
Senator Accuses Microsoft of “Gross Cybersecurity Negligence”

Summary

– Senator Ron Wyden has requested the FTC investigate Microsoft for inadequate product security that led to ransomware attacks on healthcare organizations.
– He specifically cited Microsoft’s negligence in mitigating security risks, using the Ascension Health breach that compromised 5.6 million patient records as an example.
– The breach occurred when a contractor clicked a malicious Bing result, enabling hackers to perform a Kerberoasting attack exploiting weak RC4 encryption.
– Wyden criticized Microsoft’s technical October blog post as insufficient for warning decision-makers and urged the company to default to stronger encryption such as AES.
– Microsoft acknowledges RC4’s risks but says its use is limited, stating that removing it outright would disrupt customer systems while it works on a gradual disablement plan.

A United States senator has formally called for a federal investigation into Microsoft’s cybersecurity practices, citing what he describes as a pattern of negligence that has left critical infrastructure vulnerable to attack. Senator Ron Wyden has urged the Federal Trade Commission to hold the tech giant accountable for security failures that contributed to ransomware incidents targeting healthcare providers and other essential services.

In a strongly worded letter, Wyden accused Microsoft of gross cybersecurity negligence, arguing that the company’s failure to address known vulnerabilities enabled hackers to infiltrate systems and compromise sensitive data. He pointed specifically to the May 2024 ransomware attack on Ascension Health, which exposed the personal information of 5.6 million patients. The breach began when a contractor clicked a malicious link in a Bing search result using Microsoft Edge, giving attackers an entry point into the network.

The intruders then employed a technique known as Kerberoasting, which exploits weaknesses in how the Kerberos authentication protocol is configured. Kerberos is designed to verify user identities without transmitting passwords, but when outdated encryption like RC4 is used, attackers can obtain and crack service account credentials. Using widely available password-cracking tools, hackers can recover weak passwords and gain broader access to systems, moving laterally through the network as occurred in the Ascension incident.
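The defensive counterpart to the attack described above is to watch for it in domain controller logs: a service ticket issued with RC4 (Windows Security Event ID 4769 with TicketEncryptionType 0x17) is the artefact a Kerberoasting run leaves, and a burst of such requests from one account for many services is its signature. The following script is an added example written for this article, not code from Microsoft, Bleeping Computer or the senator’s office. The event records it parses are constructed samples in a flat key=value form (field names follow the Windows 4769 schema; the account and service names are invented), and the burst threshold of three distinct services is an assumption to tune per environment.

```python
"""Flag Kerberos service-ticket requests (Windows Security Event ID 4769) issued
with RC4 (TicketEncryptionType 0x17), the artefact a Kerberoasting attempt leaves.
All sample data below is constructed for illustration, not real telemetry."""
import re
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23 (RC4-HMAC): ticket crackable offline with a password-guessing tool

# Constructed sample 4769/4768 records (hypothetical domain CORP.EXAMPLE).
SAMPLE_EVENTS = """\
2024-05-08T10:01:02Z EventID=4769 TargetUserName=contractor01@CORP.EXAMPLE ServiceName=FS01$ IpAddress=::ffff:10.20.30.40 TicketEncryptionType=0x12 Status=0x0
2024-05-08T10:02:10Z EventID=4769 TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_sql IpAddress=::ffff:10.20.30.40 TicketEncryptionType=0x17 Status=0x0
2024-05-08T10:02:11Z EventID=4769 TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_backup IpAddress=::ffff:10.20.30.40 TicketEncryptionType=0x17 Status=0x0
2024-05-08T10:02:11Z EventID=4769 TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_web IpAddress=::ffff:10.20.30.40 TicketEncryptionType=0x17 Status=0x0
2024-05-08T10:02:12Z EventID=4769 TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_reporting IpAddress=::ffff:10.20.30.40 TicketEncryptionType=0x17 Status=0x0
2024-05-08T10:15:00Z EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=svc_sql IpAddress=::ffff:10.20.30.55 TicketEncryptionType=0x12 Status=0x0
2024-05-08T10:16:00Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_legacy IpAddress=::ffff:10.20.30.56 TicketEncryptionType=0x17 Status=0x0
2024-05-08T10:16:30Z EventID=4768 TargetUserName=bob@CORP.EXAMPLE ServiceName=krbtgt IpAddress=::ffff:10.20.30.56 TicketEncryptionType=0x12 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one record into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    ev = dict(FIELD_RE.findall(rest))
    ev["timestamp"] = ts
    ev["etype"] = int(ev.get("TicketEncryptionType", "0"), 16)
    return ev


def rc4_service_tickets(events):
    """Successful 4769 events where a user service account's ticket was RC4-encrypted.
    Computer accounts (names ending in '$') carry long random passwords, so their RC4
    tickets are not realistically crackable and are skipped to reduce noise."""
    return [ev for ev in events
            if ev.get("EventID") == "4769"
            and ev["etype"] == RC4_HMAC
            and ev.get("Status") == "0x0"
            and not ev.get("ServiceName", "").endswith("$")]


def kerberoast_candidates(events, threshold=3):
    """Accounts that requested RC4 tickets for `threshold` or more distinct services.
    Bulk RC4 requests from one principal look like ticket harvesting; a lone RC4
    ticket more often means a legacy application and is only inventoried."""
    by_account = defaultdict(set)
    for ev in rc4_service_tickets(events):
        by_account[ev["TargetUserName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in by_account.items() if len(svcs) >= threshold}


def analyse(text=SAMPLE_EVENTS):
    """Return (all RC4 service-ticket events, accounts flagged for bulk requests)."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return rc4_service_tickets(events), kerberoast_candidates(events)


if __name__ == "__main__":
    rc4, suspects = analyse()
    still_rc4 = sorted({ev["ServiceName"] for ev in rc4})
    print(f"{len(rc4)} RC4 service tickets; service accounts still issued RC4: {still_rc4}")
    for acct, svcs in suspects.items():
        print(f"ALERT possible Kerberoasting by {acct}: {len(svcs)} RC4 tickets for {svcs}")
```

The two outputs serve different purposes: the flagged account is an incident-response lead, while the inventory of service accounts that still receive RC4 tickets is the remediation list for the AES-by-default change Wyden asked for, since each of those accounts needs its supported encryption types moved to AES and, where the password is weak, rotated.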

Wyden’s office raised concerns with Microsoft back in July, pressing the company to warn customers about the risks of relying on RC4 encryption and to adopt more secure alternatives like AES by default. Although Microsoft published a technical blog post in October addressing the issue, the senator criticized the communication as overly complex and ineffective at reaching corporate decision-makers.

While Microsoft has acknowledged that RC4 is an outdated and insecure algorithm, the company continues to support it for compatibility with legacy systems. A spokesperson emphasized that RC4 represents less than 0.1% of the company’s traffic and stated that abruptly disabling it could disrupt customer operations. Microsoft is instead working on a gradual phase-out and has committed to engaging with government officials on the matter.

Despite these assurances, Wyden remains unconvinced. He warned that without regulatory intervention, Microsoft’s dominant market position and perceived lax security culture represent a serious national security threat, making further high-impact cyber incidents inevitable. The FTC has not yet issued a public response to the senator’s request for an investigation.

(Source: Bleeping Computer)
