With the 2024 Olympics’ Opening Ceremony only two weeks away now, there is one thing that’s an absolute guarantee during the traditionally unpredictable Games: cyber attacks. 

Every time there is a new Olympic Games, there’s a renewed discussion about how threat actors, hacktivists and state-sponsored groups are all gearing up to try to disrupt the games in some way. The Opening Ceremony at the 2018 Olympic Games in South Korea was disrupted by a major cyber attack called Olympic Destroyer, briefly pausing ticket-taking operations and taking down several Olympics-related websites. 

And for this year’s Summer Games, France faces an “unprecedented level of threat,” according to the head of the country’s cybersecurity agency.  

That’s because, in our modern day, there is simply so much to protect. Ninety-nine percent of modern communication occurs over a network at this point, especially when you’re talking about an international event. That means protecting individual inboxes, mail servers, third-party messaging apps, virtual meetings and more. 

Each attendee of the games is going to bring in their own devices, too, and connect to whatever public network the Olympics stands up at the arenas or fields where competitions are taking place. That’s tens of thousands of new potential entry points for threat actors. 

There are also domains, subdomains, hosts, web applications and third-party cloud resources that the Games rely on, all with their own attack surfaces. 

A study from Outpost24 earlier this year found that the security for all these factors is stronger than when Russia hosted the 2018 FIFA World Cup, which came with a similar set of circumstances and popularity to the Olympics.  

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, smaller-scale threats and actors are still hoping to cause chaos.  

Last month, a fake AI-generated movie trailer seemed to show famous actor Tom Cruise condemning the International Olympic Committee in a fake documentary for Netflix. That made its rounds on Telegram, along with many threats around terrorist attacks in the hope of scaring attendees away and making the Games seem under-attended. 

Other actors are just looking to spread general misinformation, capitalizing on recent protests and elections in France to, in their mind, sow chaos in an already chaotic time for the country. 

France has been preparing for the bevy of threats with hundreds of penetration tests, tabletop exercises and, of course, partnering with Cisco to protect the Olympic Games.  

The one big thing 

Based on a comprehensive review of more than a dozen prominent ransomware groups, Talos identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers. Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector. 

Why do I care? 

Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, which has become a prevalent attack vector (addressed in more detail later in the post), indicating an increased need for appropriate security controls and patch management. Ransomware actors also continue to apply a significant focus to defense evasion tactics to increase dwell time in victim networks. 

So now what? 

Our blog post includes several recommendations for how potential targets can protect against the TTPs these groups use. That includes consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation, and implementing strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security. 

Top security headlines of the week 


Apple IDs are being targeted in a new SMS-based phishing scam. Security researchers say that adversaries are sending text messages to iPhone users in the U.S. disguised to look like they’re from Apple but actually intended to steal their Apple login credentials. The phishing messages are made to seem more legitimate with a fake CAPTCHA for users to complete. They are then directed to a malicious web page that looks like an older iCloud login page, where the targeted user is asked to enter their Apple ID. Apple IDs are valuable for attackers because they could allow them to log into the target’s iPhones and iPads, provide access to personal information, and allow the attacker to make unauthorized purchases. Apple warned users that they should be implementing MFA on their devices to ensure an adversary can’t use their credentials on an unknown device, or using Face ID or Touch ID to log into their devices. iPhone users are unlikely to ever receive text messages from Apple asking for their ID, but if they do, they should manually visit the desired website rather than clicking on a link in the message. (CBS News, Forbes)

A newly discovered spyware may have been spying on military members across the Middle East for more than five years. The tool, called GuardZoo, appears to be created by Houthi-aligned actors in Yemen. GuardZoo is a custom Android surveillance tool that’s used to steal potentially valuable information and military intelligence, including documents, photos and data relating to troop locations. Infection of GuardZoo begins with a malicious link sent in a WhatsApp message. These phishing links lead to one of a variety of fake apps outside of the Google Play store, disguising themselves as a range of services including an app for reading the Quran, device location tracking, and other themes relating to the Yemen Armed Forces and Saudi Arabia’s Armed Forces Command and Staff College. GuardZoo managed to fly under the radar for several years because it was a modified version of the previously known Dendroid remote access trojan. Once on a device, GuardZoo immediately disables local logging and exfiltrates all of the victim’s files from the past seven years that are KMZ, WPT, RTE or TRK files, all of which relate to GPS and mapping apps. (Dark Reading, SC Media)

The Australian government blamed a Chinese state-sponsored actor for being behind a series of cyber attacks and data breaches dating back to 2022. The group, known as APT40, is allegedly the perpetrator behind the theft of usernames and passwords from two unnamed Australian networks two years ago. A newly released report from the Australian Cyber Security Centre said APT40 conducts malicious cyber operations for China’s Ministry of State Security, the main agency in China in charge of foreign intelligence. The report says that the actor tries to steal sensitive information by infecting older, and sometimes even inactive, computers that are still connected to sensitive networks. Chinese authorities immediately denied the accusations. Intelligence agencies in Canada, New Zealand, the U.S. and the U.K. co-authored the report. New Zealand’s government previously accused APT40 of targeting its parliamentary services and counsel office in 2021 and stealing sensitive information. (NBC News, Voice of America)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

BlackHat USA (Aug. 3 – 8) 

Las Vegas, Nevada 

Defcon (Aug. 8 – 11) 

Las Vegas, Nevada 

BSides Krakow (Sept. 14)  

Krakow, Poland 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202 
MD5: e4acf0e303e9f1371f029e013f902262 
Typical Filename: FileZilla_3.67.0_win64_sponsored2-setup.exe 
Claimed Product: FileZilla 
Detection Name: W32.Application.27hg.1201 

SHA 256: 8a366b1d30dd4d03ad8c5c18d0fb978d00d16f5f465bd59db6e09b034775c3ec 
MD5: 4fca837855b3bced7559889adb41c4b7 
Typical Filename: UIHost32.exe 
Claimed Product: McAfee WebAdvisor 
Detection Name: Trojan.Miner.ED 

SHA 256: a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0 
MD5: b4440eea7367c3fb04a89225df4022a6 
Typical Filename: Pdfixers.exe 
Claimed Product: Pdfixers 
Detection Name: W32.Superfluss:PUPgenPUP.27gq.1201 

SHA 256: 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74
MD5: dc30cfd21bbb742c10e3621d5b506780
Typical Filename: KMS-R@1nHook.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent