U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting the agency to investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.
The Senator started the formal asking by saying that Microsoft should be held “responsible for its gross cybersecurity negligence, resulting in ransomware attacks against critical infrastructure, including U.S. health care organizations.”
The Senator highlights Microsoft’s prolonged failure to take decisive action to effectively mitigate well-documented security risks in its products, resulting in attacks such as the 2024 Ascension Health ransomware breach, which compromised data of 5.6 million patients.
The incident, which occurred in May 2024, unfolded when a contractor clicked a malicious Bing Search result in Microsoft Edge, allowing hackers to carry out a “Kerberoasting” attack.
Kerberos is a network authentication protocol that gives users and services access to network resources by verifying their identity without a password exchange.
Kerberoasting is a post-compromise technique that lets attackers steal encrypted service account credentials from Microsoft Active Directory.
It takes advantage of weak or easy-to-guess passwords, sometimes encrypted with the insecure and deprecated RC4 algorithm, that can be decrypted with readily available brute-force tools.
After decrypting the password, the attacker can use it to escalate privileges and move laterally on the compromised network, as in the case of the Ascension Health breach.
The Senator says his team spoke with Microsoft in July 2024, urging the tech giant to warn customers of the dangers of using RC4 instead of more robust options like AES 128/256, and to make the latter the default setting.
Microsoft responded with a blog post published in October, which the Senator said was highly technical and failed to clearly convey the warning to decision-makers within companies.
The RC4 encryption algorithm is still an option in Kerberos, despite being a weak cipher with vulnerabilities that allow recovering plaintext information.
It is worth noting that Microsoft pledged to strengthen security in its products. RC4 continues to be present in Kerberos to suport older systems that do not accept newer, safer algorithms.
Wyden explicitly frames Microsoft’s practices as a serious national security risk, expressing certainty that…
Click Here to Read the Full Original Article at BleepingComputer…