The Culture of upgrading and patching software

Digital transformation makes reducing the attack surface more difficult, given the exponential growth of users, devices, systems, and third-party applications that need to be updated. As a consequence, the range of possible cyber-threats is considerably larger. The costs that these attacks impose on businesses and users add to the problem: it is estimated that by 2021 the cost of cyber-crime will reach $6 trillion.

Many of the costliest recent cyber-attacks, carried out for profit, were made possible by unpatched vulnerabilities (loopholes) in organizations’ IT systems.

Scope of the Study

Since December last year, Microsoft has been sending warning notifications to Windows 7 users that, after 10 years, support for Windows 7 will come to an end on January 14, 2020. “We know change can be difficult, so we are here to help you with recommendations for what to do next and to answer questions about the end of support.”

Users will still be able to run Windows 7 after the date on which Microsoft stops supporting it, but they will be more susceptible to security threats, and the attack surface will be broad because it will cover all users who have not upgraded to other Windows versions such as 8 and 10. To hammer that point home, Microsoft is planning to deliver a new pop-up notification to users still running Windows 7 on January 15, 2020, to make it clear that “Your Windows 7 PC is out of support.”

Microsoft is delivering this new nag notification to Windows 7 users by making it part of a patch roll-up. The coming notification is embedded in monthly rollup KB4530734, which Microsoft made available to Windows 7 SP1 users on December 10 as part of its Patch Tuesday set of updates. This patch is designed to configure Windows 7 PCs that receive it so they will display the January 15 notification starting on that date, Microsoft officials said.
The January 15 full-screen warning will tell users that their PCs are more vulnerable to viruses and malware due to no security updates, no software updates, and no tech support. It will say that “Microsoft strongly recommends using Windows 10 on a new PC for the latest security features and protection against malicious software.”
Those who see the full-screen warning will have three options: “Remind me later”, “Learn more”, or “Don’t remind me again”. If users don’t click on the “Don’t remind me again” button and just dismiss the screen, they will continue to get nag warnings.

Microsoft will continue to provide security updates for Windows 7 for up to three years to business users who purchase Extended Security Updates for each of their PCs running the OS. It will also provide Windows 7 security updates at no additional charge for three years to users who purchase Windows Virtual Desktop. Office 365 ProPlus will continue to work on devices with Windows 7 Extended Security Updates through January 2023, Microsoft officials said.

Google announced that it will continue to support its Chrome browser on Windows 7 until at least July 2021. Microsoft officials will also clarify how long they will continue to support the new Chromium-based Edge browser on Windows 7.

What to worry about?

Data owners worry less when they know they are safe. Safety means guaranteeing that there are no risks of intolerable losses. An organization’s ability to ensure that its environment is in a sound state, to detect and identify new threats, and to adopt new practices and organizational attributes for protecting itself contributes to its resilience.

The sections below assess some of the most damaging vulnerabilities ever, which have cost companies billions globally, and the impact they had on the IT systems where they existed.

EternalBlue

This vulnerability was developed by the U.S. National Security Agency (NSA) and affects the Microsoft Server Message Block (SMB). It came to light on May 12, 2017, when the hacking group the Shadow Brokers revealed that the NSA was collecting vulnerabilities of this kind. The list of attacks that resulted from this vulnerability is extensive.

The most famous use was WannaCry, which affected over 300,000 companies globally and cost a total of around $4 billion. The malware NotPetya, which came to light just a month later, was able to get onto systems thanks to this vulnerability, stealing passwords to take control of the network it had accessed.

And we’re not just talking about ransomware: shortly after the WannaCry attacks, we started to see a piece of malware called Adylkuzz, which used EternalBlue to download a series of commands onto infected computers. These commands were then used to mine and extract cryptocurrencies.

Future cyber-threat trends after Windows 7 support ends

WannaCry took place because Windows XP users failed to patch their systems a month after Microsoft released the patch for the vulnerability, which prompted activists to make use of the EternalBlue vulnerability that existed in that Windows version. The same may happen once again after Microsoft stops supporting Windows 7.

Government parastatals are in great danger if they don’t pay attention to this notice. Hackers have discovered that governments are much more willing to pay ransoms because they hold more sensitive data and inherently have deeper pockets. This has been borne out by the many government offices that have fallen victim to such attacks.

Attacks on many organizations and individuals spiked the previous year, with many state and local governments hit with ransomware. The malware has also hit hospitals, businesses, and universities, but governments have become a prime target.

Kevin Latimore, an enterprise malware removal specialist for security software provider Malwarebytes, said,

“These government organizations are not always well-equipped on cybersecurity concerns, which makes them easy targets,” and added that, “Not only do they have potential to pay, but they are a soft target.”

Local governments are also more frequently opting to pay the ransom rather than rebuild their systems. After seeing Atlanta spend $2.6 million to restore its systems rather than pay the $52,000 ransom, many officials have decided that it’s cheaper to pay the hackers. Such payments have convinced hackers to target more governments and ramp up their demands, according to security experts.

Put plainly, these attacks will get a boost if hackers are given an additional field to operate from. Government officials should embrace a cyber-resilient culture, since they have proved to be the most attractive targets for threat actors. Experts have warned that if government parastatals continue to pay ransoms, ransomware will continue to grow in 2020.

EternalRomance

This is another vulnerability, referred to as EternalRomance, that shared part of the code used in the NotPetya attack. It was also developed by the NSA and also affects SMB. The attack mainly affected users in Eastern Europe and Russia.

At the start of the year 2018, the Winter Olympics in Pyeongchang experienced a cyberattack. During the opening ceremony, attackers interfered with the Internet connection, the website of the games, and television services. To carry this out, those behind the attack made use of EternalRomance.

 

How to avoid these attacks?

The answer is simple: upgrade to the latest Windows versions, where these vulnerabilities are patched, before hackers take advantage of the situation.

Many organizations do not know how to apply the right patches, fail to prioritize which patches to apply first, or don’t have patching policies, which still poses a threat that vulnerabilities of this kind may go unnoticed. What’s more, EternalBlue is still threatening unpatched systems.

The majority of cyber-attacks and exploits also take advantage of outdated systems and third-party application software, exploiting known vulnerabilities for which an update had been available for a week, or even months, before the breach.
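
One way to make the prioritization problem described above repeatable is to score each host on the factors this article names: an operating system past end of support, exposed SMB, and patches left uninstalled for weeks or months. The sketch below is an added example, not part of the original article; the inventory, the scoring weights, the ESU expiry date and the February 11, 2020 patch date are constructed for illustration, and only the January 14, 2020 end-of-support date and the December 10 rollup date come from the text.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

WIN7_END_OF_SUPPORT = date(2020, 1, 14)  # date stated in the article

@dataclass
class Host:
    name: str
    os: str
    smb_exposed: bool                 # SMB reachable from other network segments
    esu_until: Optional[date] = None  # Extended Security Updates expiry, if purchased
    pending: List[date] = field(default_factory=list)  # release dates of missing patches

def os_unsupported(host, today):
    """True when a Windows 7 host no longer receives security updates."""
    if host.os != "Windows 7" or today <= WIN7_END_OF_SUPPORT:
        return False  # this sketch only models the Windows 7 deadline
    return host.esu_until is None or today > host.esu_until

def risk_score(host, today):
    """Hypothetical weights: unsupported OS 50, exposed SMB 30, patch age up to 30."""
    score = 0
    if os_unsupported(host, today):
        score += 50  # no further fixes will arrive for this host
    if host.smb_exposed:
        score += 30  # EternalBlue and EternalRomance both affect SMB
    if host.pending:
        oldest = max((today - released).days for released in host.pending)
        score += min(oldest, 90) // 3  # a patch ignored for 90+ days scores the maximum
    return score

def triage(hosts, today):
    """Return (name, score) pairs, highest risk first, ties broken by name."""
    scored = [(h.name, risk_score(h, today)) for h in hosts]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

# Constructed inventory for illustration; host names and most dates are made up.
INVENTORY = [
    Host("hr-desktop-07", "Windows 7", True, None, [date(2019, 12, 10)]),
    Host("finance-pc-02", "Windows 7", False, date(2023, 1, 14), [date(2020, 2, 11)]),
    Host("web-frontend", "Windows 10", True, None, [date(2020, 2, 11)]),
    Host("kiosk-01", "Windows 10", False, None, []),
]

if __name__ == "__main__":
    for name, score in triage(INVENTORY, date(2020, 3, 1)):
        print(f"{score:3d}  {name}")
```

The unsupported Windows 7 desktop with exposed SMB lands at the top of the list, while the Windows 7 machine covered by Extended Security Updates ranks below a supported but SMB-exposed server until its coverage lapses.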

In conclusion

Despite the warnings that Microsoft is endeavoring to give Windows 7 users, it’s sad to say that the majority may treat this notice as an afterthought and refuse to upgrade, and this will leave cybersecurity among users in a dire state. It has been noted that in the past few years, attackers’ ability to exploit user ignorance has increased, while users’ (victims’) knowledge remains shallow in the fourth industrial revolution. Unless aggressive security norms are employed to bridge that gap, cybercrime is most likely to increase.
