
US Senator Ron Wyden has urged the Federal Trade Commission to launch an investigation into Microsoft for what he describes as “gross cybersecurity negligence” that enabled a devastating ransomware attack against Ascension Health and continues to pose a systemic risk to US national security.
The complaint centers on Microsoft's failure to disable outdated cryptographic defaults in Active Directory, which allowed hackers to exploit a decade-old attack vector known as Kerberoasting.
According to Wyden's letter, sent to the FTC, the ransomware incident began in February 2024, when a contractor using a Microsoft Edge browser clicked on a malicious link in a Bing search result. The malware downloaded at that moment allowed attackers to infiltrate Ascension Health's network, escalate privileges via Microsoft's Active Directory, and ultimately deploy ransomware across thousands of machines. The attackers also exfiltrated the personal data of 5.6 million patients.
The critical pivot point in the breach was the attackers' use of Kerberoasting, a well-documented attack method that takes advantage of Microsoft's continued support for RC4, a deprecated encryption algorithm introduced in the 1980s. Though RC4 has been widely criticized by security experts, including Microsoft's own, and replaced by stronger options like AES (Advanced Encryption Standard), Microsoft has yet to make AES the default in its Windows configuration.
Kerberoasting targets service account tickets issued by Microsoft's Kerberos authentication protocol within Active Directory. Any authenticated domain user can request a service ticket, and that ticket is encrypted with a key derived from the service account's password. If the service account is protected by a weak, human-generated password and the ticket is encrypted with RC4, attackers can take the tickets offline and brute-force the password in minutes using GPU hardware. In contrast, tickets encrypted using AES and derived from long, random passwords are much harder to crack.
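The detection side of what this paragraph describes, written here as an added example rather than anything from Wyden's letter or Microsoft's guidance: it scans Windows Security event 4769 (Kerberos service ticket request) records for RC4 or DES service tickets issued to human-managed service accounts and surfaces requesters that pulled several of them, which is the signature of a Kerberoasting sweep. The log lines are constructed and simplified to the relevant 4769 fields; the event format and the two-service threshold are assumptions, not a vendor specification.

```python
import re
from collections import defaultdict

# Kerberos encryption type codes as logged in the 4769 "Ticket Encryption Type" field.
ENC_TYPES = {
    0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {0x1, 0x3, 0x17, 0x18}  # crackable offline if the account password is weak

# Constructed sample (not real log data): one simplified 4769 record per line.
SAMPLE_EVENTS = """\
Account Name=jdoe@CORP.EXAMPLE; Service Name=svc_sql; Ticket Encryption Type=0x17; Client Address=::ffff:10.0.0.25
Account Name=jdoe@CORP.EXAMPLE; Service Name=svc_backup; Ticket Encryption Type=0x17; Client Address=::ffff:10.0.0.25
Account Name=jdoe@CORP.EXAMPLE; Service Name=svc_web; Ticket Encryption Type=0x17; Client Address=::ffff:10.0.0.25
Account Name=asmith@CORP.EXAMPLE; Service Name=svc_sql; Ticket Encryption Type=0x12; Client Address=::ffff:10.0.0.40
Account Name=asmith@CORP.EXAMPLE; Service Name=FILESRV01$; Ticket Encryption Type=0x17; Client Address=::ffff:10.0.0.40
Account Name=jdoe@CORP.EXAMPLE; Service Name=krbtgt; Ticket Encryption Type=0x17; Client Address=::ffff:10.0.0.25
"""

FIELD_RE = re.compile(r"(?P<key>[^=;]+)=(?P<value>[^;]*)")

def parse_event(line):
    """Turn one 'key=value; key=value' record into a dict, decoding the etype as an int."""
    fields = {m.group("key").strip(): m.group("value").strip() for m in FIELD_RE.finditer(line)}
    fields["etype"] = int(fields["Ticket Encryption Type"], 16)
    return fields

def is_roastable_request(ev):
    """Weak-cipher service ticket for a human-managed service account.
    Machine accounts (trailing '$') and krbtgt are excluded: their keys are long and
    random, so RC4 there is a hygiene finding rather than a password-cracking risk."""
    svc = ev["Service Name"]
    return ev["etype"] in WEAK_ETYPES and not svc.endswith("$") and svc.lower() != "krbtgt"

def kerberoast_candidates(log_text, threshold=2):
    """Requesters that obtained weak-cipher tickets for at least `threshold` distinct services."""
    services = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_roastable_request(ev):
            services[ev["Account Name"]].add(ev["Service Name"])
    return {acct: sorted(s) for acct, s in services.items() if len(s) >= threshold}

if __name__ == "__main__":
    for acct, svcs in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{acct}: {len(svcs)} RC4/DES service tickets -> {', '.join(svcs)}")
```

Accounts that legitimately need many service tickets (monitoring, backup) will show up too, so the threshold and the exclusion list are tuning points for the environment rather than fixed values.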
Ascension Health, a large non-profit healthcare provider operating in 19 US states, fell victim to this vulnerability due to insecure defaults in Microsoft's software. Once inside the network, attackers gained administrative access, disabled defenses, deployed ransomware, and stole sensitive data, all due to a default configuration Microsoft chose not to warn customers about.
Despite being notified by Senator Wyden's office during a July 2024 briefing, Microsoft delayed releasing any meaningful guidance or updates. The company published a blog post in October 2024 recommending mitigations, such as enforcing stronger passwords and disabling RC4, but stopped short of automatically applying safer defaults or issuing a comprehensive warning to customers. As of September 2025, nearly a year later, Microsoft has not yet delivered the promised security update to disable RC4 system-wide.
Wyden's letter sharply criticizes this inaction, describing Microsoft's approach as “akin to an arsonist selling firefighting services to their victims.” He notes that Microsoft profits from selling security add-ons to mitigate vulnerabilities it created, all while maintaining a near-monopoly on enterprise operating systems. This, Wyden warns, places both public and private institutions in a precarious position, unable to abandon Microsoft software even after serious breaches.
The issue has not gone unnoticed by the broader cybersecurity community. Agencies such as CISA, the NSA, and international partners have repeatedly issued alerts warning about Kerberoasting and urging organizations to disable RC4. In contrast, Microsoft's response has been quiet, technically dense, and insufficiently publicized, failing to reach non-technical executives or IT decision-makers in high-risk sectors like healthcare.
The FTC has yet to respond publicly to Wyden's request, but the senator makes clear that Microsoft's persistent support for outdated, insecure cryptographic defaults and its reluctance to force necessary upgrades constitute a national security risk. He calls on regulators to hold the company accountable and investigate whether its software practices violate consumer protection laws.