In a detailed plea to the Federal Trade Commission, U.S. Senator Ron Wyden has called for an investigation into Microsoft's cybersecurity practices, highlighting what he perceives as serious lapses leading to ransomware attacks against critical U.S. infrastructure. This comes in light of fresh revelations from a security breach at the healthcare provider Ascension, which were recently uncovered by Wyden’s office. The breach, attributed to the ransomware group Black Basta, severely disrupted operations by compromising electronic health records.
The senator's concerns stem from the manner in which the breach occurred. It began with a contractor inadvertently clicking a malicious link while using Microsoft's Bing search engine. This action unleashed malware onto the system, which was subsequently exploited due to insecure default settings in Microsoft's software. The attackers leveraged a technique known as Kerberoasting, which took advantage of legacy encryption protocols like RC4 that were still enabled by default in some configurations.
Legacy Encryption Issues
Kerberoasting specifically exploited vulnerabilities in older encryption methods, notably RC4, a stream cipher known for its weaknesses. Despite awareness among security professionals of RC4's risks, it remained active in default configurations. While Microsoft has committed to removing DES for Kerberos and disabling RC4 by default in upcoming updates for its systems, the timeline for these updates raises concerns.
Microsoft has faced criticism for its handling of these vulnerabilities. Although it issued an alert in October 2024 about the forthcoming changes for Windows 11 24H2 and Windows Server 2025, Wyden argues that the company should have implemented these measures sooner. The senator's letter to the FTC pointedly criticizes Microsoft's decision to not enforcing longer, more secure passwords for privileged accounts, which leaves customers unnecessarily vulnerable to cyber threats.
Further recommendations from Microsoft included the use of Group Managed Service Accounts to manage passwords securely, configuring AES (128/256-bit) for Kerberos service ticket encryption, and conducting audits on accounts with Service Principal Names. Nevertheless, Wyden insists that Microsoft's continued allowance of insecure default settings represents a systemic risk that needs urgent addressing.
This call for investigation is not Microsoft's first brush with security-related criticisms. Past reports, including those from the U.S. Cyber Safety Review Board, have faulted the tech giant for security missteps, such as those leading to the Storm-0558 compromise. Security experts note that the lack of a secure-by-default design in such a widely used software vendor underscores a bigger issue within the industry.
As these debates unfold, Microsoft is now under increased scrutiny to demonstrate a commitment to security that matches its technological dominance. While the company promises improvements, the urgency of cybersecurity in safeguarding vital infrastructures cannot be overstated, making this a pressing issue for regulators and industry leaders alike.
