A fresh firestorm has erupted over Microsoft’s handling of cybersecurity risks, with U.S. Senator Ron Wyden (D-OR) calling on the Federal Trade Commission (FTC) to investigate the company for what he described as “gross cybersecurity negligence” that enabled ransomware attacks on critical infrastructure, including healthcare providers.
In a letter sent to FTC Chair Andrew Ferguson on Wednesday, Wyden accused Microsoft of shipping insecure software defaults that leave hospitals, government agencies and corporations vulnerable to hacking techniques like Kerberoasting. He pointed to the 2024 ransomware attack against Ascension, one of the largest nonprofit health systems in the United States, as a prime example.
According to Wyden’s office, the Ascension breach began when a contractor clicked on a malicious link in Bing search results while using Microsoft’s Edge browser. The incident quickly escalated as attackers leveraged Microsoft Active Directory, a core identity system, to gain administrative privileges, deploy ransomware across thousands of machines and exfiltrate data from 5.6 million patients.
Also read: Single Click, Big Disruption: Employee Download Triggers Ascension Cyberattack
“The hackers exploited a technique called Kerberoasting,” Wyden wrote, describing how attackers abused Microsoft’s continued default support for RC4, a decades-old and widely discredited encryption algorithm. Despite warnings from federal agencies and its own experts, Microsoft still has not disabled RC4 by default. Instead, the company requires administrators to manually enforce stronger standards such as AES encryption and long passwords.
A Known Threat, Little Action
Kerberoasting works by cracking weakly encrypted service account credentials in Active Directory, allowing attackers to escalate privileges rapidly. Agencies including CISA, the FBI, and NSA have repeatedly urged organizations to disable RC4, with guidance published as recently as late 2024. But Wyden says Microsoft has dragged its feet:
-
His staff asked Microsoft in mid-2024 to issue clear warnings and provide an update disabling RC4.
-
Microsoft eventually posted a blog in October 2024 with mitigation steps, but it was buried in a technical corner of the website and received little visibility.
-
Nearly a year later, the promised patch has yet to arrive.
“Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual clicking on the wrong link can result in an organization-wide ransomware infection,” Wyden wrote.
Also read: Microsoft’s Very Bad Day: Congress Members Express ‘Shock’ at Lax Security
A Pattern of Security Failures
The letter also referenced a series of high-profile Microsoft-linked security lapses. In 2023, Chinese state-backed hackers exploited Microsoft cloud vulnerabilities to breach U.S. government email accounts, leading the Cyber Safety Review Board to declare the company’s “security culture inadequate.” Just months ago, another flaw in Microsoft’s SharePoint software was reportedly abused by Beijing-linked groups.
Read: Chinese Hackers Now Exploiting SharePoint Zero-Days to Deploy Warlock Ransomware: MSFT
Wyden framed Microsoft’s approach as a business model problem. The company profits not by delivering secure software, but by upselling customers on premium security add-ons after they’ve been exposed. “Microsoft has become like an arsonist selling firefighting services to their victims,” he remarked.
A Monopoly Problem Meets National Security
Wyden’s argument is rooted in Microsoft’s dominance. With Windows and Active Directory entrenched in enterprises worldwide, customers have little choice but to rely on Microsoft’s defaults—even if those defaults expose them to ransomware. The senator urged the FTC to step in, citing its mandate to curb unfair business practices and deceptive conduct.
National security agencies have echoed his concerns. A September 2024 joint guide from CISA, NSA, and Australian security authorities devoted significant focus to defending against Active Directory exploitation, naming Kerberoasting as the top threat. Yet despite the mounting warnings, Wyden argues Microsoft has resisted meaningful fixes.
The 2024 attack disrupted hospital operations across multiple states, delaying treatments and threatening lives.
Read: Ascension Healthcare Hit by Cyberattack: Patients Wait Hours, Chaos Ensues
Ransomware attacks in the U.S. rose 15% last year, with healthcare and critical infrastructure repeatedly in the crosshairs. By continuing to support outdated encryption defaults, Wyden argued, Microsoft is amplifying systemic risk.
“Without timely action, Microsoft’s culture of negligent cybersecurity … poses a serious national security threat and makes additional hacks inevitable,” he warned.
