The FBI warned organizations in the U.S. about security concerns associated with continued use of the Windows 7 operating system after it reached its official end-of-life (EOL) earlier this year. In a Private Industry Notification (PIN), the FBI stated that enterprises still running Windows 7 systems are vulnerable to compromise because those systems no longer receive security updates. The notification is intended to help security professionals and system administrators defend against the persistent malicious activities of cybercriminals.
Windows 7 End-of-Life Status
Microsoft ended the security updates and technical support for their Windows 7 OS on January 14, 2020. However, the company is providing Extended Security Update (ESU) services as an additional purchase per-device, which is available for Windows 7 Professional and Enterprise versions. Microsoft will only offer the ESU plan until January 2023.
The FBI stated that continuing to use Windows 7 exposes organizations to cybercriminals exploiting the outdated systems through both known and newly discovered vulnerabilities.
Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Migrating to a new operating system can pose its own unique challenges, such as cost for new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization
— the FBI said in the notification
Threats Associated with Windows 7 OS
The FBI also cited several Windows 7-related threats and vulnerabilities that have been exploited over the past few years, including:
- As of May 2019, 71% of Windows devices used in health care organizations ran an operating system that became unsupported in January 2020. Increased compromises have been observed in the health care industry when an operating system has reached end-of-life status. After the Windows XP end of life on 28 April 2014, the health care industry saw a large increase in exposed records the following year.
- Cybercriminals continue to find entry points into legacy Windows OS and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered the RDP vulnerability called BlueKeep in May 2019.
- Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the BlueKeep vulnerability. Cybercriminals often use misconfigured or improperly secured RDP access controls to conduct cyberattacks.
- In 2017, nearly 98% of systems infected with WannaCry ran Windows 7-based operating systems. Although Microsoft released a patch in March 2017 for the exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cybercriminals will continue to view Windows 7 as a soft target.
The FBI also recommended that organizations adopt a multilayered approach to defending against cybercriminals, including:
- Upgrading operating systems to the latest supported version.
- Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
- Auditing network configurations and isolating computer systems that cannot be updated.
- Auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
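The last two recommendations (find systems that cannot be updated, find systems exposing RDP, and log RDP logon attempts) can be scripted from a domain-joined management host. The following PowerShell is an added example written for this page; it is not part of the FBI notification. It assumes the RSAT ActiveDirectory module is installed (for Get-ADComputer), that WinRM remoting is enabled on the audited hosts, and that the caller has read access to their Security event logs. The function names are the example's own.

```powershell
# Added example, not from the FBI notification. Inventories Windows 7 hosts in
# Active Directory, reports each host's RDP posture, and pulls recent RDP logon
# attempts from the Security log so that they can be reviewed or forwarded.

# 1. Systems that cannot receive updates: every computer object still reporting
#    a Windows 7 operating system. LastLogonDate separates live hosts from stale objects.
function Get-Windows7Computer {
    Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' -Properties OperatingSystem, LastLogonDate |
        Select-Object Name, OperatingSystem, LastLogonDate
}

# 2. RDP posture of each host: is RDP enabled, is Network Level Authentication
#    required, and which TCP port is the listener on. Values come from the
#    Terminal Server registry keys. Get-WmiObject is used rather than
#    Get-CimInstance so the scriptblock also runs under PowerShell 2.0 on Windows 7.
function Get-RdpPosture {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $os  = (Get-WmiObject Win32_OperatingSystem).Caption
        New-Object PSObject -Property @{
            Computer    = $env:COMPUTERNAME
            OS          = $os
            RdpEnabled  = ($ts.fDenyTSConnections -eq 0)   # 0 = connections allowed
            NlaRequired = ($tcp.UserAuthentication -eq 1)  # 1 = NLA required
            RdpPort     = $tcp.PortNumber                   # default 3389
        }
    }
}

# 3. RDP logon attempts: Security events 4624 (success) and 4625 (failure).
#    Interactive RDP sessions log LogonType 10. Caveat: when NLA is enabled,
#    failed attempts are rejected during CredSSP and are recorded as LogonType 3,
#    so pass -LogonType 3,10 if you want those failures included (at the cost of
#    also matching other network logons). Logon auditing must be enabled first:
#      auditpol /set /subcategory:"Logon" /success:enable /failure:enable
function Get-RdpLogonAttempt {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Hours = 24,
        [string[]]$LogonType = @('10')
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event data fields are only reliably available by parsing the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            if ($LogonType -contains $data['LogonType']) {
                New-Object PSObject -Property @{
                    Time     = $_.TimeCreated
                    EventId  = $_.Id          # 4624 success, 4625 failure
                    Computer = $ComputerName
                    User     = $data['TargetUserName']
                    Source   = $data['IpAddress']
                    Outcome  = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                }
            }
        }
}

# Usage: list the Windows 7 hosts, check their RDP settings, and flag any source
# address with many failed RDP logons in the last day.
$win7 = Get-Windows7Computer
$win7 | Format-Table -AutoSize
Get-RdpPosture -ComputerName $win7.Name | Format-Table Computer, OS, RdpEnabled, NlaRequired, RdpPort -AutoSize
foreach ($host in $win7.Name) {
    Get-RdpLogonAttempt -ComputerName $host -Hours 24 |
        Where-Object { $_.Outcome -eq 'Failure' } |
        Group-Object Source |
        Where-Object { $_.Count -ge 10 } |
        Select-Object @{n='Computer';e={$host}}, @{n='Source';e={$_.Name}}, Count
}
```

Hosts that report RdpEnabled as true with NlaRequired false, or that show a high count of failed logons from a single source, are the ones to isolate or take off the network first; the remaining Windows 7 hosts that cannot be upgraded should at minimum have RDP disabled or restricted to a management network.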