U.S. Senator Ron Wyden on Wednesday urged the Federal Trade Commission to open an investigation into Microsoft, accusing the company of “gross cybersecurity negligence” that Wyden says has enabled ransomware attacks on U.S. critical infrastructure, including healthcare networks. In a four-page letter to FTC Chairman Andrew Ferguson, Wyden likened the company to an “arsonist selling firefighting services to their victims.”
The push follows new information from Ascension, a major healthcare system that suffered a crippling ransomware attack last year, resulting in the theft of personal and medical information tied to nearly 5.6 million individuals and disruption to electronic health records. The U.S. Department of Health and Human Services has characterized the breach as the third-largest healthcare-related incident of the past year, and it is listed as a major incident in the HHS Office for Civil Rights (OCR) breach report.
Wyden’s office said the breach occurred when a contractor clicked a malicious link after conducting a web search on Microsoft’s Bing search engine, allowing attackers to gain elevated access by exploiting dangerously insecure default settings in Microsoft software. The attackers allegedly used a technique known as Kerberoasting to extract encrypted service account credentials from Active Directory.
Kerberoasting takes advantage of an insecure encryption technology from the 1980s known as RC4, which is still supported by Microsoft software in default configurations. RC4 has long been criticized for cryptographic weaknesses. Microsoft acknowledged the risk and published guidance in October 2024 to help mitigate Kerberoasting, including plans to deprecate RC4 in future updates to Windows 11 24H2 and Windows Server 2025.
Microsoft has also moved to remove DES support in Kerberos for Windows Server 2025 and Windows 11, and has introduced security improvements in Server 2025 that prevent the Kerberos Key Distribution Center (KDC) from issuing ticket-granting tickets (TGTs) using RC4-based encryption, such as RC4-HMAC.
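The defensive side of the Kerberoasting passage above, as an added example that is not part of the article or of Microsoft's guidance: the first function flags accounts that obtained RC4- or DES-encrypted service tickets for several distinct services (the fan-out pattern Kerberoasting produces in Windows Security event 4769), and the second lists service accounts whose msDS-SupportedEncryptionTypes attribute still permits RC4. The 4769 records are constructed and flattened to key=value text; the account and service names are placeholders.

```python
import re
from collections import defaultdict

# Encryption type values as they appear in the "Ticket Encryption Type" field of
# Windows Security event 4769 ("A Kerberos service ticket was requested").
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

# Bit flag for RC4-HMAC in the msDS-SupportedEncryptionTypes attribute of an AD account.
SET_RC4_HMAC = 0x04

# Constructed sample 4769 records (not real logs), flattened to key=value text.
SAMPLE_4769 = [
    "EventID=4769 Account=jdoe@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12",
    "EventID=4769 Account=contractor1@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17",
    "EventID=4769 Account=contractor1@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17",
    "EventID=4769 Account=contractor1@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17",
    "EventID=4769 Account=jdoe@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12",
    "EventID=4769 Account=WS01$@CORP.EXAMPLE ServiceName=svc_print TicketEncryptionType=0x17",
]

_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_4769(line):
    """Parse one flattened 4769 record into a dict; returns None for other event IDs."""
    rec = dict(_FIELD.findall(line))
    if rec.get("EventID") != "4769":
        return None
    rec["TicketEncryptionType"] = int(rec["TicketEncryptionType"], 16)
    return rec

def kerberoast_suspects(lines, min_services=3):
    """Accounts that obtained RC4/DES service tickets for >= min_services distinct services.
    krbtgt tickets and computer accounts (names ending in '$') are ignored: a user account
    fanning weak-etype requests out across many services is the shape worth alerting on."""
    weak_by_account = defaultdict(set)
    for line in lines:
        rec = parse_4769(line)
        if rec is None or rec["ServiceName"] == "krbtgt":
            continue
        if rec["Account"].split("@")[0].endswith("$"):
            continue
        if rec["TicketEncryptionType"] in WEAK_ETYPES:
            weak_by_account[rec["Account"]].add(rec["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in weak_by_account.items() if len(svcs) >= min_services}

def accounts_allowing_rc4(accounts):
    """accounts maps sAMAccountName -> msDS-SupportedEncryptionTypes (int) or None.
    Returns names that can still be issued RC4 tickets: either the RC4 bit is set, or the
    attribute is unset/0 so the domain default applies, which still includes RC4 as noted above."""
    return sorted(name for name, value in accounts.items() if not value or value & SET_RC4_HMAC)
```

Accounts returned by the second function are the ones to move to AES-only encryption types (and, where the account is a service account, to long random or group-managed passwords) before RC4 is disabled domain-wide.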
Experts cautioned that the combination of insecure default configurations and a dominant vendor in the enterprise operating-system market creates systemic risk for national security. Security researchers quoted in the discussion stress the need for secure-by-default designs and stronger password policies for privileged accounts.