U.S. Senator accuses Microsoft of “gross cybersecurity negligence”
U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting the agency to investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.
The Senator started the formal asking by saying that Microsoft should be held "responsible for its gross cybersecurity negligence, resulting in ransomware attacks against critical infrastructure, including U.S. health care organizations."
The Senator highlights Microsoft’s prolonged failure to take decisive action to effectively mitigate well-documented security risks in its products, resulting in attacks such as the 2024 Ascension Health ransomware breach, which compromised data of 5.6 million patients.
The incident, which occurred in May 2024, unfolded when a contractor clicked a malicious Bing Search result in Microsoft Edge, allowing hackers to carry out a “Kerberoasting” attack.
Kerberos is a network authentication protocol that gives users and services access to network resources by verifying their identity without a password exchange.
Kerberoasting is a post-compromise technique that lets attackers steal encrypted service account credentials from Microsoft Active Directory.
It takes advantage of weak or easy-to-guess passwords, sometimes encrypted with the insecure and deprecated RC4 algorithm, that can be decrypted with readily available brute-force tools.
After decrypting the password, the attacker can use it to escalate privileges and move laterally on the compromised network, as in the case of the Ascension Health breach.
The Senator says his team spoke with Microsoft in July 2024, urging the tech giant to warn customers of the dangers of using RC4 instead of more robust options like AES 128/256, and to make the latter the default setting.
Microsoft responded with a blog post published in October, which the Senator said was highly technical and failed to clearly convey the warning to decision-makers within companies.
The RC4 encryption algorithm is still an option in Kerberos, despite being a weak cipher with vulnerabilities that allow recovering plaintext information.
It is worth noting that Microsoft pledged to strengthen security in its products. RC4 continues to be present in Kerberos to suport older systems that do not accept newer, safer algorithms.
Wyden explicitly frames Microsoft’s practices as a serious national security risk, expressing certainty that more high-impact incidents will occur unless the FTC intervenes.
“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable” - Senator Ron Wyden
BleepingComputer has contacted Microsoft with a request for a comment on this development, and a spokesperson sent us the following statement:
"RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic. However, disabling its use completely would break many customer systems."
The company is actively working to gradually remove the algorithm without creating any disruption to customers, and is warning against it as well as providing advice for using the algorithm "in the safest ways possible."
"We have it on our roadmap to ultimately disable its use. We’ve engaged with the Senator’s office on this issue and will continue to listen and answer questions from them or others in government," a Microsoft spokesperson told BleepingComputer.
The FTC has not publicly responded to Wyden’s request yet.
