Senator Calls for FTC Investigation into Microsoft\u2019s Use of Outdated RC4 Encryption and Kerberoasting Vulnerabilities
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to investigate Microsoft for what he terms \u201cgross cybersecurity negligence,\u201d accusing the tech giant of knowingly shipping its Windows operating system with a dangerously outdated form of encryption that has enabled devastating ransomware attacks on U.S. critical infrastructure, including major healthcare systems.<\/p>\n
In a letter addressed to FTC Chair Andrew N. Ferguson on September 10, 2025, Senator Wyden argued that Microsoft\u2019s insecure default settings have created a fertile ground for cybercriminals, directly threatening U.S. national security. <\/p>\n
The letter highlights a hacking technique known as \u201cKerberoasting<\/a>,\u201d which exploits Microsoft\u2019s continued support for RC4, an obsolete encryption technology developed in the 1980s.<\/p>\n While modern and secure encryption standards like the Advanced Encryption Standard (AES) are available, Microsoft has not made them the default requirement in its widely used Active Directory<\/a> software.<\/p>\n The letter details a 2024 ransomware attack on Ascension, one of the largest non-profit health systems in the United States, as a prime example of Microsoft\u2019s alleged failures. <\/p>\n The incident began when a contractor clicked on a malicious link from a Microsoft Bing search result, inadvertently downloading malware. <\/p>\n From this single entry point, hackers moved across Ascension\u2019s network and used the Kerberoasting technique to exploit the weak RC4 encryption in the organization\u2019s Microsoft Active Directory server. <\/p>\n This allowed them to gain administrative privileges, deploy ransomware<\/a> across thousands of computers, and steal the sensitive data of 5.6 million patients.<\/p>\n The attack severely disrupted Ascension\u2019s ability to provide patient care.<\/p>\n Senator Wyden\u2019s office stated<\/a> it had urged senior Microsoft officials in July 2024 to issue clear warnings about the threat posed by Kerberoasting.<\/p>\n In response, Microsoft published a highly technical blog post in October 2024, recommending mitigation steps and promising a future software update to disable the vulnerable RC4 encryption. <\/p>\n However, Wyden criticized the company\u2019s disclosure as inadequate, noting it was posted on an obscure part of its website without meaningful publicity. <\/p>\n Furthermore, eleven months later, the promised security update has yet to be released, leaving countless organizations vulnerable.<\/p>\n The Senator pointed out the hypocrisy of Microsoft\u2019s inaction, as U.S. cybersecurity agencies, including CISA, the FBI, and the NSA, have all issued public guidance specifically warning against Kerberoasting and advising the disabling of RC4 encryption. <\/p>\n A comprehensive guide from CISA and the NSA, authored by Australian national security agencies in September 2024, identified Kerberoasting as the top threat against Microsoft\u2019s Active Directory software. <\/p>\n Wyden also referenced a Cyber Safety Review Board report that found Microsoft\u2019s security culture \u201cinadequate and requires an overhaul,\u201d a finding that followed a major hack of U.S. government agencies by China in July 2023. <\/p>\n The Senator concluded by accusing Microsoft of profiting from its own insecure products by selling add-on cybersecurity services, comparing the company to \u201can arsonist selling firefighting services to their victims.\u201d <\/p>\n He urged the FTC to take immediate action to hold Microsoft accountable for its monopolistic and negligent practices.<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Senator Calls for FTC Investigation into Microsoft\u2019s Use of Outdated RC4 Encryption and Kerberoasting Vulnerabilities<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Ascension Ransomware Attack<\/strong><\/h2>\n