A US senator is accusing Microsoft of “gross cybersecurity negligence,” claiming the company left healthcare providers vulnerable to attacks, including the ransomware incident that struck Ascension last year.
On Wednesday, Sen. Ron Wyden (D-Ore.) sent a letter to the Federal Trade Commission, calling for an investigation into Microsoft and its role in the Ascension breach, in which hackers stole data on 5.6 million people. The attack was traced to an Ascension contractor downloading a malicious file that was thought to be legitimate. However, Wyden argues Microsoft also deserves some of the blame because its software still supports an older encryption technology by default.
According to Wyden, the Ascension contractor downloaded the malware after conducting “a search using Microsoft’s Bing search engine, which Microsoft’s Edge web browser uses by default. The contractor clicked on a malicious link from one of the search results, which resulted in them inadvertently downloading and opening malware.”
The malware, which was installed on the contractor’s laptop, then gave the hackers a way to infiltrate Ascension’s network and eventually spread ransomware to thousands of other computers at the healthcare provider.
Wyden’s argument is that Microsoft could have curbed the breach if its software did not leave customers exposed to “Kerberoasting,” an attack technique against the Kerberos authentication protocol rather than a single bug that can be patched. Using it, the hackers were able to crack the credentials of service accounts and gain administrative privileges in Ascension’s Microsoft Active Directory, the directory service that manages user accounts, computers, and applications across a company’s network.
Kerberoasting lets attackers recover Active Directory service-account passwords without ever touching the accounts themselves. Any authenticated domain user can request a Kerberos service ticket for an account that has a service principal name, and that ticket is encrypted with a key derived from the account’s password, so it can be taken offline and cracked by guessing. When the ticket is encrypted with RC4, the key is simply the account’s NT hash, which makes cracking fast for anything but a long, random password. That weak, outdated encryption is what Wyden is now calling out. “This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous,” he wrote.
“According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts,” he added.
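A defender reading the passage above will want to know what Kerberoasting looks like in their own logs. The following is an added example, written for this page and not taken from the article, from Wyden’s letter or from Microsoft: it runs two checks over Windows Security Event ID 4769 (“A Kerberos service ticket was requested”) records, flagging tickets issued with the RC4 encryption type (0x17) for user service accounts, and flagging any requester that asks for tickets to several distinct service accounts within a short window, which is how Kerberoasting tools behave when they enumerate every SPN-bearing account at once. The event records are constructed sample data with the real 4769 field names; the `ServiceName` and `TargetUserName` values are hypothetical, and a real deployment would feed these functions from the Security log or a SIEM export.

```python
"""Detect Kerberoasting-style activity in Windows Security Event 4769 records.

Added example, not code from the article, Wyden's letter or Microsoft.
Assumptions (labelled here and in the lead-in):
- Each event is a dict carrying the 4769 fields TargetUserName, ServiceName,
  TicketEncryptionType (hex string as logged), IpAddress and TimeCreated.
- Account and host names below are invented sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption types as logged in 4769's TicketEncryptionType.
RC4_HMAC = 0x17               # rc4-hmac: key == NT hash of the password, cheap to crack offline
AES128_CTS_HMAC_SHA1 = 0x11   # aes128-cts-hmac-sha1-96
AES256_CTS_HMAC_SHA1 = 0x12   # aes256-cts-hmac-sha1-96


def etype(event):
    """TicketEncryptionType is logged as '0x17'; int(..., 16) accepts the prefix."""
    return int(event["TicketEncryptionType"], 16)


def is_machine_account(name):
    """Computer accounts end in '$' and have long random passwords; not roastable."""
    return name.rstrip().endswith("$")


def is_krbtgt(service):
    """krbtgt tickets are TGTs, not service tickets for a crackable account."""
    return service.split("/")[0].lower() == "krbtgt"


def rc4_service_tickets(events):
    """Return 4769 events where an RC4-encrypted ticket was issued for a
    user (non-machine) service account. These are the tickets worth cracking,
    and each one is a signal that RC4 is still negotiable for that account."""
    return [
        ev for ev in events
        if etype(ev) == RC4_HMAC
        and not is_machine_account(ev["ServiceName"])
        and not is_krbtgt(ev["ServiceName"])
    ]


def roasting_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Flag any (requesting account, source IP) that requests tickets for at
    least `min_services` distinct user service accounts within `window`.
    Legitimate clients ask for one service at a time; roasting tools ask for
    all of them in one sweep. Each alert records whether any ticket in the
    burst was RC4, the case where cracking is cheapest."""
    by_requester = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if is_machine_account(svc) or is_krbtgt(svc):
            continue
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (requester, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):            # sliding window over sorted events
            in_window = [e for e in evs[i:]
                         if e["TimeCreated"] - first["TimeCreated"] <= window]
            services = {e["ServiceName"] for e in in_window}
            if len(services) >= min_services:
                alerts.append({
                    "requester": requester,
                    "ip": ip,
                    "services": sorted(services),
                    "rc4": any(etype(e) == RC4_HMAC for e in in_window),
                })
                break                                # one alert per requester is enough
    return alerts


def _ev(user, service, enc, ip, when):
    """Build a constructed 4769-shaped record (sample data, not a real log)."""
    return {"TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": enc, "IpAddress": ip, "TimeCreated": when}


T0 = datetime(2024, 5, 8, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed: one roasting sweep, two ordinary requests
    _ev("contractor", "svc_sql",    "0x17", "10.0.0.5", T0),
    _ev("contractor", "svc_backup", "0x17", "10.0.0.5", T0 + timedelta(seconds=1)),
    _ev("contractor", "svc_web",    "0x12", "10.0.0.5", T0 + timedelta(seconds=2)),
    _ev("contractor", "HOST01$",    "0x17", "10.0.0.5", T0 + timedelta(seconds=3)),
    _ev("contractor", "krbtgt/CORP", "0x12", "10.0.0.5", T0 + timedelta(seconds=4)),
    _ev("alice",      "svc_sql",    "0x12", "10.0.0.9", T0 + timedelta(hours=1)),
    _ev("bob",        "svc_sql",    "0x17", "10.0.0.7", T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for ev in rc4_service_tickets(SAMPLE_EVENTS):
        print("RC4 ticket:", ev["TargetUserName"], "->", ev["ServiceName"])
    for alert in roasting_bursts(SAMPLE_EVENTS):
        print("possible Kerberoasting:", alert)
```

On the sample data the first check lists three RC4 tickets (two from the sweep and bob’s single request) and the second raises one alert, for `contractor` from `10.0.0.5`, with `rc4` set. Detection is a stopgap: the accounts that show up here need long random passwords (a group managed service account does this for you) and, where every client supports it, `msDS-SupportedEncryptionTypes` restricted to AES so RC4 tickets are never issued for them in the first place.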
After the Ascension breach became public, Wyden said his staff spoke with Microsoft in July 2024 and urged it to warn enterprise customers about the Kerberoasting threat, which the company did in October. A blog post at the time also said Microsoft planned on deprecating RC4 and disabling it by default “in a future update to Windows 11 24H2 and Windows Server 2025.”
But in his letter, Wyden wrote: “Eleven months later, Microsoft has yet to release that promised security update.” He also faulted the company for doing little to promote its blog post about the Kerberoasting threat. “As such, it is highly likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to Kerberoasting,” he said.
However, Microsoft pushed back on Wyden’s letter, telling PCMag: “RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic.”
“However, disabling its use completely would break many customer systems,” the company added. “For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use. We’ve engaged with The Senator’s office on this issue and will continue to listen and answer questions from them or others in government.”
In the meantime, Microsoft said that starting in Q1 any new installations of Active Directory Domains using Windows Server 2025 have had RC4 disabled by default. “We plan to include additional mitigations for existing in-market deployments with considerations for compatibility and continuity of critical customer services,” the company added.
It’s not the first time Wyden has slammed Redmond over alleged security failings. In 2023, he also demanded a federal investigation into the company after state-sponsored hackers breached US government systems, partly by exploiting Microsoft software.
In his latest letter, Wyden added: “The Ascension hack illustrates how it is Microsoft’s customers, and, ultimately, the public, who bear the cost of Microsoft’s dangerous software engineering practices and the company’s refusal to inform its customers about the pressing need to adopt important cybersecurity safeguards.”
The FTC didn’t immediately respond to a request for comment.
About Michael Kan
Senior Reporter