Ethical Hacking News
U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft for "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks. The investigation comes amid concerns over Microsoft's use of insecure default settings and its de facto monopolization of the enterprise operating system market.
MICROSOFT FACES SCRUTINY OVER CYBERSECURITY NEGLIGENCE

Senator Ron Wyden calls for an investigation into Microsoft's culture of negligent cybersecurity practices. The company is accused of using "dangerously insecure default settings" in its software, allowing attackers to access sensitive information. A breach on a healthcare system resulted in the theft of personal and medical information from nearly 5.6 million individuals. Microsoft's use of RC4 encryption technology is criticized for being outdated and insecure. The company has published an alert and plans to deprecate support for RC4, but Senator Wyden argues it is insufficient. The investigation sparks a wider conversation about the balance between legacy system support and secure-by-default design in enterprise software ecosystems.
Microsoft, the tech giant behind Windows operating systems and other popular software, has been under scrutiny recently due to allegations of gross cybersecurity negligence that enabled ransomware attacks on U.S. critical infrastructure. In a four-page letter sent to Federal Trade Commission (FTC) Chairman Andrew Ferguson, Senator Ron Wyden of Oregon called for an investigation into Microsoft's culture of negligent cybersecurity practices.
Senator Wyden likened Microsoft to an "arsonist selling firefighting services" to their victims, emphasizing the company's de facto monopolization of the enterprise operating system market as a serious national security threat. This critique comes in light of a crippling ransomware attack on Ascension, a healthcare system that suffered a breach resulting in the theft of personal and medical information associated with nearly 5.6 million individuals.
The investigation is sparked by allegations that attackers leveraged "dangerously insecure default settings" in Microsoft's own products to obtain elevated access to the most sensitive parts of Ascension's network. According to Senator Wyden's office, the breach began when a contractor clicked on a malicious link after performing a web search on Microsoft's Bing search engine, infecting their system with malware.
The attackers then used a technique called Kerberoasting, which targets the Kerberos authentication protocol to extract encrypted service account credentials from Active Directory. The technique exploits an insecure encryption technology from the 1980s known as RC4, which Microsoft software still supports in its default configuration. RC4, short for Rivest Cipher 4, was developed in 1987 and was originally intended to be a trade secret, but it was leaked in a public forum in 1994.
The Internet Engineering Task Force (IETF) has since prohibited the use of RC4 in TLS, citing a "variety of cryptographic weaknesses" that allow plaintext recovery. Despite this, Microsoft's software still supports RC4 in its default configuration, which Senator Wyden's office described as an example of gross negligence on Microsoft's part.
Microsoft eventually published an alert in October 2024 outlining the steps users can take to stay protected from such threats, and stated its plans to deprecate support for RC4 in a future update to Windows 11 24H2 and Windows Server 2025. However, Senator Wyden argues that these measures are insufficient and demands more immediate action.
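As an added defender-side illustration (not part of the article or of Microsoft's guidance), the Python below scans constructed Windows Security event 4769 records for service-ticket requests that negotiated RC4 or DES, the weak ciphers Kerberoasting depends on, and flags any account fanning out across several service principals; the flat key=value line layout of the sample is an assumption for this example.

```python
from collections import defaultdict

# Ticket Encryption Type values as logged in Windows Security event 4769
# ("A Kerberos service ticket was requested"). RC4-HMAC is 0x17.
ENC_TYPE_NAMES = {
    "0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
}
WEAK_ENC_TYPES = {"0x1", "0x3", "0x17", "0x18"}

# Constructed sample: event 4769 fields flattened to key=value pairs
# (assumed layout, not a real Windows export).
SAMPLE_LOG = """\
EventID=4769 Account=jdoe@CORP.EXAMPLE Service=MSSQLSvc/db01 EncType=0x12
EventID=4769 Account=contractor@CORP.EXAMPLE Service=MSSQLSvc/db01 EncType=0x17
EventID=4769 Account=contractor@CORP.EXAMPLE Service=http/web01 EncType=0x17
EventID=4769 Account=contractor@CORP.EXAMPLE Service=cifs/files01 EncType=0x17
EventID=4769 Account=svc_backup@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE EncType=0x17
EventID=4768 Account=jdoe@CORP.EXAMPLE EncType=0x12
"""

def parse_events(log_text):
    """Turn each key=value line into a dict; blank lines are skipped."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in log_text.splitlines() if line.strip()]

def weak_cipher_ticket_requests(events):
    """Return 4769 events whose service ticket used RC4/DES, ignoring krbtgt
    (a TGT renewal, not a service account whose ticket could be cracked)."""
    return [
        e for e in events
        if e.get("EventID") == "4769"
        and e.get("EncType") in WEAK_ENC_TYPES
        and not e.get("Service", "").lower().startswith("krbtgt/")
    ]

def accounts_requesting_many(weak_events, min_services=3):
    """Map each account to the distinct services it requested weak-cipher
    tickets for, keeping accounts at or above the threshold: one principal
    requesting tickets for many SPNs is the Kerberoasting pattern."""
    per_account = defaultdict(set)
    for e in weak_events:
        per_account[e["Account"]].add(e["Service"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= min_services}

if __name__ == "__main__":
    weak = weak_cipher_ticket_requests(parse_events(SAMPLE_LOG))
    for e in weak:
        print(f"{e['Account']} -> {e['Service']} ({ENC_TYPE_NAMES[e['EncType']]})")
    print("suspicious:", accounts_requesting_many(weak))
```

Even a single RC4 ticket for a service account is worth reviewing, since it shows that account still accepts the cipher Microsoft plans to deprecate; the threshold only prioritizes the burst pattern.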
The development comes amid concerns over the increasing use of ransomware attacks on U.S. critical infrastructure, including healthcare networks. The breach at Ascension has been ranked as the third-largest healthcare-related incident over the past year by the U.S. Department of Health and Human Services.
Senator Wyden's office has urged Microsoft to warn customers about the threat posed by this type of attack, but so far, no such warning has been issued. This lack of transparency and proactive measures has raised concerns among lawmakers and cybersecurity experts, who argue that it is not enough for companies like Microsoft to issue post-breach responses.
Instead, these individuals advocate for secure-by-default design practices in software systems and a more proactive approach to identifying and addressing vulnerabilities before they are exploited by attackers. Senator Wyden's call for an investigation into Microsoft's cybersecurity practices highlights the need for greater accountability from tech giants and calls for a renewed focus on ensuring that security is prioritized throughout the development process.
The investigation into Microsoft's culture of negligent cybersecurity practices has sparked a wider conversation about the balance between legacy system support and secure-by-default design in enterprise software ecosystems. Ensar Seker, CISO at SOCRadar, stated that "this isn't about blaming one company. It's about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms."
Ultimately, the issue highlights the need for enterprises and public sector agencies to demand more secure-by-design defaults from software vendors and be prepared to adapt when new vulnerabilities are discovered.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Microsoft-US-Senator-Ron-Wyden-Calls-for-FTC-Probe-Amidst-Ransomware-Linked-Cybersecurity-Negligence-ehn.shtml
https://thehackernews.com/2025/09/senator-wyden-urges-ftc-to-probe.html
Published: Thu Sep 11 12:08:25 2025 by llama3.2 3B Q4_K_M