US Sen. Ron Wyden has asked the Federal Trade Commission (FTC) to investigate Microsoft and hold it accountable for what he called “gross cybersecurity negligence” that enabled ransomware attacks on critical U.S. infrastructure, including healthcare networks.
“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its virtual monopoly of the enterprise operating system market, poses a serious national security threat and makes additional hacking inevitable,” Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, urging the agency to hold the Redmond-based company accountable to its “victims.”
The development comes after Wyden’s office obtained new information about last year’s cyber attack on the healthcare system Ascension, which resulted in the theft of personal and medical information belonging to nearly 5.6 million individuals.
The ransomware attack, which also disrupted access to electronic health records, was attributed to a ransomware group known as Black Basta. The breach ranks as the third-largest healthcare-related incident of the past year, according to the U.S. Department of Health and Human Services.
According to the Senator’s office, the breach occurred when a contractor clicked a malicious link after conducting a web search on Microsoft’s Bing search engine, causing their system to be infected with malware. The attackers then took advantage of “dangerous and insecure default settings” in Microsoft software to escalate their access to the most sensitive parts of Ascension’s network.
This involved the use of a technique called Kerberoasting, which targets the Kerberos authentication protocol to extract encrypted service account credentials from Active Directory (AD).
Kerberoasting “exploits an insecure 1980s-era encryption technology known as RC4, which Microsoft software still supports in its default configuration,” Wyden’s office added, noting that it had urged Microsoft to warn customers about the threat on July 29, 2024.
RC4 stands for Rivest Cipher 4 and is a stream cipher first designed in 1987. It was originally intended to be a trade secret but was leaked on a public forum in 1994. In 2015, the Internet Engineering Task Force (IETF) prohibited the use of RC4 in TLS, citing its cryptographic weaknesses.
Subsequently, in October 2024, Microsoft published an advisory outlining the steps users can take to protect themselves, and stated its plans to deprecate RC4 support in a future update for Windows 11 24H2 and Windows Server 2025 –
The accounts most vulnerable to Kerberoasting are those with weak passwords and those using weaker encryption algorithms, especially RC4. RC4 does not use a salt or an iterated hash when converting a password into an encryption key, which makes it susceptible to brute-force attacks and allows cyber threat actors to guess more passwords more quickly.
However, other encryption algorithms are still vulnerable when weak passwords are used. AD does not use RC4 by default, but RC4 is currently enabled by default. This means that a cyber threat actor can request a ticket encrypted with RC4. RC4 is deprecated and we intend to disable it by default in future updates for Windows 11 24H2 and Windows Server 2025.
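As an added example (not from the article or from Microsoft), the following Python detection logic applies the advisory’s point to defender telemetry: it scans constructed Windows Security event 4769 records and flags a client that requested RC4-encrypted (etype 0x17) service tickets for several distinct services within a short window, the pattern a Kerberoasting sweep produces. The flattened one-line record format and all names and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 (Kerberos service ticket requested) records, one per line; not real telemetry.
SAMPLE_4769 = """\
2025-03-01T10:00:01 4769 Account=jdoe@CORP.LOCAL Service=sql-svc Client=10.0.0.5 EncType=0x17
2025-03-01T10:00:02 4769 Account=jdoe@CORP.LOCAL Service=http-web01 Client=10.0.0.5 EncType=0x17
2025-03-01T10:00:02 4769 Account=jdoe@CORP.LOCAL Service=backup-svc Client=10.0.0.5 EncType=0x17
2025-03-01T10:00:03 4769 Account=jdoe@CORP.LOCAL Service=sap-svc Client=10.0.0.5 EncType=0x17
2025-03-01T10:00:03 4769 Account=jdoe@CORP.LOCAL Service=krbtgt Client=10.0.0.5 EncType=0x12
2025-03-01T10:05:00 4769 Account=asmith@CORP.LOCAL Service=web02$ Client=10.0.0.9 EncType=0x12
2025-03-01T11:00:00 4769 Account=asmith@CORP.LOCAL Service=sql-svc Client=10.0.0.9 EncType=0x17
"""
RC4_HMAC = 0x17  # Kerberos etype 23; AES128-CTS is 0x11 and AES256-CTS is 0x12
LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4769 Account=(?P<acct>\S+) Service=(?P<svc>\S+) "
    r"Client=(?P<client>\S+) EncType=(?P<etype>0x[0-9a-fA-F]+)$"
)

def parse_events(text):
    """Parse the flattened 4769 lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "account": m["acct"], "service": m["svc"],
                "client": m["client"], "etype": int(m["etype"], 16),
            })
    return events

def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Flag (account, client) pairs that obtained RC4 service tickets for at least
    `min_services` distinct services within `window`. Tickets for krbtgt and for
    computer accounts (names ending in '$', long random passwords) are ignored."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["etype"] != RC4_HMAC or e["service"] == "krbtgt" or e["service"].endswith("$"):
            continue
        by_pair[(e["account"], e["client"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        for i, first in enumerate(evs):  # slide the window over each start event
            seen = {x["service"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(seen) >= min_services:
                hits[pair] = sorted(seen)
                break
    return hits
```

Tune `window` and `min_services` to the environment: where RC4 is still the default etype, the RC4 filter alone is noisy and the burst of distinct services is the discriminating signal.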
Microsoft, which removed support for the Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, said in early February that it had introduced security improvements in Windows Server 2025 (version 24H2).
Some of Microsoft’s recommended mitigations to harden environments against Kerberoasting are –
- Use Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever possible
- Protect service accounts with randomly generated long passwords of at least 14 characters
- Ensure that all service accounts are configured to use AES (128- and 256-bit) for Kerberos service ticket encryption
- Audit user accounts that have service principal names (SPNs)
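As an added example (not Microsoft’s tooling and not from the article), this Python check evaluates accounts against the mitigations above: it decodes the msDS-SupportedEncryptionTypes bitmask to find SPN-bearing accounts that still allow RC4 or DES, and flags plain user accounts that should be gMSA/dMSA. The account records are constructed; a real run would feed it an export from Active Directory.

```python
# Bit values of the AD attribute msDS-SupportedEncryptionTypes, as documented by Microsoft.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10

# Constructed sample of an AD account export; hypothetical names and values, not real data.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_sql", "cls": "user", "spns": ["MSSQLSvc/db01.corp.local:1433"], "enctypes": None},
    {"sam": "svc_web", "cls": "user", "spns": ["HTTP/web01.corp.local"], "enctypes": 0x1C},
    {"sam": "svc_bak", "cls": "user", "spns": ["backup/bk01.corp.local"], "enctypes": 0x18},
    {"sam": "gmsa_app$", "cls": "msDS-GroupManagedServiceAccount",
     "spns": ["HTTP/app01.corp.local"], "enctypes": 0x18},
    {"sam": "jdoe", "cls": "user", "spns": [], "enctypes": None},
]

def audit_account(acct):
    """Return the Kerberoasting-relevant findings for one account, or [] if it is fine.
    Only accounts with an SPN matter: without one, no service ticket can be requested."""
    findings = []
    if not acct["spns"]:
        return findings
    et = acct["enctypes"]
    if not et:  # attribute absent or 0: the DC falls back to defaults, which still include RC4
        findings.append("enctypes unset: RC4 allowed by default")
    else:
        if et & (DES_CBC_CRC | DES_CBC_MD5):
            findings.append("DES enabled")
        if et & RC4_HMAC:
            findings.append("RC4 enabled")
        if not et & (AES128_CTS | AES256_CTS):
            findings.append("no AES etype enabled")
    if acct["cls"] == "user":  # human-chosen password; gMSA/dMSA rotate long random ones
        findings.append("plain user account with SPN: prefer gMSA/dMSA")
    return findings

def audit(accounts):
    """Map sAMAccountName -> findings for every account that has at least one finding."""
    return {a["sam"]: f for a in accounts if (f := audit_account(a))}
```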
However, Wyden writes that Microsoft’s software does not enforce a 14-character password length for privileged accounts, and that the company’s continued support for insecure RC4 encryption technology will “unnecessarily expose” customers to ransomware and other cyber threats by allowing attackers to crack the passwords of privileged accounts.
The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back. This is not the first time the Windows maker has come under fire over its cybersecurity practices.
In a report released last year, the U.S. Cyber Safety Review Board (CSRB) blamed the company for a series of avoidable errors that allowed a Chinese threat actor known as Storm-0558 to breach the online mailboxes of 22 organizations and more than 500 individuals around the world.
“In the end, Microsoft’s abysmal cybersecurity performance has not affected its favourable federal contracts, because of its dominant market position and government inaction in the face of a series of security failures by the company,” Wyden’s office argued.
“This letter highlights a longstanding tension in enterprise cybersecurity: the balance between supporting legacy systems and secure-by-design defaults,” said Ensar Seker, CISO at SOCRadar. “It concerns systemic risks inherited from the complexity of default configurations and the architecture of widely adopted software ecosystems like Microsoft’s. Once a single vendor underpins national infrastructure, a security design decision, or the lack of one, can have consequences.”
“In the end, this is not about blaming one company. It is about recognizing that national security is closely tied to the default configurations of dominant IT platforms. Businesses and public sector agencies need to be prepared to demand safer defaults and to adapt when they are offered.”