The cyberattack earlier this month on the Oldsmar, Florida, water treatment facility has reopened a debate over the use of the unsupported Windows 7 operating system at thousands of small and medium-sized firms, organizations and critical infrastructure providers. Continued use puts organizations at risk, experts say.
"In the world we live in now, a fully up-to-date Windows operating system is an absolute must," John Hammond, senior security researcher at Huntress, said. "Leaving an outdated, unsupported and overall dead technology running in production isn't 'like leaving the door open' — it's like there is no door at all."
The actors, who have not yet been identified, attempted to poison the water supply of the small Florida city by hacking into the water treatment facility and increasing the amount of sodium hydroxide — also known as lye — during the water treatment process. The change, if missed, would have threatened the health of residents.
Federal and local officials said the attackers may have used a desktop sharing application called TeamViewer and exploited weak password hygiene. The actors also exploited the operator's use of the outdated Windows 7 system to bypass built-in security barriers and take control of the system.
"Continuing to use any operating system within an enterprise beyond the end-of-life status may provide cyber criminals access into computer systems," according to a joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency, the Environmental Protection Agency and the Multi-State Information Sharing and Analysis Center.
Oldsmar city officials declined to comment at the request of the Pinellas County Sheriff's office, citing an ongoing investigation into the incident.
Malicious activity using Remote Desktop Protocol in Windows 7 systems has increased since July 2019, allowing attackers to conduct attacks through misconfigured or improperly secured RDP access controls, according to the advisory.
In 2019, federal authorities took down an operation called the xDedic Marketplace, which sold credentials to compromised computer systems that were used to attack hospitals, call centers, 911 systems, law firms, accounting firms and major urban transit authorities.
Sen. Mark Warner, D-VA, co-chair of the Senate Cybersecurity Caucus, wrote to the FBI and EPA demanding updates on the criminal investigation and a compliance review of the water treatment facility.
Post-expiration Windows 7 use
The use of outdated Windows software is widespread, particularly among small- to medium-sized enterprises and other organizations, even after Microsoft ended support in January 2020.
By some estimates about 200 million computers still run on the Windows 7 operating system, according to Mike Puglia, chief strategy officer at Kaseya. All Windows 7 machines that are connected to the internet are at risk and even offline machines where employees share files create a level of risk.
"Without Microsoft support and security patches, all Windows 7 systems are defenseless against aggressive hackers looking for the next easy opportunity," he said. "The longer businesses run Windows 7 devices, the more time cybercriminals have to find and exploit vulnerabilities."
Companies running devices without regular updates also put systems at risk for sluggish performance and poor functionality, he said. Organizations running outdated systems can fall out of compliance with regulations like HIPAA and Europe's General Data Protection Regulation.
Microsoft services Windows 7/Server 2007 R2 under its Extended Security Update (ESU) program and also supports Windows 7 for customers that have Windows Virtual Desktop, according to the company. ESU end dates for enterprise versions of Windows 7 are January 2023.
Microsoft considers the ESU program a last resort for customers that need to run certain legacy products beyond the expiration of official support. The program provides critical and/or important security updates for three years beyond the end of extended support.
"In critical infrastructure environments, any changes can introduce risk to operations, so culturally asset operators are averse to updates — even security patches," said Grant Geyer, chief product officer of Claroty, a firm that specializes in industrial cybersecurity. "On top of this, critical infrastructure operations teams are often less cyber savvy than IT teams, and may not be aware of the cyber risks that obsolete tech poses to employee or public safety. Putting those factors together leads to serious cyber safety risks that are a dangerous undertow in critical infrastructure."
Critical infrastructure systems have historically been air gapped from IT environments, giving the illusion of safety from cyberattacks, according to Geyer.