A senior lawmaker is calling on federal regulators to take a hard look at Microsoft’s enterprise security practices in the wake of what he called “gross cybersecurity negligence” that led to a ransomware attack crippling care across the nonprofit Ascension health system. In a letter to the Federal Trade Commission, Senator Ron Wyden called for an investigation into whether Microsoft shipped products that were not secure by default and gave customers insufficient warning of known risks.
The Ascension breach compromised personal and health data for an estimated 5.6 million individuals and spread from one contractor’s laptop into key systems. Wyden contends that the blast radius was widened by weaknesses in Microsoft’s identity stack, specifically legacy cryptography that was still supported in widely used Active Directory environments.

Kerberoasting and RC4 in the Middle
Researchers connected the attack’s privilege escalation to so-called Kerberoasting, a long-known technique against Microsoft Active Directory that targets its Kerberos service accounts. If those accounts are protected with weak or legacy encryption, attackers can request service tickets for them and crack the tickets offline to recover the account passwords, turning an ordinary foothold into a path to domain-wide takeover.
Wyden blames Microsoft for enabling support for the 1980s-era RC4 cipher by default in Kerberos across numerous domains. Standards bodies such as NIST deprecated RC4 because of its cryptographic weaknesses, but it remains available for compatibility. Microsoft’s guidance instead tells customers to use longer, more complex passwords, and the company does not enforce strong defaults on privileged accounts, leaving that critical task to already overloaded IT professionals.
Security teams have been sounding the alarm on this attack path for years. MITRE maps the technique to ATT&CK sub-technique T1558.003 (Kerberoasting), and CISA has emphasized hardening Active Directory to help prevent ransomware: “Disabling RC4, using AES for encryption and having long random service account passwords.”
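The pattern behind T1558.003 is visible on domain controllers as a burst of Kerberos service ticket requests (Security event 4769) with the RC4 encryption type from a single user account. The script below is an added example written for this article, not code from Microsoft, CISA or MITRE; the event records in it are constructed sample data shaped like the fields of a 4769 event, and the names, addresses and the alert threshold are assumptions. In production the same function would be fed records collected with Get-WinEvent on each domain controller.

```powershell
# Added example (not from the article or from Microsoft/CISA/MITRE):
# flag the Kerberoasting pattern tracked as ATT&CK T1558.003, i.e. one user
# account pulling RC4-encrypted (etype 0x17) service tickets for many SPNs.
# $sampleEvents is CONSTRUCTED to mirror Security event 4769 fields; real
# records come from each DC via
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 }
# mapped onto the same property names.

$sampleEvents = @(
    # Normal user fetching one AES256 ticket for a file server: benign.
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:00:01'; TargetUserName = 'asmith@CORP.EXAMPLE'; ServiceName = 'FS01$';         TicketEncryptionType = '0x12'; IpAddress = '10.10.1.20' }
    # Workstation account renewing its own ticket: benign, excluded as a computer account.
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:00:05'; TargetUserName = 'WS22$@CORP.EXAMPLE'; ServiceName = 'krbtgt';        TicketEncryptionType = '0x12'; IpAddress = '10.10.1.22' }
    # One legacy app still negotiating RC4 for a single service: a hardening finding, not an attack.
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:00:30'; TargetUserName = 'mjones@CORP.EXAMPLE'; ServiceName = 'svc_legacyapp'; TicketEncryptionType = '0x17'; IpAddress = '10.10.2.40' }
    # One user requesting RC4 tickets for six different service accounts within two seconds.
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:01:10'; TargetUserName = 'jdoe@CORP.EXAMPLE';   ServiceName = 'svc_sql';       TicketEncryptionType = '0x17'; IpAddress = '10.10.5.77' }
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:01:10'; TargetUserName = 'jdoe@CORP.EXAMPLE';   ServiceName = 'svc_web';       TicketEncryptionType = '0x17'; IpAddress = '10.10.5.77' }
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:01:11'; TargetUserName = 'jdoe@CORP.EXAMPLE';   ServiceName = 'svc_backup';    TicketEncryptionType = '0x17'; IpAddress = '10.10.5.77' }
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:01:11'; TargetUserName = 'jdoe@CORP.EXAMPLE';   ServiceName = 'svc_sharepoint';TicketEncryptionType = '0x17'; IpAddress = '10.10.5.77' }
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:01:12'; TargetUserName = 'jdoe@CORP.EXAMPLE';   ServiceName = 'svc_exchange';  TicketEncryptionType = '0x17'; IpAddress = '10.10.5.77' }
    [pscustomobject]@{ TimeCreated = '2024-05-08T09:01:12'; TargetUserName = 'jdoe@CORP.EXAMPLE';   ServiceName = 'svc_monitor';   TicketEncryptionType = '0x17'; IpAddress = '10.10.5.77' }
)

function Find-KerberoastPattern {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Distinct service accounts one principal may request with RC4 before we alert (assumed threshold).
        [int]$DistinctServiceThreshold = 5
    )
    # Keep RC4 service-ticket requests made by non-computer accounts for service
    # accounts that are neither computers (name ends in $) nor the KDC itself.
    $rc4Requests = $Events | Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and
        $_.TargetUserName -notmatch '\$(@|$)' -and
        $_.ServiceName -notmatch '\$$' -and
        $_.ServiceName -ne 'krbtgt'
    }
    foreach ($group in ($rc4Requests | Group-Object -Property TargetUserName)) {
        $services = @($group.Group.ServiceName | Sort-Object -Unique)
        $times    = @($group.Group.TimeCreated | ForEach-Object { [datetime]$_ } | Sort-Object)
        [pscustomobject]@{
            Requester        = $group.Name
            Rc4Requests      = $group.Count
            DistinctServices = $services.Count
            WindowSeconds    = [int]($times[-1] - $times[0]).TotalSeconds
            SourceIPs        = (@($group.Group.IpAddress | Sort-Object -Unique) -join ', ')
            Suspicious       = ($services.Count -ge $DistinctServiceThreshold)
        }
    }
}

Find-KerberoastPattern -Events $sampleEvents | Format-Table -AutoSize
```

Run against the constructed records, the AES request and the computer account drop out, mjones appears with a single RC4 request marked not suspicious (worth a hardening ticket, since that service account evidently still accepts RC4), and jdoe is flagged for six distinct service accounts within two seconds. Tune the threshold to your environment; a low count of RC4 tickets is noise until RC4 is actually disabled, at which point any 0x17 request becomes interesting on its own.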
Microsoft’s Response and Roadmap
Microsoft says it is working toward deprecating RC4 in Kerberos, but warns that a hard cutoff could break systems that still rely on it. New Active Directory deployments on the latest server release (that is, Windows Server vNext) do not enable RC4 by default, and new mitigations are being introduced for existing in-market environments to balance security against service availability.
After discussions with congressional staff, Microsoft released guidance on Kerberoasting and signaled its intention to deprecate RC4 and to make safer defaults more prominent. Wyden says those promised changes have been slow in coming and that a low-profile advisory left many organizations unaware that they had not applied urgent configuration steps. Microsoft says it has communicated with the senator’s office and will remain in consultation with government officials.
Why the FTC Is Being Brought In
The FTC has long been able to bring actions against companies for unfair or deceptive practices, and security failures that expose consumers to undue risk can fall under that statute. Wyden’s letter essentially asks the agency to consider whether Microsoft’s defaults, and its disclosure of risks around legacy encryption, identity hardening and ransomware pathways, meet that bar for enterprise software that underpins hospitals, government agencies and critical infrastructure.
Regulatory pressure has been building. The federal Cyber Safety Review Board delivered a scathing verdict on Microsoft’s culture of security, transparency and engineering rigor after recent nation-state intrusions. That backdrop makes an FTC review more plausible, particularly given the real-world damage done when identity systems are breached in healthcare settings.
Healthcare Stakes and Scale
Ransomware in health care is not a theoretical risk; it delays surgeries, interrupts pharmacy work and sends clinicians back to pen and paper. The Ascension episode is one of the largest recent examples, affecting millions of patients and care networks across multiple states.
Hospitals rely heavily on Microsoft’s identity and collaboration technology, so misconfigurations or risky cryptographic defaults can become systemic vulnerabilities. HHS and CISA have issued repeated alerts naming identity attacks—phishing, token theft, and Kerberos abuse—as one of the most frequent early stages of healthcare ransomware.
What Security Teams Can Do Now
As regulators argue about who will be held to account, defenders can reduce their exposure quickly. Disabling RC4 for Kerberos where feasible and enforcing AES-based encryption closes one of the primary roads to a Kerberoast. Service account passwords should also be rotated and lengthened (ideally to 24 characters or more), stored in a vault and updated automatically, which raises the cost of offline cracking.
Organizations should use Group Managed Service Accounts (gMSAs), so that administrators never type or choose service account passwords. Pairing gMSAs with strict privileged access management (PAM) controls and log monitoring for abnormal ticket requests, including “golden ticket” activity, takes the human out of password handling.
Rotating the KRBTGT account, segmenting domain controllers and enforcing phishing-resistant MFA are additional defenses against lateral movement.
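The hardening steps above map onto a handful of Active Directory operations: find every enabled user account that carries an SPN and still allows RC4, restrict those accounts to AES and reset their passwords so fresh AES keys are derived, and replace password-bearing service accounts with gMSAs whose passwords AD rotates on its own. The script below is an added example written for this article, not Microsoft’s or CISA’s own tooling. It assumes the RSAT ActiveDirectory module, Domain Admin rights and a lab domain; the account, host and DNS names (svc_sql, WEB01, gmsa-web.corp.example) are placeholders, and the vault hand-off of the generated password is left to your own deployment.

```powershell
# Added example for this article, not guidance or code from Microsoft or CISA.
# Audits AD for Kerberoastable service accounts and applies AES-only Kerberos,
# long rotated passwords, and gMSA migration. Assumes the RSAT ActiveDirectory
# module and Domain Admin rights in a lab domain; all names are placeholders.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags:
# 0x4 = RC4-HMAC, 0x8 = AES128-CTS-HMAC-SHA1-96, 0x10 = AES256-CTS-HMAC-SHA1-96.
$RC4_FLAG = 0x4
$AES_ONLY = 0x18   # AES128 + AES256, RC4 bit clear

function Get-KerberoastableAccounts {
    # Any enabled user with an SPN can be asked for a service ticket. The risky
    # ones still allow RC4 (bit set) or leave the attribute unset, in which case
    # the domain default applies and RC4 is still offered.
    Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
               -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
        ForEach-Object {
            $enc = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SpnCount        = @($_.ServicePrincipalName).Count
                EncTypes        = if ($null -eq $enc) { 'unset' } else { '0x{0:X}' -f $enc }
                AllowsRC4       = ($null -eq $enc) -or (($enc -band $RC4_FLAG) -ne 0)
                PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }
            }
        }
}

function New-ServiceAccountPassword {
    param([int]$Length = 32)
    # 64-symbol alphabet so "random byte modulo 64" picks each symbol uniformly.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Protect-ServiceAccount {
    # Restricts the account to AES and resets its password: AES keys are derived
    # at password-set time, so an old password may have no AES key at all.
    # Coordinate with the service owner first; anything still configured with
    # the old password stops authenticating. Hand $plain to your vault here.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set AES-only Kerberos and rotate password')) {
            Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AES_ONLY }
            $plain  = New-ServiceAccountPassword
            $secure = ConvertTo-SecureString $plain -AsPlainText -Force
            Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
        }
    }
}

function New-GmsaReplacement {
    # Creates a gMSA (AD-managed 240-byte password, rotated automatically) that
    # only the listed hosts may retrieve, as the replacement for a password-
    # bearing service account. Add-KdsRootKey is a one-time forest prerequisite;
    # backdating it makes it usable immediately in a lab instead of after 10 hours.
    param(
        [string]$Name         = 'gmsa-web',                 # placeholder
        [string]$DnsHostName  = 'gmsa-web.corp.example',    # placeholder
        [string[]]$AllowedHosts = @('WEB01$')               # placeholder computer account
    )
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
    }
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts `
        -KerberosEncryptionType AES128, AES256
}

# KRBTGT rotation is two resets of the krbtgt account separated by a full
# replication interval; it is deliberately not scripted here.

# Usage (dry run first):
#   Get-KerberoastableAccounts | Where-Object { $_.AllowsRC4 } | Format-Table -AutoSize
#   Get-KerberoastableAccounts | Where-Object { $_.AllowsRC4 } | Protect-ServiceAccount -WhatIf
#   New-GmsaReplacement -AllowedHosts 'WEB01$'
```

The audit deliberately treats an unset msDS-SupportedEncryptionTypes as “allows RC4”, since the domain default still offers RC4 unless it has been changed; PasswordAgeDays surfaces the accounts whose keys predate AES and most need a reset. Protect-ServiceAccount supports -WhatIf so the change list can be reviewed with service owners before anything is modified.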
The larger issue is whether secure-by-default settings—especially those governing cryptography and identity—should be optional or required in products that form the foundation of critical infrastructure. Wyden has called for the FTC to weigh in. Hospitals and other high-risk operators can measure the cost of waiting not only in incident response hours but also, more importantly, in patient safety.