the Paris 2024 Olympic Games online infrastructure. The Paris 2024 cybersecurity team have done plenty right, but we’ve also highlighted some real-life attack surface risks that have slipped through the gaps (and do so for many organizations) including open ports, SSL misconfigurations, cookie consent violations, and domain squatting.
It’s easy to notice when an organization expands physically. You can see a bigger office, new IT hardware, and more employees. The difference with digital expansion is that it can be exploding without anyone really paying attention: it’s too often hidden and ignored. Data from Outpost24’s EASM solution suggests an organization’s digital footprint doubles roughly every nine months, which is a lot to keep track of.
This is why organizations use EASM to get a full picture of all their public internet-facing assets that could be exploited by attackers. You can see one of the outputs from the Sweepatic EASM platform below – a network graph visualizing an organization’s public-facing digital footprint. This is different from vulnerability management, as it shows you an organization’s unknown as well as known assets.
The best way to understand how EASM works and the value it brings is to look at a live example, so we’ve mapped the entire internet-facing footprint associated with the Olympic Games organizing committee: Paris 2024. Why did we choose the Paris Olympic Games for this research? Mainly because it’s the biggest international sports competition attracting both physical and digital visitors from all over the world. The Olympic Games is a very well-established brand and there will be a spike of online interest as the Paris 2024 games approach.
Just as pickpockets and ticket touts target groups of tourists, cybercriminals will be conscious of increased online traffic towards the Paris 2024 games and will hope to capitalize. The 2020 Tokyo Olympics infrastructure was hit by 450 million cyberattacks, 2.5 times the number seen at London 2012. This means there’s plenty for an EASM solution to get stuck into. Let’s see what the solution found and which lessons you can take for your own attack surface management.
How did we rate Paris 2024?
In short, pretty good! Not quite a gold medal, but certainly a silver. There are several positive cybersecurity practices to note here, as well as some risks that tend to show up even for organizations that are doing plenty right. We started with asset discovery, to build a picture of all Paris 2024’s domains, subdomains, hosts, web applications and 3rd party cloud resources. You can see a visual representation of this in the network graph below. From there, we were able to dig into specific risks and vulnerabilities.
Stijn Vande Casteele, CSO of Outpost24’s EASM had this to say about the findings: “While we found several attack surface risks to analyze, it would be fair to say the overall cybersecurity posture of the Paris 2024 Olympic Games was good. A few years ago, we analyzed the attack surface of FIFA’s 2018 Russia World Cup, which had an alarming number of outdated hosts and potential entry points into their infrastructure.
“In comparison, it’s clear more cybersecurity effort has been taken by the Paris 2024 cybersecurity team. But even though we’d consider the Paris 2024 games as a ‘good’ example of how to manage an attack surface, it isn’t perfect (as perfection rarely exists with cybersecurity). The risks we’ll explore in the next section highlight the value of having an EASM solution in place to automatically pick up on the attack surface risks that inevitably fall through the gaps.”
What we found: Analyzing the risks
It’s worth noting the following risks aren’t unique to Paris 2024. These issues are nothing we haven’t seen before, as many organizations don’t have a great handle on their internet-facing assets – you may even have some of these issues lurking in your own attack surface! If you’re keen to know how your own attack surface stacks up, you can book a free attack surface analysis with Outpost24 now.
Open ports
Open ports aren’t inherently risky; the risk lies in the service listening behind them. A service exposed without proper configuration, patching or access control lets attackers fingerprint your network and IT stack, enumerate the software and versions you run, pinpoint weaknesses, and plan targeted attacks. EASM gives you a full view of open ports across your organization so you can assess that risk.
We didn’t find an unusually high number of risky open ports for Paris 2024, but digging deeper into the results showed a couple of potentially interesting ones. As you can see in the charts below, there were two exposed remote access ports (SSH servers). These could be susceptible to brute-force and credential-stuffing attacks and should be high priorities to resolve. A successful login can lead to data breaches, theft of intellectual property, and financial and reputational damage. Bear in mind that many brute-forcing scripts only try TCP port 22, so moving SSH to a non-default port cuts down the noise in your logs; it does not reduce the risk, because internet-wide scanners identify SSH by its banner on whatever port it listens. Treat a port change as a minor extra and rely on the controls that actually close the door: key-based authentication only (PasswordAuthentication no in sshd_config), source-IP restrictions or a bastion/VPN, and connection rate-limiting such as fail2ban.
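To show why a non-default port does not hide an SSH server from a scanner, here is an added example (not Outpost24’s or Sweepatic’s code) of the banner-grabbing an attack surface scanner performs. It starts a throwaway listener on a random local port that answers with a constructed OpenSSH identification string, then connects to it blind and classifies the service purely from what the service says first. The listener, the banner text and the host address are all assumptions for the demo.

```python
import socket
import threading

# Constructed for this example: the identification string a real sshd sends
# first, regardless of which port it was moved to (RFC 4253 section 4.2).
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"


def start_fake_ssh_listener(banner: bytes = FAKE_SSH_BANNER) -> int:
    """Bind a TCP listener on an ephemeral local port, answer every client with
    `banner`, and return the port number. Runs as a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect and read whatever the service volunteers before we send anything.
    SSH, FTP and SMTP all announce themselves this way."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""  # silent service (e.g. HTTP waits for a request)
    return data.decode("utf-8", errors="replace").strip()


def classify_banner(banner: str) -> dict:
    """Identify the service from its banner, independent of the port number."""
    if banner.startswith("SSH-"):
        # "SSH-protoversion-softwareversion SP comments"
        fields = banner.split(" ", 1)[0].split("-", 2)
        return {
            "service": "ssh",
            "protocol": fields[1],
            "software": fields[2] if len(fields) > 2 else "",
        }
    return {"service": "unknown", "protocol": "", "software": ""}


def scan_port(host: str, port: int) -> dict:
    """Probe one port and return the finding an EASM-style scanner would record."""
    try:
        banner = grab_banner(host, port)
    except OSError:
        return {"port": port, "open": False}
    finding = {"port": port, "open": True, "banner": banner}
    finding.update(classify_banner(banner))
    return finding


if __name__ == "__main__":
    port = start_fake_ssh_listener()   # nowhere near port 22
    print(scan_port("127.0.0.1", port))
```

The finding comes back tagged as SSH with the exact OpenSSH version, which is what Shodan-style scanners and attackers' port sweeps record too. Port obscurity buys a quieter auth log, nothing more; key-only authentication and source restrictions are what remove the brute-force exposure.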
SSL misconfigurations
SSL/TLS misconfigurations are some of the most common issues we find when assessing an attack surface. They occur when certificates or TLS settings are improperly set up or managed: outdated protocol versions and cipher suites, certificates issued for the wrong hostname or served with an incomplete chain, and expired certificates. Each of these weakens the encryption users rely on, invites interception or downgrade attacks, and trains users to click through browser warnings, which is exactly what a phishing site needs.
Identifying SSL/TLS misconfigurations without a comprehensive EASM solution is challenging. Most traditional security tools simply don’t have the capacity to monitor and analyze all of your organization’s internet-facing assets. As you can see below, our EASM solution found Paris 2024 had 31 domains (5.8%) with invalid TLS certificates and 86 domains (16%) with no TLS at all (plain HTTP). In some cases, redirects from HTTP to HTTPS hadn’t been set up properly; three domains had expired certificates (possibly forgotten assets); and in others the redirect target sent an HSTS header with a short max-age, so browsers forget the HTTPS-only rule within hours or days and the window for downgrade attacks reopens.
In addition, we noted that out of 294 websites, 257 had security header issues. When you visit a website, the browser sends request headers and the server replies with HTTP response headers. Security headers are response headers that instruct the browser to switch on a protection: Content-Security-Policy restricts where scripts may load from, X-Frame-Options (or the CSP frame-ancestors directive) blocks clickjacking, X-Content-Type-Options stops MIME sniffing, and Strict-Transport-Security pins the site to HTTPS. Leaving them out means the site relies solely on application code to fend off XSS, code injection and clickjacking.
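The checks behind the two preceding paragraphs (HTTP-to-HTTPS redirects, expired certificates, short-lived HSTS and missing security headers) can be expressed as one small audit over a captured response. The code below is an added example written for this article, not Sweepatic’s scanner logic; the sample responses, hostnames and the one-year HSTS threshold are assumptions chosen for the demo. It takes a URL, status code and header map as any HTTP client returns them, plus the certificate expiry if the caller captured it from the TLS handshake.

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# HSTS max-age below one year is treated as short-lived here (the browser
# preload list also requires at least one year).
ONE_YEAR = 365 * 24 * 3600

# Response headers a browser needs before it will switch on the protection.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browser will still follow plain-HTTP links",
    "content-security-policy": "CSP missing: no browser-side mitigation for XSS / script injection",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        max_age = None  # missing or malformed: browsers ignore the header
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_response(url: str, status: int, headers: dict,
                   cert_not_after: Optional[datetime] = None,
                   now: Optional[datetime] = None) -> list:
    """Return the findings for one response; an empty list means it passed."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    now = now or datetime.now(timezone.utc)

    if urlsplit(url).scheme == "http":
        # The plain-HTTP endpoint's only job is to send everyone to HTTPS.
        location = h.get("location", "")
        if status not in (301, 302, 307, 308) or not location.startswith("https://"):
            findings.append("http:// does not redirect to https://")
        elif status in (302, 307):
            findings.append("http:// redirect is temporary; use 301/308 so browsers cache it")
        return findings  # header checks only matter on the HTTPS response

    if cert_not_after is not None and cert_not_after < now:
        findings.append(f"certificate expired on {cert_not_after:%Y-%m-%d}")

    for name, message in REQUIRED_HEADERS.items():
        if name in h:
            continue
        # CSP frame-ancestors supersedes X-Frame-Options, so don't double-report.
        if name == "x-frame-options" and "frame-ancestors" in h.get("content-security-policy", ""):
            continue
        findings.append(message)

    if "strict-transport-security" in h:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None:
            findings.append("HSTS max-age missing or malformed")
        elif hsts["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age={hsts['max_age']} is short-lived (expect >= {ONE_YEAR})")
    return findings


if __name__ == "__main__":
    # Constructed sample responses standing in for captured scanner output.
    samples = [
        ("http://tickets.example.test/", 200, {"Content-Type": "text/html"}, None),
        ("https://tickets.example.test/", 200,
         {"Strict-Transport-Security": "max-age=300", "Content-Type": "text/html"},
         datetime(2023, 12, 31, tzinfo=timezone.utc)),
        ("https://www.example.test/", 200,
         {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff"}, None),
    ]
    for url, status, hdrs, not_after in samples:
        print(url, audit_response(url, status, hdrs, not_after) or ["OK"])
```

To run it against live hosts, feed it the status, headers and `notAfter` from `http.client`/`ssl` (or your HTTP library of choice) per URL; the audit itself is deliberately offline so it can be unit-tested and re-run on stored scan results. Note that the HTTP-side check stops after the redirect test: a security header on a 301 response is never acted on by the browser, so reporting its absence there would be noise.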
One interesting example we pulled out was a section of the staging environment to do with ticketing. A staging environment should not be reachable from the public internet where that can be avoided; at a minimum it should sit behind authentication served over HTTPS. Ticketing is the last area an organization would want exposed, as customer PII (personally identifiable information) and payment details are involved.
Domain squatting
Domain squatting (or cybersquatting) involves buying or registering domains with the intent to fraudulently profit from an organization’s trademark. It leads to fake websites that look trustworthy and are usually designed to illegally earn money directly or indirectly. They can also steal sensitive information like passwords or other credentials that can be sold on the dark web.
Outpost24’s EASM’s domain discovery feature makes it easy for an organization like the Olympic Games to find domain squatters and protect themselves from future issues. The domains it discovers may be related or unrelated to an organization’s scope in a good or bad way. Admins can dismiss the discovered domains as unrelated, add them to a list to be scanned, or monitor suspicious ones for changes over time.
In this case, we can already see that some domain names relating to the Paris 2024 Olympic Games have been bought and put up for sale. We even found some for the 2028 Olympic Games in Los Angeles, with cybersquatters preparing years in advance for interest in that event to spike. The list below contains potential ‘typosquatting’ domains such as oaris2024.org and paris224.org, misspellings that look similar to the real event page. We would need to run further analysis on who registered the domains (the registrant) to confirm threat actor involvement. On the other hand, it’s possible these were registered by the Paris 2024 team as a preventative step to keep them out of the hands of bad actors.
Cookie consent violations
Cookies can be used to track users, and there are rules and regulations around how a business may set them, often differing depending on location. We detected over 20 cookie consent violations in this case. This means cookies were set in users’ browsers before they had given permission, which could have GDPR implications for Paris 2024.
The GDPR only allows personal data to be processed on a valid legal basis, and for non-essential cookies the EU ePrivacy rules require that basis to be the user’s prior, informed consent for the specific purposes of use. Setting tracking cookies before the consent banner has been answered is therefore something worth looking into to make sure they’re covered. This is a valuable feature for any organization working with EU customers.
Other risks and cyber hygiene issues
- 404s and empty pages: These unused pages might seem harmless enough, but they at best do nothing and at worst needlessly expose web servers and increase your attack surface. It’s much better to simply take them down. The more you have exposed, the more monitoring and potential remediation is needed.
- Outdated software and technologies: We detected some outdated technologies with known exploited vulnerabilities (KEVs) in use across the Paris 2024 infrastructure, such as Varnish 6.5. These are particularly risky, as they have known vulnerabilities with public exploits for threat actors to use. For example, a website was detected running Handlebars 4.0. This is relevant because Handlebars versions prior to 4.3.0 are vulnerable to prototype pollution leading to remote code execution.
- Leaked credentials: For most organizations, passwords are their weakest link and the easiest route in for hackers. We found one set of compromised credentials that had been stolen by LUMMAC2 malware. This could have happened in two ways: the employee may have accidentally downloaded the malware onto their work device, or they used their work login credentials on a malware-infected personal device. Either way, the organization needs a way to detect compromised passwords and enforce password changes.
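Turning a technology fingerprint such as "Handlebars 4.0" into a finding is a version comparison, and a common bug in home-grown checks is comparing versions as strings, where "4.10.2" sorts before "4.3.0". The added example below (written for this article, not scanner code from Outpost24) parses version components numerically and checks them against a constructed advisory table that carries only the Handlebars range stated above; the table and the fingerprint strings are assumptions for the demo, and real ranges should be taken from the vendor advisory.

```python
import re

# Constructed advisory table for this example: first fixed version per product.
# Only the range the article states for Handlebars is included; verify every
# entry against the vendor advisory before using this on real scan data.
FIXED_IN = {
    "handlebars": ("4.3.0", "prototype pollution leading to remote code execution"),
}


def parse_version(text: str) -> tuple:
    """'4.0' -> (4, 0); '4.10.1' -> (4, 10, 1). Non-numeric suffixes are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison; missing trailing components count as 0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def check_fingerprint(fingerprint: str) -> dict:
    """Take a 'Product version' string as a technology detector emits it and
    report whether the detected version predates the fix."""
    product, _, version = fingerprint.strip().partition(" ")
    entry = FIXED_IN.get(product.lower())
    if entry is None or not version:
        # Unknown product or no version captured: cannot decide, say so explicitly.
        return {"product": product, "version": version, "vulnerable": None}
    fixed, issue = entry
    return {
        "product": product,
        "version": version,
        "vulnerable": version_lt(version, fixed),
        "fixed_in": fixed,
        "issue": issue,
    }


if __name__ == "__main__":
    for fp in ("Handlebars 4.0", "Handlebars 4.3.0", "Handlebars 4.10.2", "Varnish 6.5"):
        print(check_fingerprint(fp))
    # The naive string comparison gets the 4.10.2 case wrong:
    print("4.10.2" < "4.3.0")  # True, which is why tuple comparison is used above
```

The explicit `None` for an unknown product matters in practice: a checker that silently returns "not vulnerable" for every product it has no data on hides exactly the outdated components (Varnish here) that still need a human to look up the advisory.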
Lessons to takeaway
The Paris 2024 analysis highlights the need for tools that give you full visibility. Even though this organization is doing a lot right with its cybersecurity, there are still several risks in its attack surface that need dealing with, some urgently. An EASM solution gives IT teams ongoing asset discovery together with continuous analysis and monitoring of changes in their attack surface. It’s ongoing and automated, giving real-time, prioritized observations of current attack surface risks, both known and unknown.
Using EASM to stay on top of issues like domain squatting is vital for protecting your brand’s reputation and reducing the risk of impersonation attacks. We can see the lengths the Paris 2024 organization went to in order to protect their brand, although it still wasn’t enough in some areas. Improving your overall ‘cyber hygiene’ reduces your attack surface, helps keep you compliant with regulations such as NIS2, and projects a better image to customers – many of whom might only ever interact with your business online.
How does your organization compare?
Find out how your organization’s attack surface score stacks up. Run an attack surface analysis to identify areas your cybersecurity is strong as well as some areas where you need to address vulnerabilities. Book your free attack surface analysis today.
Disclaimer: This analysis was conducted externally by Outpost24, using its proprietary External Attack Surface Management (EASM) platform, Sweepatic. Outpost24’s EASM finds and analyzes public IT assets that are connected to the internet by simulating normal internet traffic, passive discovery, and testing techniques. Outpost24 is not connected to the infrastructure or business processes of the Paris Olympic Games Committee.