Workload and Application Security Blog

FBI Warns Orgs Still Using Windows 7 Are at High Risk

Written by Virsec | Aug 7, 2020 11:51:37 PM

Companies beware: The FBI warns running Windows 7 systems without security updates is high hacking risk

A favored OS by many, the End of Life (EOL) announcement for Windows 7 last January was not welcome news. It gave organizations continuing use of the OS a new big thing to worry about. As always, EOL meant all security updates and fixes for Windows 7 would cease.

While a number of companies have already upgraded to Windows 10, millions have not. The millions of machines operating on Windows 7 are why the FBI issued its Private Industry Notification (PIN) warning. The PIN gives a very clear danger signal that continuing use of Windows 7 opens the door wide for attacks.

The Bureau said:

"The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status.

"Continuing to use Windows 7 within an enterprise may provide cyber criminals access in to computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered. 

Their warning continued:

"With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target."

The Warning Comes With a Strong Push to Act

PCs, servers, workstations running Windows 7 all need a newer version of Windows OS to be on safer turf. Microsoft is currently allowing users to upgrade to Windows 10 for free, despite the offer officially ending 4 years ago.

However, organizations have reasons for not upgrading their software. One example is their hardware isn’t compatible with newer versions. The cost of replacing hardware poses high costs orgs would prefer to sidestep.

The FBI countered this concern with:

"However, these [hardware] challenges do not outweigh the loss of intellectual property and threats to an organization.”

The cost of not upgrading and a subsequent breach would in fact far exceed the cost of upgrading. Yet those with constrained budgets or other reasons still opt to take the risk.

If Windows XP is any indication, the warning is not just hype. After Windows XP was EOL’d in Spring of 2014, breaches increased in 2015. Some industries are more at risk than others and healthcare falls into high risk. The healthcare industry is known to be running outdated software on the majority of devices. (See our article As the US Fights COVID-19, 83% of Medical Devices Have Outdated Software & Scams Are Soaring)

Windows 7 Threats Already in Play & the Playing Field Is Large

Windows 7 has been around a long time, which means hackers have already discovered weaknesses and perfected exploitative moves. The most infamous exploit to date is EternalBlue, most known as the weapon in the WannaCry attack in May 2017. EternalBlue remains a frequent weapon of choice today, utilized in ransomware and cryptomining attacks. In the WannaCry attack, 98% of victims were using Windows 7 absent the necessary patch.

Attackers also used the BlueKeep worm against a Zero-Day vulnerability in 2019. They hacked into devices running Windows 7 with enabled RDP endpoints. Microsoft made a patch available for both WannaCry and BlueKeep but many companies never applied them. This includes hospitals, manufacturers, schools, city and government offices. All of these industries have suffered surges of attacks.

That trend is poised to continue for Windows 7 users now that new vulnerabilities will not be patched. In the rare event of an extreme attack, Microsoft could release an emergency patch as it did for NotPetya in 2017. But that’s a long shot exception and companies should expect that they are on their own. No security updates will be forthcoming.

This is good news for would-be hackers. They not only have means but opportunity with a large playing field - Windows 7 users represent 20 percent of OS users. It’s also common for new exploits to be made publicly available among attackers.

So Why Doesn’t Everybody Simply Upgrade Already?

Upgrading is not easy for a lot of organizations. Likely all who could do so without ramifications have already done so.

Satya Gupta, co-founder and CTO of Virsec, recently told TechRepublic, “Microsoft has been trying to wean businesses off of Windows 7 for a while but the problem many organizations face is that upgrading, or even routine patching, is usually more difficult and disruptive than vendors like to admit.”

As noted above, companies face high costs at the prospect of upgrading hundreds or thousands of machines. Windows 7 could be integral to their entire infrastructure, including other software applications. Changing the OS would break other components and bring unacceptable side effects.

Mr. Gupta said many of these enterprises may have legacy applications that are also used well past their intended lifecycles—often requiring specific OS environments, even if those are out of date.

"If you try to force businesses to retire legacy apps, there will always be stragglers—thousands of them—that open easy entry points for attackers. We have to shift to a security model that recognizes that in the real world, legacy operating systems and apps will live on for years, and they need to be protected as is—without requiring painful upgrades to maintain basic security," Gupta said.

Companies are finding themselves weighing the high cost of upgrades versus risking a data breach while using vulnerable software. Some organizations may have to consider isolating their Windows 7 devices, which also may not be a practical option. 

Out of Options? Virsec’s Virtual Patching Protects Your Windows 7 Systems

Everyone remaining on Windows 7 will have no choice but to remain perpetually out of date. And, for reasons noted above, plenty of companies running on current software choose not to apply the latest patches. Meanwhile, attackers will continue to develop more exploits so the situation will worsen over time.

Another option is needed.

Patching never has been and never can be the security panacea we wish it could be. By definition, it’s slow and reactive. It’s also impossible to anticipate and prepare for the infinite amount of unknown and future threats. Virsec’s virtual patching approach accepts that many applications won’t be patched. They are running without the latest security updates and need to be protected as is.

Hackers are abundantly creative in their exploits and security solutions must shift to a new mindset as well.

Virsec’s virtual patching approach would have protected companies from WannaCry, ransomware and threats like these. Virsec is able to protect Windows 7 users by securing from the inside out, from inside applications as they are running.

Learn more in our paper Making Applications Truly Self Defending and from the resources below

Further resources:

Making Applications Truly Self Defending

Patching the Iron Tail Is Easier Said Than Done

Microsoft ‘Bluekeep’ Flaw Threatens Medical Devices, IoT

EternalBlue reaching new heights since WannaCry outbreak

Protecting server endpoints against WannaCry

As the US Fights COVID-19, 83% of Medical Devices Have Outdated Software & Scams Are Soaring

Lucifer Malware Hits Unpatched Windows Systems with Cryptomining, DDoS Attacks

Say Goodbye to Windows Server 2008 – and Hello to Azure?

When Older Windows Systems Won’t Die

Healthcare Orgs Suffering High Ratio & Rising Threats from Ransomware, Phishing Attacks

 

 

Sources:

https://www.techrepublic.com/article/fbi-announcement-on-windows-7-end-of-life-prompts-worry-from-security-experts/

https://www.techradar.com/news/windows-7-end-of-life-everything-you-need-to-know-about-the-death-of-windows-7

https://www.techrepublic.com/article/fbi-announcement-on-windows-7-end-of-life-prompts-worry-from-security-experts/