Getty Images/iStockphoto

FBI: Operating Windows 7 Increases Cyber Risk to Network Infrastructure

An industry alert from the FBI warns that network infrastructures still operating with Windows 7 platforms, after it reached end of life status in January 2020, are at an increased risk of cyberattack.

Organizations continuing to operate with Microsoft Windows 7 platforms on the network infrastructure are at an increased risk of cyberattack, according to a private industry notification from the FBI. 

Hackers are targeting the computer network infrastructure of organizations once the system achieves end of life status, FBI officials warned. Enterprises that continue to use these legacy platforms may inadvertently provide threat actors with access to the network. 

Microsoft ended support for Windows 7, Windows Server 2008, and 2008 R2 on January 14, which meant the platform would no longer receive regularly scheduled security updates. 

The tech giant offered an Extended Security Update (ESU) plan to its customers, allowing a “paid-per-device" option for Professional and Enterprise versions --  with the price increasing the longer a customer continues to use the option. However, that plan will expire in January 2023. 

For the FBI, the risk is particluarly great in healthcare. More than 50 percent of the sector relied on Windows 7, as of July 2019, according to Duo Security, while Forescout research found 70 percent of healthcare's IoT and medical devices operate on legacy platforms. The data is alarming, when combined with prolific patch management challenges across the sector. 

What’s worse, the FBI is aware of an increase in system compromises due to the continued use of unsupported platforms. For example, after the support of Windows XP ended on April 28, 2014, the healthcare sector reported a large increase in exposed records the following year. 

“As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” according to the FBI alert. “Microsoft and other industry professionals strongly recommend upgrading computer systems to actively supported operating systems.” 

While the FBI acknowledge that transitioning into a new platform can be challenging in of itself, the concerns don’t outweigh the risk to intellectual property and other cyber threats to an organization. 

Further, cybercriminals are continuing to actively scan and find entry points into legacy platforms, often leveraging exploits on the Remote Desktop Protocol (RDP). Microsoft issued a rare legacy patch for the RDP on Windows 2003, Windows 7, XP, and Server 2008 in May 2019, in an effort to prevent another global cyberattack like WannaCry. 

The CVE-2019-0708 vulnerability, referred to as BlueKeep, in the RDP or terminal services would give a hacker remote access to systems without authorization and allow an attacker to send tailored requests through the RDP, including a malware infection able to proliferate to all connected devices. 

The FBI warned of an increase in malicious RDP activity, including the development of a working commercial exploit for the BlueKeep flaw. And much like with WannaCry, cybercriminals will view unpatched Windows 7 systems as soft targets. 

The FBI urged organizations to employ a multilayer approach to their cyber defenses to defend against these types of attacks. Those efforts should include validating that the software used on access controls network configurations, and overall network are current. 

Computer systems must be upgraded to the latest supported version, while anti-virus, spam filters, and firewalls should be checked to determine if it is up to date, properly configured, and secured.  

Administrators should audit network configurations and isolate computer systems that can’t be updated, as well as systems using RDP. Unused RDP ports must be closed, and two-factor authentication must be applied when possible. RDP login attempts should also be logged. 

Lastly, healthcare organizations will need to first perform a complete inventory of all of the devices on a network. Security researchers have noted that often, healthcare providers are unaware of just how many devices are connected to the network. The process should be automated to ensure accuracy.

Next Steps

Dig Deeper on Cybersecurity strategies