The Federal Bureau of Investigations (FBI) warned of the security risks that organizations face if they continue to use the Windows 7 operating system despite its end of life (EOL) status.
In a private industry notification published on August 3, the FBI explained that it had witnessed computer criminals exploiting operating systems that had achieved EOL status to infiltrate organizations’ networks.
The law enforcement agency went on to warn of these security risks in reference to Windows 7, an operating system which reached its end of life on January 14, 2020. As quoted in the notification:
As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system.
The FBI highlighted several specific threats involving Windows 7 to spur organizations into action. For instance, it referenced the discovery that 98% of the computers infected in the 2017 WannaCry outbreak had been running an unpatched version of Windows 7.
#WannaCry infection distribution by the Windows version. Worst hit – Windows 7 x64. The Windows XP count is insignificant. pic.twitter.com/5GhORWPQij
— Costin Raiu (@craiu) May 19, 2017
The FBI reasoned that digital criminals would likely continue to treat the operating system as a “soft target” now that fewer users could maintain a patched device running Windows 7.
Additionally, the FBI noted that malicious actors had weaponized a vulnerability called “BlueKeep” in the summer of 2019 to abuse organizations’ misconfigured or improperly secured Remote Desktop Protocol (RDP) access controls in an effort to infiltrate organizations’ networks. That vulnerability affected older Microsoft operating systems including Windows 7 at the time of discovery .
Given the threats described above, the FBI recommended that organizations upgrade their operating operating systems to their latest versions, ensure that their security solutions are up to date and audit their network configurations.
News of this private industry notification arrived more than seven months after the Government Communications Headquarters (GCHQ) began urging people to no longer use computers with Windows 7 installed for banking or email.