Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting”

A leading U.S. Senator has urged the Federal Trade Commission to launch an investigation into Microsoft, accusing the tech giant of severe cybersecurity oversights. Senator Ron Wyden (D-Ore.) highlighted concerns over Microsoft's reliance on outdated encryption methods in Windows, particularly in light of a significant ransomware attack in 2024 that compromised the healthcare provider Ascension and leaked the medical records of 5.6 million individuals. In a letter addressed to FTC Chairman Andrew Ferguson, Wyden emphasized that the default use of the RC4 encryption cipher was a critical factor in the breach. This marks the second occasion in recent years that Wyden has criticized Microsoft's cybersecurity approach as negligent.

He stated, "Due to perilous software engineering decisions by Microsoft, which have largely remained obscured from both corporate and governmental clients, a single click by an employee can lead to a widespread ransomware incident within an organization." Wyden's letter underscored the urgency of the matter, asserting that Microsoft has failed to mitigate the ransomware threat exacerbated by its software vulnerabilities.

The RC4 cipher, originally created by cryptographer Ron Rivest in 1987, has been recognized as insecure since its vulnerabilities became publicly known in the mid-1990s. Despite attempts to phase it out, Microsoft still uses RC4 as the default encryption method for Active Directory, a key Windows feature for managing user accounts in larger organizations. While stronger alternatives exist, many organizations never enable them, so Kerberos authentication falls back to the weak RC4 cipher.
In a recent blog post, cryptography expert Matt Green from Johns Hopkins University pointed out that the continued use of Kerberos in conjunction with RC4, along with frequent misconfigurations, leaves networks vulnerable to “kerberoasting.” This attack technique, which has been recognized since 2014, involves offline password-cracking methods aimed at Kerberos accounts lacking stronger encryption safeguards.
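The defensive counterpart to what Green describes is spotting RC4-encrypted service-ticket requests in domain controller logs. The following Python is an added example (not from the article, Green's post, or Microsoft): it scans a constructed, flattened sample of Windows Security event 4769 ("A Kerberos service ticket was requested") and flags accounts pulling several RC4 (etype 0x17) tickets for user-owned services, which is the pattern kerberoasting produces. The key=value log layout and all account and host names are assumptions.

```python
"""Flag Kerberos service-ticket requests that used RC4 (etype 0x17).

Added example; the event lines below are constructed, not real logs.
"""
import re
from collections import Counter

# TicketEncryptionType values as reported by Windows event 4769.
WEAK_ETYPES = {"0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
               "0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5"}
AES_ETYPES = {"0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96"}

# Constructed sample: one flattened event per line (layout is an assumption).
SAMPLE_EVENTS = """\
EventID=4769 Account=alice@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.0.0.5
EventID=4769 Account=alice@CORP.LOCAL ServiceName=httpsvc TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.0.0.5
EventID=4769 Account=alice@CORP.LOCAL ServiceName=backupsvc TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.0.0.5
EventID=4769 Account=bob@CORP.LOCAL ServiceName=FILESRV01$ TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.0.0.9
EventID=4769 Account=carol@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 ClientAddress=10.0.0.7
EventID=4768 Account=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.0.0.5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def rc4_service_tickets(log_text):
    """Successful 4769 events issued with a weak etype for a user-owned service.

    Computer accounts (names ending in '$') and krbtgt are skipped: their
    passwords are long and random, so an RC4 ticket for them is noise here.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        svc = ev.get("ServiceName", "")
        if (ev.get("EventID") == "4769" and ev.get("Status") == "0x0"
                and ev.get("TicketEncryptionType") in WEAK_ETYPES
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            hits.append(ev)
    return hits


def kerberoast_suspects(log_text, threshold=3):
    """Accounts with >= threshold weak-etype service tickets, worth an alert."""
    counts = Counter(ev["Account"] for ev in rc4_service_tickets(log_text))
    return {acct: n for acct, n in counts.items() if n >= threshold}
```

The lasting fix is the one the article points at: enable AES on service accounts so 0x17 tickets stop being issued at all, and use this check to find the accounts that still need it.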

Sources : Ars Technica

Published On : Sep 10, 2025, 19:45
