U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting that the agency investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.
The Senator opened the formal request by saying that Microsoft should be held “responsible for its gross cybersecurity negligence, resulting in ransomware attacks against critical infrastructure, including U.S. health care organizations.”
The Senator highlights Microsoft’s prolonged failure to take decisive action to effectively mitigate well-documented security risks in its products, resulting in attacks such as the 2024 Ascension Health ransomware breach, which compromised the data of 5.6 million patients.
The incident, which occurred in May 2024, unfolded when a contractor clicked a malicious Bing search result in Microsoft Edge, allowing hackers to carry out a “Kerberoasting” attack.
Kerberos is a network authentication protocol that gives users and services access to network resources by verifying their identity without exchanging a password.
Kerberoasting is a post-compromise technique that lets attackers obtain encrypted service account credentials from Microsoft Active Directory.
It takes advantage of weak or easy-to-guess service account passwords, often protected with the insecure and deprecated RC4 algorithm, which can be cracked with readily available brute-force tools.
After cracking the password, the attacker can use it to escalate privileges and move laterally across the compromised network, as happened in the Ascension Health breach.
The Senator says his staff spoke with Microsoft in July 2024, urging the tech giant to warn customers of the dangers of using RC4 instead of more robust options such as AES 128/256, and to make the latter the default setting.
Microsoft responded with a blog post published in October, which the Senator said was highly technical and failed to clearly convey the warning to decision-makers within companies.
The RC4 encryption algorithm is still an option in Kerberos, despite being a weak cipher with vulnerabilities that allow recovering plaintext information.
It is worth noting that Microsoft has pledged to strengthen security in its products. RC4 remains present in Kerberos to support older systems that do not accept newer, more secure algorithms.
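As an added defensive example (not code from the article, the Senator’s office, or Microsoft), here is the detection side of the Kerberoasting pattern described above: a Python script that parses Windows Security event 4769 (“A Kerberos service ticket was requested”) records and flags accounts that obtained RC4-encrypted service tickets (encryption type 0x17) for several service accounts, the signal a SOC watches for while RC4 is still enabled. The event lines, account names and the threshold of three services are constructed assumptions.

```python
"""Kerberoasting detection over Windows Security event 4769 (service ticket requested).
Heuristic: one account obtains RC4-encrypted (0x17) service tickets for several
non-machine service accounts in a short window. All event lines are constructed."""
import re
from collections import defaultdict

RC4_HMAC = 0x17  # "Ticket Encryption Type" as logged for RC4-HMAC; AES128/256 are 0x11/0x12

# Constructed sample 4769 records, flattened to one line each for the demo.
SAMPLE_EVENTS = """\
2024-05-08T09:14:02Z 4769 AccountName=jsmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=10.0.5.23
2024-05-08T09:14:03Z 4769 AccountName=jsmith@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 ClientAddress=10.0.5.23
2024-05-08T09:14:03Z 4769 AccountName=jsmith@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 ClientAddress=10.0.5.23
2024-05-08T09:14:04Z 4769 AccountName=jsmith@CORP.LOCAL ServiceName=WS0142$ TicketEncryptionType=0x17 ClientAddress=10.0.5.23
2024-05-08T09:15:10Z 4769 AccountName=mlee@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 ClientAddress=10.0.7.9
2024-05-08T09:16:00Z 4769 AccountName=mlee@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 ClientAddress=10.0.7.9
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) 4769 AccountName=(?P<account>\S+) ServiceName=(?P<service>\S+) "
    r"TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+) ClientAddress=(?P<ip>\S+)$"
)

def parse_events(text):
    """Parse flattened 4769 lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            d = m.groupdict()
            d["etype"] = int(d["etype"], 16)
            events.append(d)
    return events

def rc4_service_requests(events):
    """Map each requesting account to the service accounts it received RC4 tickets for.
    Machine accounts (trailing '$') and krbtgt have long random keys, so they are not
    the offline-crackable targets Kerberoasting goes after; they are skipped here."""
    hits = defaultdict(set)
    for e in events:
        svc = e["service"]
        if e["etype"] != RC4_HMAC or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits[e["account"]].add(svc)
    return hits

def suspected_kerberoasting(events, threshold=3):
    """Accounts that obtained RC4 tickets for at least `threshold` distinct service accounts."""
    return sorted(a for a, s in rc4_service_requests(events).items() if len(s) >= threshold)
```

Once AES is enforced for service accounts (msDS-SupportedEncryptionTypes) the same query doubles as a compliance check: any remaining 0x17 ticket points at a system that still negotiates RC4.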
Wyden explicitly frames Microsoft’s practices as a serious national security risk, expressing certainty that more high-impact incidents will occur unless the FTC intervenes.
“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable” – Senator Ron Wyden
BleepingComputer has contacted Microsoft with a request for comment on this development, and a spokesperson sent us the following statement:
“RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic. However, disabling its use completely would break many customer systems.”
The company is actively working to gradually remove the algorithm without creating any disruption for customers, and is warning against it as well as providing advice on using the algorithm “in the safest ways possible.”
“We have it on our roadmap to eventually disable its use. We’ve engaged with the Senator’s office on this topic and will continue to listen and answer questions from them or others in government,” a Microsoft spokesperson told BleepingComputer.
The FTC has not publicly responded to Wyden’s request yet.