Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure
Sen. Ron Wyden, D-Ore., on Wednesday called for the Federal Trade Commission to investigate Microsoft, saying the company’s default configurations are leaving customers vulnerable and contributing to ransomware, hacking and other threats.
That includes the 2024 Ascension hospital ransomware attack, which resulted in the theft of personal data, medical data, payment information, insurance information and government IDs for more than 5.6 million patients.
Wyden, whose staff interviewed or spoke with Ascension and Microsoft staff as part of the senator’s oversight, said the attack “perfectly illustrates” the negative consequences of Microsoft’s cybersecurity policies.
Ascension told Wyden’s staff that in February 2024, a contractor using one of the company’s laptops used Microsoft Bing’s search engine and Microsoft Edge, the default web browser that came with it. The contractor clicked on a phishing link, which infected the laptop and spread to Ascension’s broader network. The hackers gained administrative privilege to the company’s accounts through Active Directory, another Microsoft product that manages user accounts, and pushed ransomware “to thousands of other computers in the organization.”
Wyden noted in his letter to FTC Chair Andrew Ferguson that the hackers used a technique known as Kerberoasting to access privileged accounts on Ascension’s Active Directory server. This method takes advantage of weaknesses in encryption protocols that have been obsolete and vulnerable for decades.
“This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous,” Wyden wrote.
Still, organizations that rely on RC4 continue to be compromised through Kerberoasting. In 2023, the Cybersecurity and Infrastructure Security Agency warned about exploitation of RC4 and Kerberoasting in the health care sector. A year later, CISA, the FBI and the National Security Agency all warned that foreign countries like Iran were also exploiting the same technique to target American companies.
Wyden questioned why the company continued to support RC4, saying it “needlessly exposes its customers to ransomware and other cyber threats” and pointing out that better encryption technologies exist — like the Advanced Encryption Standard (AES) — that have federal government approval and could have better protected Microsoft customers.
While Microsoft has said the threat can be mitigated by setting long passwords that are at least 14 characters long, their default settings for privileged accounts do not require it.
In response to Wyden’s letter, a Microsoft spokesperson told CyberScoop that “RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic.”
“However, disabling its use completely would break many customer systems,” the spokesperson wrote. “For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible.”
Wyden wrote that in conversations with his staff in 2024, Microsoft officials agreed to discontinue support for RC4, but have yet to do so nearly a year later.
Microsoft’s press office told CyberScoop that the company plans to have RC4 disabled by default in Active Directory installations starting Q1 of 2026. They also said that disabling RC4 more broadly is “on our roadmap” but did not provide a timetable for doing so.
But Wyden’s letter emphasized that he believed Microsoft, not the public, should bear the security burden of fixing the problem.
“Microsoft chooses the default settings, including the security features that are enabled automatically and the required security settings (e.g. minimum password length),” Wyden wrote, noting that while organizations can change those settings, “in practice, most do not.”
