U.S. Senator accuses Microsoft of “gross cybersecurity negligence”

U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting that the agency investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.

The Senator opened the formal request by saying that Microsoft should be held “liable for its gross cybersecurity negligence, leading to ransomware attacks against critical infrastructure, including U.S. health care organizations.”

The Senator highlights Microsoft’s prolonged failure to take decisive action to effectively mitigate well-documented security risks in its products, resulting in attacks such as the 2024 Ascension Health ransomware breach, which compromised the data of 5.6 million patients.

The incident, which occurred in May 2024, unfolded when a contractor clicked a malicious Bing search result in Microsoft Edge, allowing hackers to carry out a “Kerberoasting” attack.

Kerberos is a network authentication protocol that gives users and services access to network resources by verifying their identity with tickets issued by a key distribution center, so the password itself is never sent over the network.

Kerberoasting is a post-compromise technique that lets attackers steal encrypted service account credentials from Microsoft Active Directory. Any authenticated domain user can request a service ticket for an account that has a service principal name (SPN); part of that ticket is encrypted with a key derived from the service account’s password, and the attacker takes it offline to crack.

It takes advantage of weak or easy-to-guess passwords, often protected with the insecure and deprecated RC4 algorithm, that can be recovered with readily available brute-force tools. With RC4-HMAC (Kerberos encryption type 23) the key is simply the unsalted NT hash of the password, so each guess costs a single MD4 computation; the AES types derive their keys with a salted PBKDF2 of 4096 iterations, which makes every guess thousands of times more expensive.

After recovering the password, the attacker can use it to escalate privileges and move laterally on the compromised network, as happened in the Ascension Health breach.

The Senator says his team spoke with Microsoft in July 2024, urging the tech giant to warn customers of the dangers of using RC4 instead of more robust options like AES 128/256, and to make the latter the default setting.

Microsoft responded with a blog post published in October, which the Senator said was highly technical and failed to clearly convey the warning to decision-makers within companies.

The RC4 encryption algorithm is still an option in Kerberos, despite being a weak cipher with known biases that allow recovering plaintext information, and despite its Kerberos key being nothing more than the unsalted NT hash of the account password.

It is worth noting that Microsoft has pledged to strengthen security in its products. RC4 is still present in Kerberos to support older systems that do not accept newer, more secure algorithms.

Wyden explicitly frames Microsoft’s practices as a serious national security risk, expressing certainty that more high-impact incidents will occur unless the FTC intervenes.

“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable” – Senator Ron Wyden

BleepingComputer has contacted Microsoft with a request for comment on this development, and a spokesperson sent us the following statement:

“RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic. However, disabling its use completely would break many customer systems.”

The company is actively working to gradually remove the algorithm without creating any disruption for customers, and is warning against it as well as providing advice on using the algorithm “in the safest ways possible.”

“We have it on our roadmap to eventually disable its use. We’ve engaged with the Senator’s office on this issue and will continue to listen and answer questions from them or others in government,” a Microsoft spokesperson told BleepingComputer.

The FTC has not yet publicly responded to Wyden’s request.
