Wyden Urges FTC to Investigate Microsoft Over Weak RC4 Encryption Enabling Kerberoasting
Senator Ron Wyden has formally requested the Federal Trade Commission investigate Microsoft for cybersecurity negligence that has enabled ransomware attacks against critical infrastructure organizations nationwide.
In a September 10 letter to FTC Chair Andrew Ferguson, Wyden detailed how Microsoft’s dangerous software engineering decisions have made Windows systems extremely vulnerable to sophisticated cyberattacks.
The senator’s investigation centered on the 2024 ransomware attack against Ascension, one of America’s largest non-profit healthcare systems.
According to Wyden’s findings, the attack began when an Ascension contractor clicked on a malicious link while using Microsoft’s Bing search engine through the Edge browser.
This single action ultimately compromised thousands of computers across the healthcare network and exposed sensitive data belonging to 5.6 million patients.
Kerberoasting Technique Exploits Outdated RC4 Encryption
The hackers successfully employed a technique called Kerberoasting to escalate their privileges within Ascension’s Microsoft Active Directory server.
This attack method exploits Microsoft’s continued default support for RC4, an encryption algorithm dating back to the 1980s that federal agencies and cybersecurity experts have recognized as insecure for over a decade.
Despite Microsoft’s software supporting the Advanced Encryption Standard approved by the U.S. government, this superior encryption technology remains optional rather than required by default.
The vulnerability allows attackers who gain access to any computer on a corporate network to crack passwords of privileged administrator accounts, potentially leading to organization-wide ransomware infections.
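Detection logic for the pattern just described, added here as an illustration and not part of the senator’s letter or of Microsoft’s guidance: it scans Windows Security Event ID 4769 (“A Kerberos service ticket was requested”) records for one requester being issued many RC4 or DES service tickets, and lists the service accounts that should be moved to AES. The event records, account names, IPs and threshold are constructed assumptions; the field meanings and encryption type codes follow the 4769 event.

```python
"""Flag Kerberoasting-style activity in Windows Security Event ID 4769
("A Kerberos service ticket was requested") records.
All records below are constructed samples, not data from any real network."""
from collections import defaultdict

RC4_HMAC = 0x17                       # TicketEncryptionType code for RC4-HMAC
WEAK_ETYPES = {0x01, 0x03, RC4_HMAC}  # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC

# Constructed events: (requesting account, source IP, ServiceName, etype).
# ServiceName in 4769 is the service's account name, not its SPN string.
SAMPLE_4769 = [
    ("contractor01", "10.0.5.23", "svc-sql",    RC4_HMAC),
    ("contractor01", "10.0.5.23", "svc-web",    RC4_HMAC),
    ("contractor01", "10.0.5.23", "svc-backup", RC4_HMAC),
    ("contractor01", "10.0.5.23", "krbtgt",     0x12),      # routine AES
    ("alice",        "10.0.7.8",  "svc-sql",    0x12),      # AES: normal use
    ("WS042$",       "10.0.5.23", "FS01$",      RC4_HMAC),  # host-to-host
]


def is_roastable(service_name):
    """Machine accounts ($) use long random passwords and krbtgt is not a
    roasting target; only human-set service account passwords are crackable."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def weak_ticket_requests(events):
    """Group weak-etype tickets for roastable accounts by (requester, IP)."""
    hits = defaultdict(set)
    for requester, ip, service, etype in events:
        if etype in WEAK_ETYPES and is_roastable(service):
            hits[(requester, ip)].add(service)
    return hits


def kerberoast_alerts(events, threshold=3):
    """One principal pulling weak tickets for >= threshold distinct service
    accounts is the sweep pattern a roasting tool produces."""
    return [
        {"requester": r, "ip": ip, "services": sorted(s)}
        for (r, ip), s in weak_ticket_requests(events).items()
        if len(s) >= threshold
    ]


def rc4_issued_accounts(events):
    """Service accounts actually issued RC4 tickets: the ones whose
    msDS-SupportedEncryptionTypes should be moved to AES-only."""
    return sorted({svc for _, _, svc, et in events
                   if et == RC4_HMAC and is_roastable(svc)})
```

On the sample data, `kerberoast_alerts` flags only `contractor01` from 10.0.5.23, while the AES request from `alice` and the machine-to-machine RC4 ticket are ignored.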
Multiple U.S. cybersecurity agencies have issued warnings about Kerberoasting attacks.
The Cybersecurity and Infrastructure Security Agency published guidance for healthcare organizations in December 2023, while CISA, the FBI, and NSA issued joint warnings about Iranian cyber threats specifically mentioning Kerberoasting in October 2024.
Additionally, a comprehensive 68-page defense guide co-issued by CISA and NSA in September 2024 lists Kerberoasting as the primary threat against Microsoft Active Directory systems.
Wyden’s office contacted senior Microsoft officials in July 2024, urging the company to warn customers about Kerberoasting vulnerabilities.
While Microsoft published a technical blog post in October 2024 and promised a security update to disable RC4 encryption, the company has failed to deliver the promised update eleven months later.
The senator criticized Microsoft’s minimal effort to publicize the guidance, noting the technical blog post was buried on an obscure website section on a Friday afternoon without meaningful promotion.