A US senator is accusing Microsoft of “gross cybersecurity negligence,” claiming the company left healthcare providers vulnerable to attacks, including the ransomware incident that struck Ascension last year.
On Wednesday, Sen. Ron Wyden (D-Ore.) sent a letter to the Federal Trade Commission, calling for an investigation into Microsoft and its role in the Ascension breach, in which hackers stole data on 5.6 million users. The attack was traced to an employee downloading a malicious file that was thought to be legitimate. However, Wyden argues Microsoft also deserves some of the blame because of its continued use of an older encryption technology.
(Photo by Anna Moneymaker/Getty Images)
According to Wyden, the Ascension contractor downloaded the malware after conducting “a search using Microsoft’s Bing search engine, which Microsoft’s Edge web browser uses by default.” “The contractor clicked on a malicious link from one of the search results, which resulted in them inadvertently downloading and opening malware.”
The malware, which was installed on the contractor’s laptop, then gave the hackers a way to infiltrate Ascension’s network and eventually spread ransomware to thousands of other computers at the healthcare provider.
The problem is that Microsoft could’ve curbed the breach if it had patched an encryption-related vulnerability dubbed “Kerberoasting” in the company’s software. Thanks to the flaw, the hackers were able to crack the credentials and gain administrative privileges to accounts on Ascension’s Microsoft Active Directory server, which can be harnessed to manage user accounts and applications over a company’s network.
Kerberoasting lets attackers steal Active Directory passwords partly by exploiting weak, outdated encryption, which Wyden is now calling out. “This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous,” he wrote.
“According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts,” he added.
After the Ascension breach became public, Wyden said his staff spoke with Microsoft in July 2024 and urged it to warn enterprise customers about the Kerberoasting threat, which the company did in October. A blog post at the time also said Microsoft planned on deprecating RC4 and disabling it by default “in a future update to Windows 11 24H2 and Windows Server 2025.”
But in his letter, Wyden wrote: “Eleven months later, Microsoft has yet to release that promised security update.” He also faulted the company for doing little to promote its blog post about the Kerberoasting threat. “As such, it is highly likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to Kerberoasting,” he said.
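An Active Directory administrator who wants to know whether their own domain is in the state the letter describes can check the two conditions it names: service accounts that still accept RC4-encrypted Kerberos tickets, and a domain password policy that allows privileged accounts shorter than the 14 characters Microsoft cites. The following PowerShell script is an added example written for this article; it is not code from the article, from Wyden's letter, or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that svc_example is a placeholder account name for the remediation lines at the end.

```powershell
# Added example, not from the article or Microsoft. Audits the two conditions the
# letter describes: accounts that still accept RC4 service tickets, and a domain
# password policy shorter than the 14 characters Microsoft cites as a mitigation.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10

function Get-KerberoastExposure {
    # Only accounts that carry a ServicePrincipalName can be asked for a service
    # ticket, so only those accounts are relevant to this check.
    $accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet, AdminCount, Enabled

    foreach ($acct in $accounts) {
        $etypes = $acct.'msDS-SupportedEncryptionTypes'
        # Unset (null or 0) means the domain default applies, which on most domains
        # still includes RC4; treat it as exposed.
        $allowsRC4 = (-not $etypes) -or (($etypes -band $RC4_HMAC) -ne 0)
        $allowsAES = [bool]$etypes -and (($etypes -band ($AES128 -bor $AES256)) -ne 0)

        [pscustomobject]@{
            SamAccountName  = $acct.SamAccountName
            Enabled         = $acct.Enabled
            Privileged      = ($acct.AdminCount -eq 1)   # has been in a protected group
            EncryptionTypes = if ($etypes) { '0x{0:X}' -f $etypes } else { 'unset (domain default)' }
            AllowsRC4       = $allowsRC4
            AllowsAES       = $allowsAES
            PasswordAgeDays = if ($acct.PasswordLastSet) {
                                  [int](New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).TotalDays
                              } else { $null }
            SPNCount        = @($acct.ServicePrincipalName).Count
        }
    }
}

function Test-PasswordLengthPolicy {
    # The default domain policy is what applies to any account without a
    # fine-grained password policy, including most service accounts.
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinPasswordLength = $policy.MinPasswordLength
        MeetsFourteen     = ($policy.MinPasswordLength -ge 14)
    }
}

# Report: privileged accounts that still accept RC4 are the highest-risk rows.
Get-KerberoastExposure |
    Sort-Object -Property @{Expression = 'Privileged'; Descending = $true},
                          @{Expression = 'AllowsRC4';  Descending = $true} |
    Format-Table -AutoSize

Test-PasswordLengthPolicy | Format-List

# Remediation for one account, once its service is confirmed to work with AES
# (svc_example is a placeholder). Restrict the account to AES, then reset the
# password so fresh AES keys are derived from a long, random value.
# Set-ADUser -Identity svc_example -Replace @{'msDS-SupportedEncryptionTypes' = ($AES128 -bor $AES256)}
# Set-ADAccountPassword -Identity svc_example -Reset `
#     -NewPassword (Read-Host -AsSecureString 'New password of 14 or more characters')
```

The report treats an unset attribute as allowing RC4 because the attribute only overrides the domain default when it is populated; an account that shows AES in its attribute but has not had its password changed since AES was enabled still has no AES keys, which is why the remediation resets the password after changing the attribute. Where a service supports it, moving it to a group managed service account removes the password-length concern altogether, since the directory generates and rotates the password itself.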
Microsoft didn’t immediately respond to a request for comment. But it’s not the first time Wyden has slammed Redmond over alleged security failings. In 2023, he also demanded a federal investigation into the company after state-sponsored hackers breached US government systems, partly by exploiting Microsoft software.
In his latest letter, Wyden added: “The Ascension hack illustrates how it is Microsoft’s customers, and, ultimately, the public, who bear the cost of Microsoft’s dangerous software engineering practices and the company’s refusal to inform its customers about the pressing need to adopt important cybersecurity safeguards.”
The FTC didn’t immediately respond to a request for comment.
About Michael Kan
Senior Reporter
