Senator Calls for FTC Investigation into Microsoft’s Use of Outdated RC4 Encryption and Kerberoasting Vulnerabilities

Posted on September 11, 2025 by CWS

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to investigate Microsoft for what he terms “gross cybersecurity negligence,” accusing the tech giant of knowingly shipping its Windows operating system with a dangerously outdated form of encryption that has enabled devastating ransomware attacks on U.S. critical infrastructure, including major healthcare systems.

In a letter addressed to FTC Chair Andrew N. Ferguson on September 10, 2025, Senator Wyden argued that Microsoft’s insecure default settings have created fertile ground for cybercriminals, directly threatening U.S. national security.

The letter highlights a hacking technique called “Kerberoasting,” which exploits Microsoft’s continued support for RC4, an obsolete encryption technology developed in the 1980s.

While modern and secure encryption standards like the Advanced Encryption Standard (AES) are available, Microsoft has not made them the default requirement in its widely used Active Directory software.

The Ascension Ransomware Attack

The letter details a 2024 ransomware attack on Ascension, one of the largest non-profit health systems in the United States, as a prime example of Microsoft’s alleged failures.

The incident began when a contractor clicked on a malicious link from a Microsoft Bing search result, inadvertently downloading malware.

From this single entry point, hackers moved across Ascension’s network and used the Kerberoasting technique to exploit the weak RC4 encryption in the organization’s Microsoft Active Directory server.

This allowed them to gain administrative privileges, deploy ransomware across thousands of computers, and steal the sensitive data of 5.6 million patients.

The attack severely disrupted Ascension’s ability to provide patient care.

Senator Wyden’s office stated it had urged senior Microsoft officials in July 2024 to issue clear warnings about the threat posed by Kerberoasting.

In response, Microsoft published a highly technical blog post in October 2024, recommending mitigation steps and promising a future software update to disable the vulnerable RC4 encryption.

However, Wyden criticized the company’s disclosure as inadequate, noting it was posted on an obscure part of its website without meaningful publicity.

Furthermore, eleven months later, the promised security update has yet to be released, leaving countless organizations vulnerable.

The Senator pointed out the hypocrisy of Microsoft’s inaction, as U.S. cybersecurity agencies, including CISA, the FBI, and the NSA, have all issued public guidance specifically warning against Kerberoasting and advising the disabling of RC4 encryption.

A comprehensive guide from CISA and the NSA, authored by Australian national security agencies in September 2024, identified Kerberoasting as the top threat against Microsoft’s Active Directory software.

Wyden also referenced a Cyber Safety Review Board report that found Microsoft’s security culture “inadequate and requires an overhaul,” a finding that followed a major hack of U.S. government agencies by China in July 2023.

The Senator concluded by accusing Microsoft of profiting from its own insecure products by selling add-on cybersecurity services, comparing the company to “an arsonist selling firefighting services to their victims.”

He urged the FTC to take immediate action to hold Microsoft accountable for its monopolistic and negligent practices.
