Senator Calls for FTC Investigation into Microsoft’s Use of Outdated RC4 Encryption and Kerberoasting Vulnerabilities

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to investigate Microsoft for what he terms “gross cybersecurity negligence,” accusing the tech giant of knowingly shipping its Windows operating system with a dangerously outdated form of encryption that has enabled devastating ransomware attacks on U.S. critical infrastructure, including major healthcare systems.

In a letter addressed to FTC Chair Andrew N. Ferguson on September 10, 2025, Senator Wyden argued that Microsoft’s insecure default settings have created a fertile ground for cybercriminals, directly threatening U.S. national security.

The letter highlights a hacking technique known as “Kerberoasting,” which exploits Microsoft’s continued support for RC4, an obsolete encryption technology developed in the 1980s.

While modern and secure encryption standards like the Advanced Encryption Standard (AES) are available, Microsoft has not made them the default requirement in its widely used Active Directory software.
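The RC4-versus-AES distinction above is exactly what defenders key on when hunting Kerberoasting: Windows logs every service-ticket request as security event 4769 with a TicketEncryptionType field, and 0x17 (RC4-HMAC) is the value to watch. The following Python is an added illustration, not code from the article, Microsoft or the senator's office; the sample records and their simplified key=value layout are constructed for the example, the field names follow event 4769, and the threshold of three distinct services per client is an arbitrary tuning choice.

```python
"""Flag RC4-encrypted service-ticket requests (Windows event 4769) for hunting Kerberoasting.

Kerberoasting requests TGS tickets for accounts with SPNs and cracks the RC4-HMAC
portion offline; AES-issued tickets (types 0x11/0x12) resist this, so RC4 (0x17)
requests for non-computer service accounts are the signal to alert on.
Records below are constructed samples in a simplified key=value form, not real logs.
"""
from collections import Counter

RC4_HMAC = 0x17  # Kerberos etype 23 as logged in the TicketEncryptionType field

# Constructed sample records modelled on event 4769/4768 fields.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=bob ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4769 TargetUserName=bob ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4769 TargetUserName=bob ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4769 TargetUserName=carol ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.7",
    "EventID=4768 TargetUserName=dave ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.8",
]


def parse_event(line):
    """Turn one 'key=value ...' record into a dict; the etype becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["TicketEncryptionType"] = int(fields.get("TicketEncryptionType", "0"), 16)
    return fields


def is_kerberoast_candidate(ev):
    """TGS request (4769) for a user-style SPN account, issued with RC4."""
    if ev.get("EventID") != "4769":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":  # computer accounts and the TGT itself
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC


def find_kerberoasting(lines, threshold=3):
    """Return (flagged_events, suspicious_ips): an IP is suspicious once it has
    pulled RC4 tickets for at least `threshold` distinct services (bulk roasting)."""
    flagged = [ev for ev in map(parse_event, lines) if is_kerberoast_candidate(ev)]
    distinct = {(ev["IpAddress"], ev["ServiceName"]) for ev in flagged}
    per_ip = Counter(ip for ip, _ in distinct)
    suspicious = {ip for ip, n in per_ip.items() if n >= threshold}
    return flagged, suspicious
```

On the constructed sample, the three RC4 requests from 10.0.0.9 are flagged and that client crosses the threshold, while the AES request for a computer account and the krbtgt entries are ignored; the complementary hardening step is to set AES-only encryption types on service accounts so such 0x17 tickets are never issued.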

The Ascension Ransomware Attack

The letter details a 2024 ransomware attack on Ascension, one of the largest non-profit health systems in the United States, as a prime example of Microsoft’s alleged failures.

The incident began when a contractor clicked on a malicious link from a Microsoft Bing search result, inadvertently downloading malware.

From this single entry point, hackers moved across Ascension’s network and used the Kerberoasting technique to exploit the weak RC4 encryption in the organization’s Microsoft Active Directory server.

This allowed them to gain administrative privileges, deploy ransomware across thousands of computers, and steal the sensitive data of 5.6 million patients.

The attack severely disrupted Ascension’s ability to provide patient care.

Senator Wyden’s office stated it had urged senior Microsoft officials in July 2024 to issue clear warnings about the threat posed by Kerberoasting.

In response, Microsoft published a highly technical blog post in October 2024, recommending mitigation steps and promising a future software update to disable the vulnerable RC4 encryption.

However, Wyden criticized the company’s disclosure as inadequate, noting it was posted on an obscure part of its website without meaningful publicity.

Furthermore, eleven months later, the promised security update has yet to be released, leaving countless organizations vulnerable.

The Senator pointed out the hypocrisy of Microsoft’s inaction, as U.S. cybersecurity agencies, including CISA, the FBI, and the NSA, have all issued public guidance specifically warning against Kerberoasting and advising the disabling of RC4 encryption.

A comprehensive guide published in September 2024 by Australian national security agencies together with CISA and the NSA identified Kerberoasting as the top threat against Microsoft’s Active Directory software.

Wyden also referenced a Cyber Safety Review Board report that found Microsoft’s security culture “inadequate and requires an overhaul,” a finding that followed a major hack of U.S. government agencies by China in July 2023.

The Senator concluded by accusing Microsoft of profiting from its own insecure products by selling add-on cybersecurity services, comparing the company to “an arsonist selling firefighting services to their victims.”

He urged the FTC to take immediate action to hold Microsoft accountable for its monopolistic and negligent practices.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.