Guest Column | January 12, 2016

Cybercrime Rule #1: Machines Are Hard, People Are Soft

By Ian Trump, Security Lead, MAXfocus

MAXfocus’ Ian Trump wonders why the predicted open season on Windows Server 2003 machines has failed to materialize.

It’s 2016, and in July 2015 we had all kinds of warnings about the end of Windows Server 2003 (W2k3). However, despite the prognostications of folks such as myself, W2k3 has not gone out with a cybercrime bang. It’s interesting to me that this unsupported operating system is still in service in great numbers. Despite weaknesses such as the recently disclosed help and support center vulnerability, which can only be mitigated if specific steps are followed, there has been nothing to indicate a targeted cybercrime attack on Windows 2003 has occurred or is even imminent. Certainly the trend lines we saw in the IT press showed a concerted effort to migrate the OS to something newer.

The question remains, why has a large-scale, automated attack not occurred? There could be a number of answers to this question, but I think the central argument may be this: Attacking old servers is not sexy — attacking specialized systems like POS end-points and IoT is far more interesting and ultimately financially rewarding.

Looking at the worldwide install base of our popular remote monitoring and management (RMM) tool, we see slightly more than 290,000 servers, of which just over 28,000 report as W2k3. This works out to about 10 percent of our install base, a number that continues to slowly decline as the servers are replaced (or eliminated). If a cybercriminal has the programming capabilities to write exploit code for an over-the-wire attack on a server OS, it makes sense from a cybercriminal perspective to concentrate efforts on exploiting the large and growing number of modern operating system servers.

Furthermore, I think it’s reasonable to suggest, in the heightened awareness of Internet risk from 2015’s massive breaches, that a concerted effort has taken place to move the data that is attractive to cybercrime away from vulnerable platforms. Although a W2k3 server may provide an ingress point for a targeted hack, it’s likely businesses have taken some steps to mitigate their exposure. Is it possible the “you don’t have to get rid of W2k3 server, but you do have to secure the data on it” messaging such as in this blog actually worked? Even the most clueless executive can understand that having a great deal of personal information or financial data on an unsupported operating system sounds like a bad idea.

Perhaps the “bad idea” messaging worked to a certain extent, but there may be an even simpler explanation, as well as some economics, at work around the lack of enthusiastic W2k3 server exploitation. For a start, over-the-wire remote code execution (RCE) hacking is harder (by far) than tricking unsuspecting users into opening a PDF, or clicking on a web link to pop an Adobe Flash exploit onto thousands of machines. Rule number 1 of cybercrime is that it follows the path of least resistance — machines are hard, people are soft.

Although an over-the-wire RCE is cool and all ‘1337, there is not going to be as much income from coding an exploit for an operating system in decline that is also unsupported by the manufacturer. To be mercenary about building an over-the-wire RCE on a vendor-supported OS, you get two (possibly three) paydays:

  1. From the cybercrime exploit kit authors who want your bug and are willing to pay large dollars for it
  2. From the OS vendor as part of a bug bounty reward or program
  3. There is also the possibility of a payday from government intelligence agencies, anxious to get their hands on something that may “come in handy.”

Rule number 2 of cybercrime is do the least amount of work for the most amount of money. Double or triple dipping is the norm.

In terms of credibility in the hacker world, busting open an operating system that is super old is not held in high esteem — pwning the latest and greatest is where it’s at in the underground and at all the Infosec conferences I’ve been to.

So, is the combination of the inherent laziness and ego-inflating traits of the cybercriminal underground keeping exposed W2k3 servers “safe”? In part. However, I would suggest it is just a matter of time until we see an over-the-wire RCE on Windows Server 2012 that also happens to work on W2k3. Then, as General Maximus says: At my signal, unleash hell.

Ian Trump is security lead at LOGICnow. You can follow Ian on Twitter at @phat_hobbit.