US Senator Ron Wyden, D-Ore., on Wednesday sent a letter to the Federal Trade Commission (FTC), urging it to investigate Microsoft's cybersecurity practices and hold it accountable for gross negligence.
Microsoft's security lapses, the senator says, have led to ransomware attacks on critical infrastructure organizations, including healthcare entities, putting patient care at risk and threatening national security.
In his letter (PDF) to FTC Chairman Andrew Ferguson, Senator Wyden argues that Windows, the widely used operating system over which Microsoft holds a monopoly, is "highly vulnerable to ransomware infections" in its default configuration.
According to the letter, Microsoft has made "dangerous software engineering decisions" that were largely hidden from corporate and government customers. These lapses can lead to an organization-wide ransomware infection if a single individual clicks on a malicious link.
That is exactly what happened in May 2024, when healthcare giant Ascension was hacked, the senator's staff learned: a contractor clicked on a malicious link in Bing search results and infected their laptop with malware.
This allowed the hackers to move laterally into Ascension's network, gain administrative privileges on the Active Directory (AD) server, and push ransomware to thousands of systems within the organization, causing massive disruptions. The attackers also stole the personal information of 5.6 million people.
"The FTC's mission to protect Americans from deceptive and unfair business practices and promote fair competition obligates the agency to investigate Microsoft's negligence in a market where its dominance has profound, foundational influence on cybersecurity practices and to hold the company accountable for its shortcomings," the senator says.
The senator's letter also reveals that access to Ascension's AD server was obtained through Kerberoasting, an attack technique targeting the Kerberos authentication protocol to steal credentials, which is possible because Microsoft continues to support the decades-old RC4 encryption algorithm.
"Microsoft's continued support for the ancient, insecure RC4 encryption technology needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators," Senator Wyden says.
In October 2024, after being contacted by the senator's staff in July, Microsoft published a technical blog about Kerberoasting, noting it would deprecate RC4, but failed to clearly warn customers that they remain exposed to the attack technique unless they change default settings in AD, the letter reads.
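The two defensive checks a practitioner would want after reading the Kerberoasting and RC4-default passages above are (1) which SPN-bearing service accounts still permit RC4 through the msDS-SupportedEncryptionTypes attribute (an unset attribute keeps the Windows default, which includes RC4) and (2) which Kerberos service-ticket requests in Security event 4769 were issued with RC4 (encryption type 0x17). The example below is added here and is not code from the article, the senator's letter or Microsoft; the account records and 4769 fields are constructed samples, and the krbtgt/machine-account exclusion is a common noise filter, not a Microsoft rule.

```python
from dataclasses import dataclass, field

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
ETYPE_BITS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
              0x8: "AES128", 0x10: "AES256"}
RC4_BIT = 0x4

def supported_etypes(value):
    """Decode the bitmask. 0/None (attribute unset) keeps the Windows default,
    which still includes RC4: this is the default the letter criticises."""
    if not value:
        return ["RC4-HMAC (default, attribute unset)"]
    return [name for bit, name in ETYPE_BITS.items() if value & bit]

@dataclass
class Account:
    sam: str
    spns: list = field(default_factory=list)
    enc_types: int = 0        # msDS-SupportedEncryptionTypes, 0 = unset

def rc4_exposed_service_accounts(accounts):
    """SPN-bearing accounts for which the KDC may still issue RC4 tickets."""
    return [a.sam for a in accounts
            if a.spns and (not a.enc_types or a.enc_types & RC4_BIT)]

# Constructed sample: one AES-only account, one left at defaults, one non-service.
SAMPLE_ACCOUNTS = [
    Account("svc_sql", ["MSSQLSvc/db01.corp.example:1433"], 0x18),  # AES128|AES256
    Account("svc_legacy", ["HTTP/app01.corp.example"], 0),          # defaults
    Account("jdoe", [], 0),                                           # no SPN
]

# Constructed 4769 records (fields as parsed out of the event XML).
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128.
SAMPLE_4769 = [
    {"TargetUserName": "jdoe@CORP", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "jdoe@CORP", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "jdoe@CORP", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "jdoe@CORP", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
]

def rc4_tgs_requests(events):
    """Service names of RC4 service-ticket requests for user service accounts.
    krbtgt and machine accounts (trailing $) are excluded to cut routine noise."""
    return [e["ServiceName"] for e in events
            if e["TicketEncryptionType"].lower() == "0x17"
            and e["ServiceName"] != "krbtgt"
            and not e["ServiceName"].endswith("$")]
```

In a real environment the account list would come from a directory query for accounts with a populated servicePrincipalName, and the 4769 records from the domain controllers' Security logs.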
The Ascension hack and Kerberoasting, Senator Wyden notes, are only examples in a long list of issues caused by Microsoft's cybersecurity negligence. The Chinese exploitation of SharePoint zero-days disclosed in July is another example.
Senator Wyden also points out that this isn't the first time Microsoft's cybersecurity lapses have surfaced. A Cyber Safety Review Board (CSRB) review of the 2023 Microsoft Exchange Online hack found that the intrusion was the result of avoidable errors by Microsoft.
Furthermore, the letter points out that, instead of integrating security into its software, Microsoft has built a multi-billion-dollar business by selling cybersecurity add-on services.
"At this point, Microsoft has become like an arsonist selling firefighting services to their victims. And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company's software, even after they're hacked, because of Microsoft's near-monopoly over enterprise IT," the senator says.
Senator Wyden urges the FTC to probe Microsoft and hold it accountable for the serious harm it has caused through the insecure software delivered to US government and critical infrastructure entities, including healthcare organizations.
"Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable," the senator notes.
SecurityWeek has emailed Microsoft for a statement on the senator's letter and will update this article if the company responds.
"The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design. What happened at Ascension isn't just about one bad click or an outdated cipher. It's about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft's. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences," SOCRadar CISO Ensar Seker said.
"Ultimately, this isn't about blaming one company. It's about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they're offered," Seker added.