The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification (PIN) warning private enterprises of increased security risks for their networks due to devices still running Windows 7 despite it reaching end of life earlier this year.
"The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems," the agency said in its advisory [pdf].
The FBI notes that as time passes, Windows 7 will become more vulnerable to attacks, both because the vendor no longer ships security updates and because new bugs will continue to be found in the OS.
While the agency acknowledged that migrating to a new OS can pose unique challenges, such as the cost of new software and hardware, it said that such challenges cannot outweigh the losses an enterprise incurs as a result of a cyber attack.
The FBI said that an actively supported OS automatically receives security updates from its vendor and therefore provides the best way to mitigate the risks arising from newly discovered security bugs.
Windows 7 reached end of support on 14 January 2020, and it no longer receives free software and security updates from Microsoft unless customers purchase an Extended Security Update (ESU) subscription from the company. The subscription enables Windows 7 users to receive security updates and fixes from Microsoft for an additional three years.
The FBI's advisory cites an open source report that suggested that 71 per cent of Windows devices used in healthcare organisations as of May 2019 ran an unsupported OS. Researchers have observed hackers launch more attacks against healthcare firms after an OS reaches end of life status. After Windows XP reached end of life in 2014, an immense increase in the number of exposed records from the healthcare industry was seen in 2015.
Cloud computing firm Citrix also said in December last year that NHS Trusts were using more than 200,000 devices running Windows 7.
Citrix issued information requests to 98 NHS Trusts across the UK, of which 77 responded. Seventy-eight per cent of NHS organisations said they were working on migrating their systems to Windows 10 within six months, while another six per cent of Trusts said that they were considering migrating to Windows 10 in the near future.