U.S. Senator Ron Wyden, a longtime critic of Microsoft and its security measures, is again asking federal regulators to investigate the IT giant, accusing it of “delivering dangerous, insecure software” that has made U.S. government agencies and critical infrastructure firms open to ransomware and other cyberattacks.
In a letter this week to Andrew Ferguson, chair of the Federal Trade Commission (FTC), the Oregon Democrat said the default settings in Windows – which include configurations – make the widely used operating system “incredibly vulnerable to ransomware infections.”
“Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” Wyden wrote in the four-page letter. “Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software.”
He pointed to the ransomware attack last year on Ascension, the large nonprofit healthcare system, as an example of Microsoft’s lax security standards. The incident disrupted operations throughout its network of hospitals in the United States and allowed the threat actors to steal the sensitive data of 5.6 million patients, the senator wrote.
In interviews with Wyden’s staff, Ascension officials said that a contractor using a company-issued laptop while searching via Microsoft’s Bing engine clicked on a malicious link in one of the search results. The malware was downloaded onto the laptop and allowed the bad actors to move laterally through Ascension’s network, gain administrator privileges to Active Directory (AD) accounts, and use those privileges to deploy ransomware to thousands of other computers.
The hackers used the Kerberoasting technique to access privileged accounts on the AD server, Wyden wrote. In Kerberoasting, bad actors exploit the Kerberos authentication protocol to access service account credentials, giving them wider access into a target’s networks.
Wyden blamed Microsoft’s default support of an older and insecure encryption technology, RC4, rather than the more secure AES256 as the key reason the attackers were able to launch their attack.
“Microsoft’s continued support for the ancient, insecure RC4 encryption technology needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators,” he wrote. “According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts.”
Microsoft for years has discouraged organizations from using RC4 and has published steps for disabling it. A spokesperson for the vendor told Reuters that RC4 makes up less than 0.1% of its traffic and that it will be disabled by default in certain Windows products beginning in the first quarter next year. There also will be “additional mitigations” for deployments that still use it.
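To make the RC4-versus-AES point concrete from a defender’s side, the following added example (not code from the article, Wyden’s letter or Microsoft) audits Active Directory service accounts by decoding the msDS-SupportedEncryptionTypes bit flags and flags any SPN-bearing account that can still be issued an RC4 service ticket. The account records are constructed sample data, and treating an unset or zero attribute as “RC4 possible by default” is this script’s assumption.

```python
# Added example: flag AD service accounts whose Kerberos encryption-type
# setting still permits RC4 service tickets (the Kerberoasting precondition).

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS = 0x08
AES256_CTS = 0x10
WEAK_TYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC

_NAMES = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5",
          RC4_HMAC: "RC4-HMAC", AES128_CTS: "AES128", AES256_CTS: "AES256"}


def decode_enc_types(value):
    """Turn the bitmask into the list of enabled encryption types."""
    return [name for bit, name in _NAMES.items() if value & bit]


def assess_account(spns, enc_types):
    """Return (finding, detail) for one account, or None if nothing to report."""
    if not spns:
        return None  # no SPN: nobody can request a service ticket for it
    if not enc_types:
        # Assumption of this script: unset/0 means the legacy default applies,
        # so an RC4 ticket can be issued for the account.
        return ("rc4-default", "msDS-SupportedEncryptionTypes not set")
    if enc_types & WEAK_TYPES:
        # AES bits being present does not help: a requester may still ask for RC4.
        return ("rc4-permitted", ", ".join(decode_enc_types(enc_types)))
    return None


def audit(accounts):
    """Map sAMAccountName -> finding for every account that needs attention."""
    findings = {}
    for acct in accounts:
        result = assess_account(acct["spns"], acct["enc"])
        if result is not None:
            findings[acct["sam"]] = result
    return findings


# Constructed sample records (not real accounts).
ACCOUNTS = [
    {"sam": "svc_sql", "spns": ["MSSQLSvc/db01.corp.example:1433"], "enc": 0x04},
    {"sam": "svc_web", "spns": ["HTTP/web01.corp.example"], "enc": 0x18},
    {"sam": "svc_backup", "spns": ["backup/bk01.corp.example"], "enc": None},
    {"sam": "jdoe", "spns": [], "enc": None},
    {"sam": "svc_legacy", "spns": ["legacy/app01.corp.example"], "enc": 0x1C},
]

if __name__ == "__main__":
    for sam, (finding, detail) in audit(ACCOUNTS).items():
        print(f"{sam}: {finding} ({detail})")
```

In a real domain the records would come from an LDAP query for objects with a servicePrincipalName; the remediation Microsoft documents is to set the attribute to AES-only values and rotate the account’s password so the RC4 key material is gone.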
“However, disabling its use completely would break many customer systems,” the spokesperson said.
The problem is that despite myriad examples of poor cybersecurity practices, the U.S. government, critical infrastructure companies, corporations, and nonprofits “have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT,” Wyden wrote.
This isn’t Wyden’s first run-in with Microsoft. The senator in 2023 sent a letter to CISA, the FTC, and the U.S. Attorney General’s Office urging them to hold Microsoft accountable for the hack by a Chinese threat group, Storm-0558, which stole a Microsoft signing key and hacked its way into Microsoft 365 and Exchange Online accounts, stealing email from government and corporate accounts.
Later that year, in the wake of the attack by Storm-0558, Microsoft launched its Secure Future Initiative, a broad effort to make security a key part of everything that the company does by ensuring that security comes first when designing a product or service, that protections are enabled and enforced by default, and that security controls and monitoring are continuously improved. The company released its latest report on the initiative in April.
That said, Wyden in his latest letter said Microsoft is still falling behind on cybersecurity, pointing to other Chinese-nexus threat groups exploiting two zero-day vulnerabilities in SharePoint – creating what has been called the “ToolShell” vulnerability chain – to steal sensitive information from government agencies and corporations.
He accused Microsoft of building up a multibillion-dollar cybersecurity business of add-on security services rather than delivering secure software, adding that “at this point, Microsoft has become like an arsonist selling firefighting services to their victims.”
“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” Wyden wrote.