
Sen. Wyden Demands FTC Probe Into Ascension Ransomware Attack

Summary

– US Senator Ron Wyden has called for an FTC investigation into Microsoft’s cybersecurity lapses related to ransomware attacks on critical infrastructure, including the 2024 Ascension hospital hack.
– The breach began when a contractor clicked a malicious Bing search result link, which infected their laptop with malware.
– Attackers exploited Microsoft’s default settings and outdated RC4 encryption support to gain administrative access, exposing 5.6 million patients’ data.
– Wyden’s staff warned Microsoft about the vulnerability in July 2024, but nearly a year later no software update has been released and customers haven’t been directly warned.
– Wyden argues Microsoft’s negligent cybersecurity culture combined with its market dominance poses a serious national security threat and makes additional hacks inevitable.

The recent ransomware attack on Ascension, one of the nation’s largest healthcare networks, has prompted Senator Ron Wyden to formally request a Federal Trade Commission investigation into Microsoft’s cybersecurity practices. The incident, which compromised the personal information of 5.6 million patients, underscores growing concerns about the security of widely used enterprise software and its implications for critical infrastructure.

According to reports, the breach originated when a contractor unintentionally clicked a malicious link displayed in a Bing search result, infecting their device with malware. Attackers then exploited default configurations in Microsoft’s software to gain administrative privileges across Ascension’s network. A technique called “Kerberoasting” was used, taking advantage of Microsoft’s continued support for the outdated RC4 encryption protocol. Although a more secure encryption alternative exists, it is not enabled by default in the company’s systems.
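The Kerberoasting pattern described above leaves a trace defenders can look for: Windows Security Event ID 4769 ("A Kerberos service ticket was requested") records the ticket encryption type, and RC4-HMAC is logged as 0x17 while AES is 0x11/0x12. The following is an added example, not code from the article or from Microsoft or Ascension, that scans constructed 4769 log lines and flags accounts requesting RC4 service tickets for several different SPNs in a short window (the field names and sample values are assumptions for illustration).

```python
import re
from collections import defaultdict

# Kerberos encryption type codes as they appear in Event ID 4769.
RC4_HMAC = 0x17           # legacy RC4; ticket can be cracked offline
AES_TYPES = {0x11, 0x12}  # AES128 / AES256 CTS-HMAC-SHA1-96

# Constructed sample of 4769 events, reduced to the fields a SIEM would keep.
SAMPLE_4769 = """\
4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01 Client=10.0.0.5 EncType=0x12
4769 Account=alice@CORP.LOCAL Service=HTTP/intranet Client=10.0.0.5 EncType=0x12
4769 Account=contractor@CORP.LOCAL Service=MSSQLSvc/db01 Client=10.0.0.77 EncType=0x17
4769 Account=contractor@CORP.LOCAL Service=HTTP/intranet Client=10.0.0.77 EncType=0x17
4769 Account=contractor@CORP.LOCAL Service=CIFS/files Client=10.0.0.77 EncType=0x17
4769 Account=bob@CORP.LOCAL Service=krbtgt/CORP.LOCAL Client=10.0.0.9 EncType=0x17
"""

LINE_RE = re.compile(
    r"4769 Account=(?P<account>\S+) Service=(?P<service>\S+) "
    r"Client=(?P<client>\S+) EncType=(?P<enctype>0x[0-9a-fA-F]+)"
)

def parse_4769(text):
    """Yield one dict per well-formed 4769 line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["enctype"] = int(ev["enctype"], 16)
            yield ev

def find_rc4_bursts(text, min_services=2):
    """Return {account: sorted SPNs} for accounts that requested RC4 (0x17)
    service tickets for at least `min_services` distinct SPNs.
    One RC4 ticket may just be a legacy client; a burst across many SPNs
    from one account is the pattern worth triaging."""
    rc4_by_account = defaultdict(set)
    for ev in parse_4769(text):
        if ev["enctype"] != RC4_HMAC:
            continue
        if ev["service"].lower().startswith("krbtgt/"):
            continue  # TGT renewals are not service tickets for SPN accounts
        rc4_by_account[ev["account"]].add(ev["service"])
    return {a: sorted(s) for a, s in rc4_by_account.items() if len(s) >= min_services}

if __name__ == "__main__":
    for account, services in find_rc4_bursts(SAMPLE_4769).items():
        print(f"RC4 service-ticket burst from {account}: {services}")
```

In a real estate the same query belongs in the SIEM, and the durable fix is to move service accounts to AES-only keys so that no RC4 ticket can be issued for them in the first place.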

Staff from Senator Wyden’s office reportedly alerted Microsoft to this vulnerability in July 2024. The company published a blog post addressing the threat three months later and promised a software update. However, nearly a year has passed with no patch released, and Microsoft has not proactively warned its customers about the risk.

Microsoft’s dominant market position in operating systems grants it significant influence over default security settings, a fact that has drawn sharp criticism from Wyden. In a letter to the FTC, the senator emphasized that the company’s “culture of negligent cybersecurity,” combined with its near-monopoly in enterprise software, presents a serious national security threat. He warned that without meaningful intervention, further attacks are inevitable.

This is not the first time Wyden has pushed for accountability from Microsoft. Previous assessments, including one from the Cyber Safety Review Board, concluded that the company’s security culture is inadequate and in need of fundamental change. Despite repeated high-profile breaches, Microsoft continues to secure valuable government contracts.

Experts note that the issue extends beyond a single human error or outdated technology. Ensar Seker, CISO at cybersecurity firm SOCRadar, observed that the incident reflects systemic risk stemming from default configurations and the inherent complexity of large software ecosystems like Microsoft’s.

Ransomware attacks in the U.S. saw a sharp increase in 2024, with more than 5,000 incidents reported, a 15 percent rise from the previous year. Half of these attacks targeted American organizations, including hospitals, government agencies, and private companies. The disruption at Ascension illustrates the very real human consequences of insecure software, endangering patient care and exposing highly sensitive data.

Wyden’s appeal to the FTC emphasizes the urgency of holding Microsoft responsible for what he describes as systemic failures that threaten both public safety and national security.

(Source: Info Security)
