U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) asking the agency to investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.
The Senator opened the formal request by saying that Microsoft should be held "responsible for its gross cybersecurity negligence, resulting in ransomware attacks against critical infrastructure, including U.S. health care organizations."
The Senator highlights Microsoft's prolonged failure to take decisive action to effectively mitigate well-documented security risks in its products, resulting in attacks such as the 2024 Ascension Health ransomware breach, which compromised the data of 5.6 million patients.
The incident, which occurred in May 2024, unfolded when a contractor clicked a malicious Bing Search result in Microsoft Edge, allowing hackers to carry out a "Kerberoasting" attack.
Kerberos is a network authentication protocol that gives users and services access to network resources by verifying their identity without a password exchange.
Kerberoasting is a post-compromise technique that lets attackers steal encrypted service account credentials from Microsoft Active Directory.
It takes advantage of weak or easy-to-guess passwords, commonly encrypted with the insecure and deprecated RC4 algorithm, that can be cracked offline with readily available brute-force tools.
After cracking the password, the attacker can use it to escalate privileges and move laterally on the compromised network, as in the case of the Ascension Health breach.
The Senator says his team spoke with Microsoft in July 2024, urging the tech giant to warn customers of the dangers of using RC4 instead of more robust options like AES 128/256, and to make the latter the default setting.
Microsoft responded with a blog post published in October, which the Senator said was highly technical and failed to clearly convey the warning to decision-makers within companies.
The RC4 encryption algorithm is still an option in Kerberos, despite being a weak cipher with vulnerabilities that allow recovering plaintext information.
It's worth noting that Microsoft pledged to strengthen security in its products. RC4 is still present in Kerberos to support older systems that don't accept newer, safer algorithms.
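To make the detection side of this concrete, here is an added example (not from the article, the Senator's letter, or Microsoft) of how a defender can spot the Kerberoasting pattern in Windows Security Event ID 4769 records: one account requesting service tickets for many different services with Ticket Encryption Type 0x17 (RC4-HMAC). The sample log lines are constructed, and the flattened "Field: value;" layout, the helper names and the threshold are my assumptions rather than a Windows export format.

```python
import re
from collections import defaultdict

# Ticket Encryption Type codes logged in Windows Security Event ID 4769 (service
# ticket request) that mean the ticket is crackable offline; 0x11/0x12 are AES.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x17": "RC4-HMAC"}

# Constructed sample events, flattened to one "Field: value; ..." line each.
# Not real exported logs; the field names follow the 4769 event layout.
SAMPLE_4769 = """\
Account Name: alice@CORP.EXAMPLE; Service Name: MSSQLSvc-sql01; Ticket Encryption Type: 0x17; Client Address: ::ffff:10.0.0.5
Account Name: alice@CORP.EXAMPLE; Service Name: http-web01; Ticket Encryption Type: 0x17; Client Address: ::ffff:10.0.0.5
Account Name: alice@CORP.EXAMPLE; Service Name: backupsvc; Ticket Encryption Type: 0x17; Client Address: ::ffff:10.0.0.5
Account Name: bob@CORP.EXAMPLE; Service Name: MSSQLSvc-sql01; Ticket Encryption Type: 0x12; Client Address: ::ffff:10.0.0.9
Account Name: WS01$@CORP.EXAMPLE; Service Name: krbtgt; Ticket Encryption Type: 0x17; Client Address: ::ffff:10.0.0.7
Account Name: legacyapp@CORP.EXAMPLE; Service Name: oldsvc; Ticket Encryption Type: 0x17; Client Address: ::ffff:10.0.0.20
"""

FIELD_RE = re.compile(
    r"(Account Name|Service Name|Ticket Encryption Type|Client Address): ([^;]+)")

def parse_4769(text):
    """Turn each flattened 4769 line into a dict of the fields we care about."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "Ticket Encryption Type" in fields:
            events.append(fields)
    return events

def find_weak_etype_requesters(events, threshold=2):
    """Map account -> sorted services for which it obtained RC4/DES service
    tickets, keeping accounts with at least `threshold` distinct services.
    One principal pulling many SPNs under a weak etype is the classic
    Kerberoasting pattern; krbtgt and machine accounts ($) are skipped as noise."""
    per_account = defaultdict(set)
    for ev in events:
        if ev["Ticket Encryption Type"].lower() not in WEAK_ETYPES:
            continue
        user = ev["Account Name"].split("@")[0]
        if ev["Service Name"] == "krbtgt" or user.endswith("$"):
            continue
        per_account[ev["Account Name"]].add(ev["Service Name"])
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= threshold}

if __name__ == "__main__":
    for account, services in find_weak_etype_requesters(parse_4769(SAMPLE_4769)).items():
        print(f"{account}: {len(services)} weak-etype tickets -> {', '.join(services)}")
```

Real 4769 events are multi-line EVTX/XML records, so point the regex at whatever flattened form your SIEM produces; the threshold counts distinct services per account rather than raw events, which is what separates a Kerberoasting sweep from a single legacy application that still needs RC4.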
Wyden explicitly frames Microsoft's practices as a serious national security risk, expressing certainty that more high-impact incidents will occur unless the FTC intervenes.
"Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes more hacks inevitable" – Senator Ron Wyden
BleepingComputer has contacted Microsoft with a request for comment on this development, and a spokesperson sent us the following statement:
"RC4 is an outdated standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic. However, disabling its use entirely would break many customer systems."
The company is actively working to gradually remove the algorithm without creating any disruption to customers, and is warning against it as well as providing advice for using the algorithm "in the safest ways possible."
"We have it on our roadmap to ultimately disable its use. We've engaged with the Senator's office on this issue and will continue to listen and respond to questions from them or others in government," a Microsoft spokesperson told BleepingComputer.
The FTC has not publicly responded to Wyden's request yet.