A leading U.S. senator has requested that the Federal Trade Commission (FTC) launch an inquiry into Microsoft, citing what he has termed “gross cybersecurity negligence.” This call to action stems from concerns regarding the company’s continued reliance on the outdated RC4 encryption method, which is set as the default in Windows systems.
In a recent correspondence to FTC Chairman Andrew Ferguson, Senator Ron Wyden (D–Oregon) emphasized that his office’s investigation into the significant 2024 ransomware attack on healthcare provider Ascension directly linked the breach to Microsoft’s use of the RC4 cipher. This incident resulted in the unauthorized access to sensitive medical records belonging to approximately 5.6 million patients.
This marks the second consecutive year that Wyden has pointed to Microsoft’s security measures, labeling them as negligent. He underscored in his letter that the consequences of these “dangerous software engineering decisions” could allow a single employee at a healthcare facility or similar organization to inadvertently trigger a widespread ransomware incident by merely clicking on a malicious link. Wyden criticized Microsoft for failing to address the escalating threat of ransomware that has proliferated due to vulnerabilities in its software.
The RC4 cipher, designed by mathematician Ron Rivest in 1987, has long been deprecated by the cryptographic community because of its known weaknesses. After it was publicly disclosed in 1994, it was soon found to be susceptible to cryptographic attacks. Although stronger alternatives have long been available, RC4 remained in use in protocols including SSL and TLS until around a decade ago.
Despite the risks associated with RC4, Microsoft continues to ship it as the default encryption method for Active Directory, the Windows component that manages user accounts in large organizations. Windows offers stronger encryption options, but many organizations never enable them, so Kerberos authentication falls back to the insecure RC4 cipher.
Cybersecurity expert Matt Green of Johns Hopkins University noted that the ongoing reliance on Kerberos with the weak RC4 cipher, coupled with common misconfigurations that inadvertently grant non-administrative users access to sensitive Active Directory functions, leaves organizations exposed to “kerberoasting.” This attack technique, known since 2014, exploits such weak configurations to let an attacker crack the passwords of Kerberos-protected accounts offline.
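Two defender-side checks for the exposure described above, written as an added example that is not part of the original article: decoding an account's `msDS-SupportedEncryptionTypes` attribute to see whether RC4 tickets are still permitted, and flagging RC4-encrypted service ticket requests (Ticket Encryption Type `0x17`) in Windows Security Event 4769 records. The single-line `key=value` record format and the sample records are constructed for the example; real 4769 events carry the same field names but are multi-line XML.

```python
# Added example: decode msDS-SupportedEncryptionTypes and flag RC4 service-ticket
# requests in constructed Event 4769 records (defender-side checks, not article code).
from collections import defaultdict

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes.
ENC_FLAGS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
             0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
RC4_TICKET_ETYPE = 0x17  # Ticket Encryption Type value for RC4-HMAC in Event 4769

def decode_enc_types(value: int) -> list[str]:
    """Map an msDS-SupportedEncryptionTypes value to cipher names.
    0 (attribute unset) is treated as RC4 by default, which is the exposure at issue."""
    if value == 0:
        return ["RC4-HMAC (attribute unset, default)"]
    return [name for bit, name in ENC_FLAGS.items() if value & bit]

def allows_rc4(value: int) -> bool:
    """True if the KDC may issue RC4-encrypted tickets for this account."""
    return value == 0 or bool(value & 0x4)

def parse_4769(line: str) -> dict:
    """Parse one constructed single-line 4769 record of ';'-separated key=value pairs."""
    fields = dict(kv.split("=", 1) for kv in line.split(";"))
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields

def rc4_ticket_requests(lines) -> list[tuple[str, str, str]]:
    """(user, service, client IP) for every service ticket issued with RC4."""
    return [(r["AccountName"], r["ServiceName"], r["ClientAddress"])
            for r in map(parse_4769, lines)
            if r["TicketEncryptionType"] == RC4_TICKET_ETYPE]

def kerberoast_candidates(lines, min_services: int = 2) -> list[str]:
    """Users that requested RC4 tickets for at least min_services distinct services
    (one user fanning out across many service accounts is the pattern worth alerting on)."""
    per_user = defaultdict(set)
    for user, service, _ in rc4_ticket_requests(lines):
        per_user[user].add(service)
    return sorted(u for u, s in per_user.items() if len(s) >= min_services)

# Constructed sample records, not real log data.
SAMPLE_4769 = [
    "EventID=4769;AccountName=jdoe@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;ClientAddress=10.0.0.25",
    "EventID=4769;AccountName=jdoe@CORP.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;ClientAddress=10.0.0.25",
    "EventID=4769;AccountName=asmith@CORP.LOCAL;ServiceName=CORPDC01$;TicketEncryptionType=0x12;ClientAddress=10.0.0.40",
]

if __name__ == "__main__":
    print("0x18 allows:", decode_enc_types(0x18), "RC4 possible:", allows_rc4(0x18))
    print("kerberoasting candidates:", kerberoast_candidates(SAMPLE_4769))
```

Setting the attribute to `0x18` (AES128 + AES256) on service accounts is the remediation the checks are built around; the event-log check then shows whether any client is still obtaining RC4 tickets.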
In this context, the MITRE ATT&CK tactics that could apply to such an attack include initial access, in which an attacker gains entry through phishing or an exploit, followed by persistence to maintain that access and privilege escalation to gain further control over compromised systems. The continued use of insecure encryption defaults raises serious questions about organizational security and the potential consequences of breaches in an increasingly digital landscape.