Senator Wyden Urges FTC to Investigate Microsoft Over Cybersecurity Lapses
U.S. Senator Ron Wyden has implored the Federal Trade Commission (FTC) to investigate Microsoft, citing what he describes as “outrageous cybersecurity negligence” that has facilitated ransomware attacks targeting the nation’s critical infrastructure, particularly healthcare networks.
In a comprehensive four-page letter addressed to FTC Chairman Andrew Ferguson, Wyden expressed grave concerns, asserting that Microsoft’s negligence, compounded by its dominance in the enterprise operating system market, constitutes a significant national security threat. He likened the company to “an arsonist selling firefighting services to their victims.”
This call to action arises in the wake of new revelations concerning Ascension, a healthcare system that endured a devastating ransomware assault last year. This attack resulted in the unauthorized acquisition of personal and medical information of approximately 5.6 million individuals.
The breach, which severely hindered access to electronic health records, was executed by a ransomware organization known as Black Basta. The U.S. Department of Health and Human Services has classified this incident as the third-largest healthcare breach recorded in the past year.
According to Senator Wyden’s office, the ransomware infiltration occurred when a contractor fell victim to a malicious link during a web search via Microsoft’s Bing search engine, which allowed the attackers to infiltrate systems using “dangerously insecure default settings” present in Microsoft software.
The perpetrators exploited a method known as Kerberoasting, which abuses the Kerberos authentication protocol to request service tickets from Active Directory that are encrypted with a service account's credentials. This technique takes advantage of outdated encryption technology, specifically “RC4,” which Microsoft still supports as a default configuration.
Kerberoasting relies on RC4, a cipher dating from the 1980s that remains in use despite its known weaknesses. Senator Wyden’s office indicated that Microsoft should have alerted its customers to the associated risks, particularly on July 29, 2024.
RC4, or Rivest Cipher 4, was originally confidential when first developed in 1987, but became public knowledge in 1994. The Internet Engineering Task Force (IETF) subsequently banned its usage in TLS protocols as of 2015, citing numerous cryptographic flaws that undermine data security.
In response to these issues, Microsoft issued a security advisory in October 2024, detailing protective measures for users, and announced plans to phase out RC4 from future updates for Windows 11 24H2 and Windows Server 2025.
The accounts particularly susceptible to Kerberoasting include those with weak passwords and those employing outdated encryption algorithms, especially RC4. Its lack of salt or iterative hashing simplifies the password guessing process for cyber adversaries.
Nonetheless, other encryption methodologies remain vulnerable when utilized with weak passwords. Although Active Directory does not use RC4 by default, the fact that RC4 remains supported allows cybercriminals to request tickets encrypted with this cipher.
Microsoft, which removed support for the Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11 earlier this year, highlighted improvements that prevent the Key Distribution Center (KDC) from issuing Ticket Granting Tickets encrypted with RC4.
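The RC4-encrypted ticket requests described above leave a trace: every service ticket the KDC issues is logged on the domain controller as Windows Security event 4769, including the encryption type used. The following is an added example, not code from the article or from Microsoft. It summarizes RC4 (and DES) service-ticket requests per requesting account over constructed sample events; the field names follow the event's XML data names, and the encryption-type codes (0x17 RC4-HMAC, 0x12 AES256, 0x11 AES128) are the standard Kerberos values.

```python
"""Summarize Kerberos service-ticket requests that used RC4 (Security event 4769).

Added example, not code from the article, from Microsoft or from any vendor.
Runs over constructed single-line renderings of event 4769 ("A Kerberos
service ticket was requested"). Field names follow the event's XML data names
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the etype
codes are standard Kerberos values.
"""
import re
from collections import Counter, defaultdict

# Kerberos encryption-type codes as written in event 4769.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one constructed key="value" line; return None for non-4769 events."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "4769":
        return None
    fields["etype"] = int(fields["TicketEncryptionType"], 16)
    return fields


def is_relevant_service(service_name):
    """Skip tickets that are noise for this purpose: the TGT service itself and
    computer accounts, which normally carry their own AES-only etype settings."""
    return service_name.lower() != "krbtgt" and not service_name.endswith("$")


def summarize_weak_tickets(lines):
    """Group RC4/DES service-ticket requests by the account that requested them."""
    summary = defaultdict(lambda: {"services": set(), "etypes": Counter(), "clients": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["etype"] not in WEAK_ETYPES:
            continue
        if not is_relevant_service(ev["ServiceName"]):
            continue
        rec = summary[ev["TargetUserName"]]
        rec["services"].add(ev["ServiceName"])
        rec["etypes"][ETYPE_NAMES.get(ev["etype"], hex(ev["etype"]))] += 1
        rec["clients"].add(ev["IpAddress"])
    return dict(summary)


def flag_suspects(summary, min_services=3):
    """One requester collecting RC4 tickets for several distinct service accounts
    is the shape worth an analyst's attention; a single RC4 ticket to one legacy
    service more often means an un-migrated account or an old client."""
    return {who: rec for who, rec in summary.items() if len(rec["services"]) >= min_services}


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    'EventID="4769" TargetUserName="alice@CORP.EXAMPLE" ServiceName="svc_sql" TicketEncryptionType="0x12" IpAddress="::ffff:10.0.1.20" Status="0x0"',
    'EventID="4769" TargetUserName="contractor01@CORP.EXAMPLE" ServiceName="svc_sql" TicketEncryptionType="0x17" IpAddress="::ffff:10.0.5.23" Status="0x0"',
    'EventID="4769" TargetUserName="contractor01@CORP.EXAMPLE" ServiceName="svc_backup" TicketEncryptionType="0x17" IpAddress="::ffff:10.0.5.23" Status="0x0"',
    'EventID="4769" TargetUserName="contractor01@CORP.EXAMPLE" ServiceName="svc_web" TicketEncryptionType="0x17" IpAddress="::ffff:10.0.5.23" Status="0x0"',
    'EventID="4769" TargetUserName="contractor01@CORP.EXAMPLE" ServiceName="svc_sharepoint" TicketEncryptionType="0x17" IpAddress="::ffff:10.0.5.23" Status="0x0"',
    'EventID="4769" TargetUserName="contractor01@CORP.EXAMPLE" ServiceName="FILESRV01$" TicketEncryptionType="0x17" IpAddress="::ffff:10.0.5.23" Status="0x0"',
    'EventID="4769" TargetUserName="bob@CORP.EXAMPLE" ServiceName="svc_legacyapp" TicketEncryptionType="0x17" IpAddress="::ffff:10.0.2.7" Status="0x0"',
    'EventID="4769" TargetUserName="bob@CORP.EXAMPLE" ServiceName="krbtgt" TicketEncryptionType="0x17" IpAddress="::ffff:10.0.2.7" Status="0x0"',
    'EventID="4768" TargetUserName="bob@CORP.EXAMPLE" ServiceName="krbtgt" TicketEncryptionType="0x12" IpAddress="::ffff:10.0.2.7" Status="0x0"',
]

if __name__ == "__main__":
    weak = summarize_weak_tickets(SAMPLE_EVENTS)
    for who, rec in flag_suspects(weak).items():
        print(who, sorted(rec["services"]), dict(rec["etypes"]), sorted(rec["clients"]))
```

Event 4769 is only written when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the domain controllers, and it is high-volume, so in practice this logic runs in a SIEM over a time window rather than over a file. The single-requester threshold is deliberately coarse; once the accounts in the Microsoft guidance below have been moved to AES, any remaining RC4 service ticket becomes a finding on its own.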

To bolster defenses against Kerberoasting, Microsoft recommends the following strategies:
- Employing Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever feasible
- Implementing strong, randomly generated passwords of at least 14 characters for service accounts
- Ensuring all service accounts use AES (128- and 256-bit) encryption for Kerberos service tickets
- Conducting regular audits of user accounts linked to Service Principal Names (SPNs)
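The last two recommendations can be checked from directory data: an account's permitted Kerberos ciphers live in its msDS-SupportedEncryptionTypes attribute, and the accounts exposed to Kerberoasting are exactly those that carry a Service Principal Name. The following is an added example, not code from the article or from Microsoft. It audits a constructed list of account records shaped like an export of `Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName,msDS-SupportedEncryptionTypes,PasswordLastSet,ObjectClass`; the bit values are the documented flags of that attribute, while the 365-day password-age threshold is an assumption chosen for the example.

```python
"""Audit SPN-bearing accounts for RC4/DES exposure, stale passwords and
non-managed status.

Added example, not code from the article or from Microsoft. Works on a
constructed list of records shaped like a Get-ADUser export. The bit values of
msDS-SupportedEncryptionTypes are the documented Kerberos encryption-type
flags; the 365-day password-age threshold is an assumption for this example.
"""
from datetime import date

# msDS-SupportedEncryptionTypes bit flags.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DES_BITS = 0x03
RC4_BIT = 0x04
AES_BITS = 0x18
GMSA_CLASS = "msDS-GroupManagedServiceAccount"


def decode_etypes(value):
    """Expand the bitmask into cipher names. None or 0 means the attribute is
    not set, so the domain controller applies its own default, which has
    historically included RC4."""
    if not value:
        return []
    return [name for bit, name in sorted(ETYPE_BITS.items()) if value & bit]


def audit_account(acct, today, max_pw_age_days):
    """Return finding codes for one SPN-bearing account."""
    findings = []
    etypes = acct.get("msDS-SupportedEncryptionTypes")
    if not etypes:
        findings.append("ETYPES_UNSET")
    else:
        if etypes & DES_BITS:
            findings.append("DES_PERMITTED")
        if etypes & RC4_BIT:
            findings.append("RC4_PERMITTED")
        if not etypes & AES_BITS:
            findings.append("NO_AES")
    # gMSA passwords are rotated by the domain itself, so neither the age check
    # nor the "move to a managed account" recommendation applies to them.
    if acct["ObjectClass"] != GMSA_CLASS:
        if (today - acct["PasswordLastSet"]).days > max_pw_age_days:
            findings.append("PASSWORD_OLD")
        findings.append("NOT_MANAGED")
    return findings


def audit_spn_accounts(records, today=None, max_pw_age_days=365):
    """Audit every record that carries at least one SPN; others are not
    Kerberoastable and are skipped."""
    today = today or date.today()
    return {
        acct["SamAccountName"]: audit_account(acct, today, max_pw_age_days)
        for acct in records
        if acct.get("ServicePrincipalName")
    }


# Constructed sample export (not real directory data).
SAMPLE_ACCOUNTS = [
    {"SamAccountName": "svc_sql", "ServicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": 0x04, "PasswordLastSet": date(2019, 3, 10), "ObjectClass": "user"},
    {"SamAccountName": "svc_web", "ServicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": None, "PasswordLastSet": date(2025, 1, 15), "ObjectClass": "user"},
    {"SamAccountName": "svc_backup", "ServicePrincipalName": ["backup/bk01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18, "PasswordLastSet": date(2025, 6, 1), "ObjectClass": "user"},
    {"SamAccountName": "svc_legacy", "ServicePrincipalName": ["ldap/legacy01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x07, "PasswordLastSet": date(2016, 8, 2), "ObjectClass": "user"},
    {"SamAccountName": "gmsa_sync$", "ServicePrincipalName": ["HTTP/sync01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18, "PasswordLastSet": date(2025, 9, 1), "ObjectClass": GMSA_CLASS},
    {"SamAccountName": "jdoe", "ServicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None, "PasswordLastSet": date(2020, 1, 1), "ObjectClass": "user"},
]

if __name__ == "__main__":
    for name, findings in audit_spn_accounts(SAMPLE_ACCOUNTS, today=date(2025, 9, 15)).items():
        print(f"{name:12} {findings}")
```

Accounts reported as RC4_PERMITTED, NO_AES or ETYPES_UNSET are remediated with `Set-ADUser <name> -KerberosEncryptionType AES128,AES256`, which writes the 0x18 bitmask; because the AES keys are derived when the password is set, an account whose password predates AES support in the domain also needs a password reset afterwards, which is where the 14-character minimum from the list above comes in. Password length itself cannot be read from the directory, so that check has to be enforced by policy at reset time rather than audited after the fact.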
Nonetheless, Senator Wyden pointed out that Microsoft’s software does not enforce a mandatory 14-character password policy for privileged accounts. He criticized the continued reliance on insecure RC4 encryption technology, stating it “unnecessarily endangers” customers by facilitating password breaches for privileged accounts.
The Hacker News has reached out to Microsoft for comments on these allegations, and updates will follow upon a response. This scrutiny is not unprecedented for the software giant; last year, the U.S. Cyber Safety Review Board (CSRB) condemned Microsoft for a series of preventable oversights that enabled cyber intrusions by the Chinese group known as Storm-0558, affecting 22 organizations globally.
“Ultimately, Microsoft’s poor cybersecurity record has produced no repercussions regarding its substantial federal contracts, owing to its extensive market control and inaction from governmental bodies in response to its security inadequacies,” Wyden’s office contended.
Ensar Seker, CISO at SOCRadar, articulated that this situation encapsulates a longstanding dilemma in enterprise cybersecurity: balancing legacy system support with a secure-by-default ethos. He emphasized that when a single vendor supports vital national infrastructure, their security configurations can lead to widespread ramifications.
“This conversation is not solely about attributing blame to one entity. It’s imperative to recognize that national security is intricately linked to the configuration defaults of predominant IT platforms. Both corporate entities and public sector agencies must advocate for more secure-by-design defaults and remain adaptable to improvements as they emerge,” he concluded.
Source link: Thehackernews.com.