Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence

U.S. Senator Ron Wyden has urged the Federal Trade Commission (FTC) to investigate Microsoft, accusing the tech giant of “gross cybersecurity negligence” that has facilitated ransomware attacks on critical U.S. infrastructure, particularly targeting healthcare networks. In a detailed four-page letter to FTC Chairman Andrew Ferguson, Wyden expressed concern that Microsoft’s approach to cybersecurity, coupled with its dominant position in the enterprise operating system market, poses a significant national security risk, making future hacks almost inevitable. He likened Microsoft to an “arsonist selling firefighting services to their victims.”

Recent Developments in Cybersecurity Incidents

This call for scrutiny follows the senator’s office obtaining new information regarding a ransomware attack on the healthcare system Ascension, which occurred last year. This incident led to the theft of personal and medical data affecting approximately 5.6 million individuals and disrupted access to electronic health records. The attack was attributed to the Black Basta ransomware group and has been classified by the U.S. Department of Health and Human Services as the third-largest healthcare-related breach in the past year.

According to Wyden’s office, the breach was initiated when a contractor inadvertently clicked on a malicious link while searching on Microsoft’s Bing search engine, resulting in malware infection. The attackers exploited “dangerously insecure default settings” within Microsoft software to gain elevated access to Ascension’s sensitive network areas. They employed a method known as Kerberoasting, which targets the Kerberos authentication protocol to extract encrypted service account credentials from Active Directory.

Kerberoasting takes advantage of an outdated encryption technology, RC4, which Microsoft still supports in its default settings. Wyden’s office noted that this vulnerability could have been mitigated had Microsoft provided adequate warnings to its customers about the risks associated with RC4, especially as it relates to the Kerberos protocol.
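To make the Kerberoasting pattern described above concrete from the defender's side, here is an added example (not from the article, Wyden's office or Microsoft): a small detector over constructed Windows Security event 4769 records that flags an account requesting RC4-encrypted service tickets (encryption type 0x17) for many distinct SPNs within a short window. The simplified line format, account names, SPNs and thresholds are all constructed for the example; real 4769 events carry more fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged in the 4769 "Ticket Encryption Type" field.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1_96 = 0x11
AES256_CTS_HMAC_SHA1_96 = 0x12

# Constructed sample log: "timestamp,account,service_name,ticket_encryption_type".
SAMPLE_4769 = """\
2025-09-10T09:00:01,alice@CORP.LOCAL,HTTP/intranet,0x12
2025-09-10T09:00:05,svc-scanner@CORP.LOCAL,MSSQLSvc/db01:1433,0x17
2025-09-10T09:00:06,svc-scanner@CORP.LOCAL,HTTP/reports,0x17
2025-09-10T09:00:07,svc-scanner@CORP.LOCAL,CIFS/fileserver,0x17
2025-09-10T09:00:08,svc-scanner@CORP.LOCAL,MSSQLSvc/db02:1433,0x17
2025-09-10T09:00:09,svc-scanner@CORP.LOCAL,ldap/dc01,0x17
2025-09-10T09:30:00,bob@CORP.LOCAL,MSSQLSvc/db01:1433,0x17
"""

def parse_4769(text):
    """Parse the constructed CSV-like lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, spn, etype = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "spn": spn,
            "etype": int(etype, 16),
        })
    return events

def find_kerberoasting(events, window=timedelta(minutes=5), min_spns=4):
    """Return {account: max distinct SPNs} for accounts that requested RC4
    service tickets for at least min_spns distinct SPNs inside any sliding
    window of the given length. AES-only requesters are never flagged."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["etype"] == RC4_HMAC:
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            spns = {x["spn"] for x in evs[start:end + 1]}
            if len(spns) >= min_spns:
                flagged[account] = max(len(spns), flagged.get(account, 0))
    return flagged
```

A service account that is itself still configured for RC4 will produce 0x17 tickets for legitimate clients too, so the threshold should be tuned against a baseline of normal requesters rather than treated as proof on its own.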

RC4, developed in 1987, has long been criticized for its cryptographic weaknesses, leading to its prohibition in TLS by the Internet Engineering Task Force (IETF) in 2015. In response to the growing concerns, Microsoft announced plans to deprecate support for RC4 in future updates to Windows 11 and Windows Server.

Microsoft has since published an alert outlining protective measures for users, emphasizing the importance of strong password policies and the need to secure service accounts. However, Wyden pointed out that Microsoft’s software does not enforce a minimum password length of 14 characters for privileged accounts, thereby exposing customers to increased risks from cyber threats. The measures Microsoft recommends in the alert include:

  • Utilizing Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever feasible.
  • Securing service accounts with randomly generated, long passwords of at least 14 characters.
  • Ensuring all service accounts are configured to use AES (128 and 256 bit) for Kerberos service ticket encryption.
  • Conducting audits of user accounts with Service Principal Names (SPNs).

In a statement to The Hacker News, Microsoft acknowledged the outdated nature of RC4 and its efforts to discourage its use. The company emphasized that while it plans to gradually phase out RC4, completely disabling it could disrupt existing customer systems. New installations of Active Directory Domains using Windows Server 2025 will have RC4 disabled by default starting in Q1 of 2026, ensuring better protection against attacks that exploit RC4 vulnerabilities.

This incident is not an isolated case; Microsoft has faced criticism in the past regarding its cybersecurity practices. A report from the U.S. Cyber Safety Review Board (CSRB) highlighted a series of preventable errors that allowed Chinese threat actors, known as Storm-0558, to compromise Microsoft Exchange Online mailboxes across multiple organizations globally.

Wyden’s office argues that despite Microsoft’s troubled cybersecurity history, the company’s lucrative federal contracts remain unaffected, largely due to its dominant market position and a lack of action from government agencies in response to its security failures. The senator’s letter reflects a broader concern regarding the intersection of national security and the default configurations of major IT platforms, emphasizing the need for enterprises and public sector agencies to demand more secure designs and be prepared to adapt to evolving cybersecurity challenges.
