Unfortunately, in today’s world, it is not just Vladimir Putin running Windows XP. Many continue to run the risk of keeping legacy systems within their production environment. I imagine for most; this has run through some sort of internal process where the risk has been accepted. If you yourself work within IT, it would be all too familiar to have heard about these “acceptable risks”.
So why do we accept them?
From what I have seen and from speaking to others is that the frustration comes when the risk is deemed isolated or “contained”. The reason it’s accepted is often because it’s too critical to the business and some level of additional security measures, including policies have been created to dampen/control the risk. The problem is, no matter what you do, the only way to truly mitigate the risk of legacy systems is to chuck them in the bin. Written policies only apply to those that listen and controls are only as strong as the admins want them to be.
For those reading and shouting, “well what about health care systems or machinery?”, I do understand. In some cases, such as the health care industry, vendors have made it near impossible for Hospitals to secure these systems. This goes the same for factories as there is often have no money to invest in them and their fate is left in the hands of their suppliers. If supplier X only ships their product running legacy operating systems and these systems/machinery are deemed the best, they will obviously be purchased. This discussion could go on however, and from I have seen, there is a lot of interest/movement now to force suppliers/vendors to up their game in these industries, especially when it comes to health care.
After WannaCry, there continuous to be focus on securing our national health care. Rightly so, as if another war did break out, cyber will be on the front line (corny line). Crippling the opponent health care would probably be on the attackers list, but maybe I’ve just played to many games.
Back to the myth of isolated risks……. A chink in the armour doesn’t threaten the armour, it threatens the person wearing it. If exploited (pierced), It’s not the armour that dies, it’s them. Flipping that back to the real world; The XP machine sitting on the network, threatens the rest of the environment, not just the application it’s running.
Below may be sentences you’ve heard, around this topic.
“The attack would have to know about it”
Often if it is on the network, it can be found. Scanning the network using tools such as Nmap will quickly highlight them. If RDP is open, an attack would most likely probe anyway. Once they do, they will be present with this screen due to the legacy method of remote desktop. This somewhat gives the game away.
If its domain joined, it most certainly can. Active Directory will give the game away as an attack can run this simple Powershell to query AD for it.
Import-Module ActiveDirectory ; Get-ADComputer -Server [Domain or DC] -Filter {OperatingSystem -like “*XP*”}
AD will then return any systems it is aware of running Windows XP. Documentation is also a weak point. Legacy systems are often kept because they are deemed critical. Because of this, there is often a lot of red tape, so plenty to document….
“You can’t access it”
This is always a lie as the business itself needs to way of accessing it, else it would be pointless keeping it. Often the management ports are concealed or blocked, however an attacker doesn’t need to land on the box to exploit it. Gaining a shell by abusing Eternal blue or passing a NULL session on $IPC, can do a lot for an attacker. The shell being the most concern as if they can run tools such as Mimikatz to harvest credentials. Worst still, if they are domain credentials, they can be used for lateral movement.
“It’s in an isolated network”
From reading recent Ransomware victims, it is always the case that in the post-mortem, the business mention how segmentation of the network was in place. Although this may be true, to save cost, I guarantee that more than one system sat on that subnet. It’s human nature. We isolate the network for critical system, however, that subnet then becomes a gold mind as all the important systems sit on it. Basically, like how we use a home safe. We don’t buy multiple safes to spread the risk. Instead we buy one, and shove all our most treasured items in there for safe keeping. This to a thief becomes a target as it screams…..TREASURE! Not to similar to an attacker on the network, the thief wanting to access the safe, will know that there MUST be a way in, as how else would the actual user use it.
“We turn it off”
This is in fact a really good control; however, it can be turned on. The risk here is measured by who can turn these systems back on and who knows about it once it’s booted. Humans have the ability to forget, so unless there is a timer, or auto shutdown, there is a chance it could be forgotten or left on.
“It’s limited to certain users”
This again is a key control however what else can those users access? As highlighted above, if these credentials can be used elsewhere, then the risk increases. An attacker may not be able to harvest credentials via Phishing or on a 2016 box running AV, but they might on an unprotect XP machine.
“No one hacks legacy systems anymore”
Although this is “slightly” true, it’s wrong. Sure, more exploits now are for more up-to-date operating systems, and technology however, there is still a large market for legacy systems. The flip to this is that they simply do not have to. These legacy systems have long been patched and in support, so often remain vulnerable to past exploits. Most antivirus or big vendors have also thrown their hands in the air when it comes to supporting these systems, so they are often vulnerable or unprotected. This means that often there is no need to come up with a zero day, as known exploits have a high percentage of working. A business running an unsupported critical system, could be prone to also skip patching due to fear of the machine breaking…
These are just some of the examples to show that risk is not so isolated. If an attacker spots these on the network, they could become an attackers home. They would know that these systems often are not in support of the businesses current security stack so could be unpatched, unprotected, and unmonitored. This makes a perfect place to scout out the rest of the network or to simply do damage to a machine seeing as they know it’s critical to business, as why else would they keep it?
Hopefully, this has helped change a few minds when reviewing risks like this. These systems often have no end date in sight, as the developer has moved on or there are simply no replacements. That being said, it’s important to view the risk for what it is; not isolated, but as a whole.
Ohh and one more thing….. Please don’t put them on the Internet. I’m sure a large number of these could be honey pots, but this seems too high:
amoran.io 
Leave a Reply