In late 2023, Microsoft Windows Server 2012 and 2012 R2 reached their end of life. Microsoft is ending free updates, bug fixes, and technical support to an operating system still used in hundreds of thousands of enterprise servers.
Microsoft allows customers to purchase Extended Security Updates (ESUs) until 2026. However, their core recommendation for Windows 2012 users is to migrate to the cloud with Azure or upgrade their on-prem servers to Windows Server 2022.
As we've covered in a previous blog post about legacy risks, business-critical servers are often either too operationally critical or create so many dependencies that upgrading or migrating them is effectively impossible.
The Windows 2012 end of support is no surprise. Microsoft follows a well-established product lifecycle and notifies of OS sunsetting years in advance. If an organization has not upgraded its Windows 2012 servers by now, it's likely not going to do so in the near future, either. So, what can they do instead?
Windows legacy servers are a growing source of risk.
Available market share data puts the percentage of servers running an out-of-support Windows operating system (such as Windows Server 2008, 2008 R2, 2012, and 2012 R2) at around 10 percent of all servers in use today.
There are hundreds of thousands of Windows legacy servers currently supporting critical functions - all of which have exploitable vulnerabilities. At the time of writing, Microsoft has published 759 common vulnerabilities and exposures (CVEs) so far this year; in 2023, 1,228 vulnerabilities were reported.
Recent data indicates that unsupported Microsoft systems and servers—including Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012—are impacted by thousands of Common Vulnerabilities and Exposures (CVEs).
Here’s a rough breakdown:
Many of these CVEs affect core services like Remote Desktop Protocol (RDP), SMB (Server Message Block), and other networking services, making them highly attractive to attackers. The threat is particularly severe because many of these older systems no longer receive patches or updates to mitigate newly discovered vulnerabilities.
The number of CVEs impacting unsupported systems will continue to grow as new vulnerabilities discovered in supported versions are often found in legacy versions as well, even though they are no longer patched. This makes these systems a significant security liability.
If you work in a manufacturing business, healthcare organization, financial institution, or any company that uses OT, your organization likely relies on servers powered by one or more of these legacy systems.
The risks legacy systems create are well known (we've written about how to protect Windows 7, 8, 8.1, and Windows Server 2008 R2). Still, it's worth noting that Windows 2012 adds over two and a half thousand known vulnerabilities (of which over 100 have been exploited) to the legacy risk register.
Experience from past operating system sunsets shows that exploit developers comb legacy codebases for exploitable bugs long after the vendor's developers stop doing the same thing. Threat actors continue to scan for and find exploitable legacy vulnerabilities in their target environments.
Proof of this: in recent months Morphisec has prevented over 600 high-priority security incidents, comprising over 40 distinct malware families, on our clients' Windows legacy OS endpoints alone.
Attack Prevented | Description | Operating System
--- | --- | ---
Cobalt Strike Backdoor | Cobalt Strike is a modular backdoor which frequently leads to domain propagation and exploitation to deploy attacks such as ransomware and IP theft. | Windows 7, Windows Server 2008, Windows Server 2012
Metasploit Framework | Metasploit Framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe for systematic vulnerabilities on networks and servers. | Windows 7, Windows 8, Windows Server 2012
Gamarue Malware | Gamarue is a malware family that downloads files to enable information theft from infected systems. Gamarue family worm variants can contaminate USB drives or portable hard drives that were connected to an infected system. | Windows 7
Log4Shell Exploitation | Exploitation of Log4Shell in the Ubiquiti UniFi application. | Windows Server 2012
Mimikatz Password Theft | Mimikatz is a program that provides a set of tools for collecting and using Windows credentials on target systems. | Windows 7, Windows Server 2012
ProxyShellMiner | ProxyShellMiner is an advanced group of hackers that utilize ProxyShell exploits to spread a crypto miner. | Windows 7, Windows Server 2008, Windows Server 2012
Squiblydoo Remote Code Execution | Whitelisting bypass through regsvr32 and scrobj.dll, allowing remote code execution. | Windows 7, Windows Server 2008, Windows Server 2012
Source: Morphisec Threat Data
Legacy Windows OSs often feature in ransomware attack chains. Modern ransomware threat groups target legacy OSs to establish persistence and propagate attacks.
One of the most common attacks Morphisec stops on legacy Windows servers involves Cobalt Strike. This modular backdoor tool was developed for pen testing but is now abused by threat actors using cracked versions. Cobalt Strike often leads to domain propagation and exploitation as part of an attack chain that results in ransomware deployment and IP theft.
Critically, Cobalt Strike targets an endpoint's runtime memory. This makes it a particularly dangerous threat for servers running Windows Legacy OSs such as Server 2012, which are at an increased risk of exposure to fileless malware and threats exploiting runtime memory. Legacy systems, lacking modern defenses, are more susceptible to these runtime-based attacks.
With such a high-risk profile, end-of-life Windows servers demand protection from ransomware and other threats. Without vendor support, devices running EOL and non-supported operating systems become a continuous source of exploitable vulnerabilities. Threat actors can work back from vulnerabilities found in current OS versions to find new ways of compromising older machines. More often, though, attackers simply wait for a patch to be released and then develop N-day exploits from it.
Due to the iterative nature of OS development, exploitable vulnerabilities that vendors discover and patch in newer versions of Windows are sometimes found in older versions—where they will never be officially fixed. End of support puts many more devices into this "never going to be replaced or patched" category.
Since legacy servers often host business-critical processes, and due to their increased exposure, they must be protected by state-of-the-art endpoint protection solutions. Unfortunately, the Endpoint Detection and Response (EDR) technology you might use to protect other parts of your network is not fit for this task.
There are several reasons for the mismatch between EDR and Windows legacy servers.
On a more fundamental level, legacy systems are not an environment that EDRs are optimized for. Although you can install EDR agents on legacy servers, the techniques the EDR systems rely on for detection are optimized or designed for the current OS in use. Therefore, the effectiveness of EDRs on legacy OSs is curtailed, giving adversaries easier methods to evade EDRs and create points of persistence.
Older legacy systems (i.e., anything running Windows 7 or Windows Server 2008 R2) will only have a limited version of Event Tracing for Windows (ETW). This means that an installed EDR won't be able to get as much real-time information as it would on a modern system. The result is less visibility and a lower detection rate for advanced threats.
Any server running an OS older than Windows Server 2016 will also not have Microsoft's Antimalware Scan Interface (AMSI). All modern EDRs use this technology to spot obfuscated and packed scripts, evasive macros, and most "living off the land" techniques.
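As an added example (not code from the original post or from Morphisec), the PowerShell function below reports, for the host it runs on, the server release's end-of-support date and whether the AMSI, Windows Defender and PowerShell script block logging primitives an EDR depends on are present. The kernel-version-to-release mapping and the end-of-support dates are public Microsoft lifecycle data; the registry path for script block logging is the standard Group Policy location. It assumes PowerShell 3.0 or later (Server 2012 ships with 3.0; 2008 R2 needs a WMF update).

```powershell
# Added example: posture check for a possibly out-of-support Windows server.
function Get-LegacyOsPosture {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Map the kernel version to the server release's end-of-support date.
    # (Client editions sharing these kernels have their own lifecycle dates.)
    $eol = switch -Regex ($os.Version) {
        '^6\.0\.'    { [datetime]'2020-01-14' }   # Windows Server 2008
        '^6\.1\.'    { [datetime]'2020-01-14' }   # Windows Server 2008 R2
        '^6\.2\.'    { [datetime]'2023-10-10' }   # Windows Server 2012
        '^6\.3\.'    { [datetime]'2023-10-10' }   # Windows Server 2012 R2
        default      { $null }                    # 2016 and later: still in lifecycle
    }

    # AMSI ships as amsi.dll in System32 on Server 2016 and later only.
    $amsiPresent = Test-Path -Path (Join-Path $env:windir 'System32\amsi.dll')

    # Windows Defender runs as the WinDefend service on Server 2016 and later.
    $defender = [bool](Get-Service -Name WinDefend -ErrorAction SilentlyContinue)

    # Script block logging (PowerShell 5.0+) is a compensating control where AMSI
    # is absent; it is enabled by policy under this registry key.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OperatingSystem    = $os.Caption
        Version            = $os.Version
        EndOfSupport       = $eol
        OutOfSupport       = ($null -ne $eol -and $eol -lt (Get-Date))
        AmsiPresent        = $amsiPresent
        DefenderService    = $defender
        PowerShellVersion  = $PSVersionTable.PSVersion.ToString()
        ScriptBlockLogging = ([int]$sbl.EnableScriptBlockLogging -eq 1)
    }
}

# Run locally, or fan out across a server list (file name is a placeholder):
Get-LegacyOsPosture | Format-List
# Invoke-Command -ComputerName (Get-Content .\servers.txt) `
#     -ScriptBlock ${function:Get-LegacyOsPosture} | Format-Table -AutoSize
```

A server that reports OutOfSupport as true with AmsiPresent false is exactly the combination the text describes: no vendor patches and no script-scanning hook for an EDR to use, so script block logging and process-creation auditing are the visibility that remains.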
Security Capability | Windows Server 2008 R2 | Windows Server 2012 R2 | Windows Server 2016 and above
--- | --- | --- | ---
Shielded Virtual Machines | | |
Host Guardian Service | | |
Antimalware Scan Interface (AMSI) | | |
Event Tracing for Windows (ETW) | | |
Just Enough Administration (JEA) | | |
Just-in-Time Administration (JIT) | | |
Credential Guard | | |
Remote Credential Guard | | |
Device Guard | | |
AppLocker | | |
Windows Defender | | |
Control Flow Guard | | |
Generation 2 virtual machines | | |
Enhanced auditing for threat detection | | |
Dynamic Access Control | | |
Windows Firewall with Advanced Security | | |
BitLocker | | |
Small-footprint Hyper-V host (Server Core) | | |
Source: Microsoft
Legend: Not Supported
If upgrading to Windows Server 2022 or migrating to the cloud via Azure is off the table, there are still a few viable strategies to manage legacy security risks:
As any cybersecurity practitioner knows, securing legacy systems is a daunting challenge. Because they lack computing power compared to current systems, legacy systems need a lightweight security solution.
They also need something that's compatible with their software—both factors that rule out most of today's industry-leading security solutions such as EPP, EDR, and XDR/MDR. (Legacy systems lack basic mechanisms used by EDRs, such as script scanning through AMSI.)
Adaptive Exposure Management (AEM) is a component of Morphisec’s Anti-Ransomware Assurance Suite. AEM represents the future of exposure management by introducing a dynamic and proactive strategy. Powered by AMTD, it continually adapts to an organization’s evolving attack surface, anticipating changes and vulnerabilities across the organization’s digital infrastructure.
Next-gen vulnerability prioritization offers continuous, risk-driven remediation recommendations tailored to your business context, streamlining patch management efforts.