U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called “gross cybersecurity negligence” that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.
“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, likening Redmond to an “arsonist selling firefighting services to their victims.”
The development comes after Wyden’s office obtained new information from healthcare system Ascension, which suffered a crippling ransomware attack last year, resulting in the theft of personal and medical information associated with nearly 5.6 million individuals.
The ransomware attack, which also disrupted access to electronic health records, was attributed to a ransomware group known as Black Basta. According to the U.S. Department of Health and Human Services, the breach has been ranked as the third-largest healthcare-related incident over the past year.
According to the senator’s office, the breach occurred when a contractor clicked on a malicious link after conducting a web search on Microsoft’s Bing search engine, causing their system to be infected with malware. Subsequently, the attackers leveraged “dangerously insecure default settings” on Microsoft software to obtain elevated access to the most sensitive parts of Ascension’s network.
This involved the use of a technique called Kerberoasting that targets the Kerberos authentication protocol to extract encrypted service account credentials from Active Directory.
Kerberoasting “exploits an insecure encryption technology from the 1980s known as ‘RC4’ that is still supported by Microsoft software in its default configuration,” Wyden’s office said, adding it urged Microsoft to warn customers about the threat posed by the threat on July 29, 2024.
RC4, short for Rivest Cipher 4, is a stream cipher that was first developed in 1987. Originally intended to be a trade secret, it was leaked in a public forum in 1994. As of 2015, the Engineering Task Force (ETF) has prohibited the use of RC4 in TLS, citing a “variety of cryptographic weaknesses” that allow plaintext recovery.
Eventually, Microsoft did publish an alert in October 2024 outlining the steps users can take to stay protected, in addition to stating its plans to deprecate support for RC4 as a future update to Windows 11 24H2 and Windows Server 2025 –
The accounts most vulnerable to Kerberoasting are those with weak passwords and those that use weaker encryption algorithms, especially RC4. RC4 is more susceptible to the cyberattack because it uses no salt or iterated hash when converting a password to an encryption key, allowing the cyberthreat actor to guess more passwords quickly.
However, other encryption algorithms are still vulnerable when weak passwords are used. While AD will not try to use RC4 by default, RC4 is currently enabled by default, meaning a cyberthreat actor can attempt to request tickets encrypted using RC4. RC4 will be deprecated, and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025.
Microsoft, which removed support for the Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2 earlier this February, said it has also introduced security improvements in Server 2025 that prevent the Kerberos Distribution Center from issuing Ticket Granting Tickets using RC4 encryption, such as RC4-HMAC(NT).
Some of Microsoft’s recommended mitigations to harden environments against Kerberoasting attacks include –
- Using Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever possible
- Securing service accounts by setting randomly generated, long passwords that are at least 14 characters long
- Making sure all service accounts are configured to use AES (128 and 256 bit) for Kerberos service ticket encryption
- Auditing user accounts with Service Principal Names (SPNs)
However, Wyden wrote that Microsoft’s software does not enforce a 14-character password length for privileged accounts, and that the company’s continued support for the insecure RC4 encryption technology “needlessly exposes” its customers to ransomware and other cyber threats by allowing attackers to crack the passwords of privileged accounts.
When reached for comment, Microsoft shared the below statement with The Hacker News –
RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than 0.1% of our traffic. However, disabling its use completely would break many customer systems. For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use. We’ve engaged with The Senator’s office on this issue and will continue to listen and answer questions from them or others in government.
The company noted that any new installations of Active Directory Domains using Windows Server 2025 will have RC4 disabled by default starting Q1 of 2026, adding new domains will inherently be protected against attacks relying on RC4 weaknesses. It also said it plans to include additional mitigations for existing in-market deployments keeping compatibility and continuity of critical customer services in mind.
This is not the first time the Windows maker has been blasted for its cybersecurity practices. In a report released last year, U.S. Cyber Safety Review Board (CSRB) lambasted the company for a series of avoidable errors that could have prevented Chinese threat actors known as Storm-0558 from compromising the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world.
“Ultimately, Microsoft’s abysmal cybersecurity track record has had no impact on its lucrative federal contracts thanks to its dominant market position and inaction by government agencies in the face of the company’s string of security failures,” Wyden’s office argued.
“The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design,” Ensar Seker, CISO at SOCRadar, said. “It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences.”
“Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered.”
(The story was updated after publication to include a response from Microsoft.)
