FBI Warns of Serious Risks Posed by Using Windows 7
Bureau Says Attackers Can Use Vulnerable RDP Connections to Access Networks
The FBI is warning organizations that are still using Microsoft Windows 7 they are in danger of attackers exploiting vulnerabilities in the unsupported operating system to gain network access.
In a private industry alert, the FBI notes that there has been an uptick in hacking attempts targeting devices running Windows 7 since Microsoft ended support for the operating system on Jan. 14 and stopped issuing free security patches. Although organizations can still buy Microsoft's paid Extended Security Updates package to keep receiving patches, the FBI and Microsoft are urging them to upgrade to a supported version of Windows instead (see: Windows 7: Microsoft Ceases Free Security Updates).
"The FBI has observed cybercriminals targeting computer network infrastructure after an operating system achieves end-of-life status,” the FBI alert notes. “Continuing to use Windows 7 within an enterprise may provide cybercriminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered."
Windows 7 Still Popular
Despite the end to automatic updates from Microsoft, Windows 7 is still widely used at organizations around the world.
As of July, about 20% of all Windows-based devices still used Windows 7, according to Statcounter. Back in December 2019, NetMarketShare reported that Windows 7 remained the second most used operating system, following Windows 10, with one-third of all desktop and laptop PCs still running Windows 7.
"With fewer customers able to maintain a patched Windows 7 system after its end of life, cybercriminals will continue to view Windows 7 as a soft target," the FBI notes.
Leveraging RDP for Network Access
Attackers are likely to look for unpatched Windows 7 devices and then exploit flaws in Remote Desktop Protocol, the proprietary Microsoft protocol that lets administrators and employees open a remote desktop session on a Windows machine over the network, and which is often reachable directly from the internet, the FBI says.
“Cybercriminals continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol exploits,” the alert states.
Since the COVID-19 pandemic led to a shift to a remote workforce, security firms, including ESET and Kaspersky, have noted a sharp increase in brute-force and other attacks looking to exploit unpatched RDP connections to gain a foothold into the larger network (see: Brute-Force Attacks Targeting RDP on the Rise).
"Cybercriminals often use misconfigured or improperly secured RDP access controls to conduct cyberattacks," the FBI notes. "The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world."
Windows 7 systems that expose RDP and have not received the May 2019 patch are vulnerable to a flaw dubbed BlueKeep (CVE-2019-0708), a pre-authentication remote code execution bug in Remote Desktop Services that Microsoft has been warning about since mid-2019. The flaw affects Windows 7, Windows Server 2008 and 2008 R2, and the long-unsupported Windows XP and Server 2003, for which Microsoft took the unusual step of shipping a fix. Exploits for this bug have been spotted in the wild (see: Microsoft Warns Users: Beware of Damaging BlueKeep Attacks). Where patching is delayed, enabling Network Level Authentication on the affected systems is a partial mitigation, because an attacker then needs valid credentials before the vulnerable code is reached.
And while in-the-wild BlueKeep exploitation has mainly been tied to attackers planting cryptominers, Microsoft and the FBI note the bug is wormable. Because it requires no authentication, a successful exploit could be used to reach other vulnerable computers across a network and push malware across the entire infrastructure in much the same way the WannaCry ransomware spread in 2017 (see: DHS Is Latest to Warn of BlueKeep Vulnerability).
The FBI recommends that users who are unable to upgrade to newer versions of Windows or buy a support package for Windows 7 should take certain steps to enhance the security of devices still running Windows 7. Those include:
- Validate current software used within the larger network as well as access controls and network configurations;
- Ensure that properly configured firewalls, along with anti-virus and spam filters, are in use;
- Audit network configurations and isolate computer systems that cannot be updated;
- Audit networks using RDP, close unused RDP ports, apply two-factor authentication and log any RDP login attempts.
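The last recommendation, logging RDP login attempts, is only useful if something reads those logs. The following is an added example, not code from the FBI alert or this article, showing the detection logic a practitioner would run over exported Windows Security log events to spot the brute-force activity described earlier and, more importantly, a successful logon from a source that had just been guessing passwords. It assumes the events have been exported to JSON Lines with field names mirroring the properties of Windows events 4624 (successful logon) and 4625 (failed logon); the sample events, the source addresses, the threshold of five failures and the five-minute window are all constructed for the example.

```python
"""Flag RDP brute-force activity in exported Windows Security log events.

Added example: not part of the FBI alert or the article. The JSON Lines
format, field names and thresholds below are assumptions for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows logon type 10 (RemoteInteractive) is a classic RDP session. When
# Network Level Authentication is enabled, a failed RDP attempt is rejected
# during CredSSP and shows up in event 4625 as logon type 3 (Network), so both
# types are counted as failures; type 3 also covers SMB and other network
# logons, so tune the threshold before relying on it.
RDP_FAILURE_TYPES = {"10", "3"}
RDP_SUCCESS_TYPE = "10"

# Constructed sample of exported Security-log events (not real data):
# five password guesses from 203.0.113.45 followed by a success, one normal
# mistyped password from 192.0.2.10, and a lone NLA-stage failure.
SAMPLE_EVENTS = """\
{"TimeCreated": "2020-08-03T02:14:05", "EventID": 4625, "LogonType": "10", "IpAddress": "203.0.113.45", "TargetUserName": "administrator"}
{"TimeCreated": "2020-08-03T02:14:07", "EventID": 4625, "LogonType": "10", "IpAddress": "203.0.113.45", "TargetUserName": "admin"}
{"TimeCreated": "2020-08-03T02:14:09", "EventID": 4625, "LogonType": "10", "IpAddress": "203.0.113.45", "TargetUserName": "backup"}
{"TimeCreated": "2020-08-03T02:14:11", "EventID": 4625, "LogonType": "10", "IpAddress": "203.0.113.45", "TargetUserName": "scanner"}
{"TimeCreated": "2020-08-03T02:14:13", "EventID": 4625, "LogonType": "10", "IpAddress": "203.0.113.45", "TargetUserName": "jsmith"}
{"TimeCreated": "2020-08-03T02:14:20", "EventID": 4624, "LogonType": "10", "IpAddress": "203.0.113.45", "TargetUserName": "jsmith"}
{"TimeCreated": "2020-08-03T08:05:00", "EventID": 4625, "LogonType": "10", "IpAddress": "192.0.2.10", "TargetUserName": "mjones"}
{"TimeCreated": "2020-08-03T08:05:30", "EventID": 4624, "LogonType": "10", "IpAddress": "192.0.2.10", "TargetUserName": "mjones"}
{"TimeCreated": "2020-08-03T09:00:00", "EventID": 4625, "LogonType": "3", "IpAddress": "198.51.100.7", "TargetUserName": "guest"}
"""


def parse_events(text):
    """Parse JSON Lines into dicts with a datetime TimeCreated, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return suspicious sources keyed by IP address.

    A source is marked 'bruteforce' once it produces `threshold` failed RDP
    logons inside any `window`, and escalated to 'bruteforce_success' if a
    successful RDP logon from that source follows: the attacker found a
    working credential and the account should be treated as compromised.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    stats = defaultdict(lambda: {"status": "ok", "failures": 0, "users": set()})
    for ev in events:
        ip, ts = ev.get("IpAddress", "-"), ev["TimeCreated"]
        s = stats[ip]
        if ev["EventID"] == 4625 and ev["LogonType"] in RDP_FAILURE_TYPES:
            s["failures"] += 1
            s["users"].add(ev["TargetUserName"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and s["status"] == "ok":
                s["status"] = "bruteforce"
        elif ev["EventID"] == 4624 and ev["LogonType"] == RDP_SUCCESS_TYPE:
            if s["status"] == "bruteforce":
                s["status"] = "bruteforce_success"
                s["compromised_user"] = ev["TargetUserName"]
    return {ip: s for ip, s in stats.items() if s["status"] != "ok"}


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding["status"], "failures=%d" % finding["failures"],
              "users=%s" % sorted(finding["users"]),
              "compromised_user=%s" % finding.get("compromised_user", "-"))
```

On the sample, 203.0.113.45 is reported as bruteforce_success with jsmith as the account to reset and investigate, while the single mistyped password from 192.0.2.10 and the lone type-3 failure are ignored. A production version would read events straight from the Security log (Get-WinEvent on the host, or the SIEM's copy) and would add the firewall angle the FBI recommends: any source that trips this rule should not have been able to reach TCP 3389 in the first place.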
Britain's National Cyber Security Centre has also released short-term recommendations for protecting organizations until they can transition to supported operating systems.