
U.S. hospital system suffers hacker attack, senator urges FTC to investigate Microsoft's cybersecurity vulnerabilities

U.S. Senator Ron Wyden accused Microsoft of having cybersecurity vulnerabilities that led to ransomware attacks on U.S. hospital systems and called for an FTC investigation. Wyden pointed out that Microsoft still supports the insecure RC4 encryption technology, allowing hackers to easily breach systems; this contributed to the shutdown of computer systems at several hospitals, including the Ascension healthcare system, affecting the data of over 5 million patients. Although Microsoft stated that it is gradually phasing out RC4, Wyden believes that most customers still face risks.
According to the Zhitong Finance APP, Ron Wyden, a Democratic senator from Oregon, has written to Federal Trade Commission (FTC) Chairman Andrew Ferguson, publicly accusing Microsoft Corporation (MSFT.US) of having significant cybersecurity vulnerabilities that have led to ransomware attacks on U.S. hospital systems, and has called for an investigation by the FTC.
The senator from Oregon accused Microsoft of "serious cybersecurity negligence," stating that this negligence has resulted in ransomware attacks targeting critical infrastructure in the United States. In his letter, he cited the 2024 incident involving the Ascension health system: as one of the largest nonprofit healthcare systems in the U.S., Ascension was forced to shut down multiple hospital computer systems due to a hacker attack, leading to the suspension of surgeries and the leakage of sensitive data from over 5 million patients.
Wyden's office investigation found that the attack began when Bing returned a malicious link to a contractor, who clicked on it and became infected, allowing hackers to infiltrate the Ascension network. They then exploited the insecure RC4 encryption technology, which Windows systems support by default, using Kerberoasting techniques to crack privileged account passwords, ultimately leading to system intrusion.
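The attack step described above, Kerberoasting over RC4, leaves a recognizable trace on the domain controller: Windows Security event 4769 (a Kerberos service ticket was requested) records the requesting account, the target service and the ticket encryption type, and RC4-HMAC is code 0x17 while the AES types are 0x11 and 0x12. The following is an added example, not code from the article or from Microsoft, of the detection logic a defender would run over those records; the event records are constructed, and the three-service threshold and the field names used as dictionary keys are assumptions about how a SIEM would present the event.

```python
"""Flag Kerberoasting-style RC4 service-ticket requests in Windows
Security event 4769 records (added example, constructed data).

Encryption-type codes in the 4769 TicketEncryptionType field:
0x17 = RC4-HMAC, 0x11 = AES128-CTS-HMAC-SHA1-96, 0x12 = AES256-CTS-HMAC-SHA1-96.
Service names ending in '$' are machine accounts, whose long random
passwords are not a practical cracking target, so they are excluded.
"""
from collections import defaultdict

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}

# Constructed sample records mirroring the 4769 fields a SIEM would parse.
# One account asks for RC4 tickets to several distinct services in a row,
# which is the pattern a Kerberoasting tool produces.
SAMPLE_EVENTS = [
    {"AccountName": "jdoe@CORP.LOCAL",   "ServiceName": "sql-svc",    "TicketEncryptionType": 0x17, "Status": 0x0},
    {"AccountName": "jdoe@CORP.LOCAL",   "ServiceName": "backup-svc", "TicketEncryptionType": 0x17, "Status": 0x0},
    {"AccountName": "jdoe@CORP.LOCAL",   "ServiceName": "web-svc",    "TicketEncryptionType": 0x17, "Status": 0x0},
    {"AccountName": "jdoe@CORP.LOCAL",   "ServiceName": "WS01$",      "TicketEncryptionType": 0x17, "Status": 0x0},
    {"AccountName": "asmith@CORP.LOCAL", "ServiceName": "sql-svc",    "TicketEncryptionType": 0x12, "Status": 0x0},
    {"AccountName": "bob@CORP.LOCAL",    "ServiceName": "krbtgt",     "TicketEncryptionType": 0x12, "Status": 0x0},
    {"AccountName": "eve@CORP.LOCAL",    "ServiceName": "legacy-svc", "TicketEncryptionType": 0x17, "Status": 0x0},
]


def is_rc4_service_ticket(ev):
    """True for a successful RC4 ticket request to a non-machine, non-krbtgt service."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and ev["Status"] == 0
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoasting(events, threshold=3):
    """Group RC4 service-ticket requests by requesting account and return
    the accounts that requested tickets for at least `threshold` distinct
    services (threshold is an assumed tuning value): account -> services."""
    by_account = defaultdict(set)
    for ev in events:
        if is_rc4_service_ticket(ev):
            by_account[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in by_account.items()
            if len(svcs) >= threshold}


def rc4_service_exposure(events):
    """Distinct service accounts for which any RC4 ticket was issued: the
    remediation list, i.e. accounts still needing AES-only Kerberos."""
    return sorted({ev["ServiceName"] for ev in events if is_rc4_service_ticket(ev)})


if __name__ == "__main__":
    for acct, svcs in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(svcs)}")
    print("services still issued RC4 tickets:", rc4_service_exposure(SAMPLE_EVENTS))
```

The second function matters as much as the first: a single RC4 ticket request is not an attack, but every service account that still receives RC4 tickets is one whose password hash can be attacked offline if a ticket is ever obtained. Moving those accounts to AES (the msDS-SupportedEncryptionTypes attribute in Active Directory controls this per account) and giving them long random passwords removes the condition the article describes, independent of whether Microsoft's default-off update has shipped.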
Wyden emphasized that Microsoft's long-term use of "old and insecure" RC4 encryption technology has allowed hackers to easily crack account passwords, and that the company has concealed this dangerous decision from its enterprise and government clients. He pointed out that this negligence means "a single employee clicking a link can trigger ransomware infection across the entire organization," and that Microsoft not only failed to effectively prevent the attack but also allowed "the proliferation of ransomware triggered by dangerous software."
Although Microsoft spokesperson David Cuddy responded that RC4 is an "old standard," accounting for less than 0.1% of its traffic, and that the company is gradually reducing its use by customers and plans to disable this technology by default in new installations of Active Directory systems starting in 2026, Wyden believes that the vast majority of Microsoft customers are still exposed to attack risks.
It is worth noting that this is not Wyden's first criticism of Microsoft. In July 2024, he had already raised concerns about Kerberos security issues with Microsoft executives, prompting the company to publish a technical blog in October of that year to guide organizations in preventing attacks and announcing the development of an update to disable RC4.
However, this update has yet to be officially released, leaving government agencies, nonprofit organizations, and other clients likely still vulnerable to hacker techniques. Wyden warned that if the FTC does not take action, Microsoft's "neglect of cybersecurity corporate culture" and "de facto monopoly position in the operating system market" will pose a national security threat, making more hacker attacks inevitable.
The FTC declined to comment, and Ascension also did not respond to interview requests.

