Full Report
U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting that the agency investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations. [...]
Analysis Summary
# Incident Report: Ascension Health Ransomware Attack Linked to Microsoft Kerberoasting Vulnerability
## Executive Summary
A major ransomware attack on Ascension Health in May 2024, compromising 5.6 million patient records, has been linked by U.S. Senator Ron Wyden to alleged "gross cybersecurity negligence" by Microsoft regarding its continued default support for the weak Kerberos RC4 encryption algorithm. The attack used a Kerberoasting technique enabled by user error, leading to lateral movement and significant data exfiltration. Senator Wyden is urging the FTC to investigate Microsoft's failure to adequately secure its products against well-documented risks.
## Incident Details
- Discovery Date: May 2024 (Date of the Ascension Health breach)
- Incident Date: May 2024
- Affected Organization: Ascension Health
- Sector: Healthcare
- Geography: U.S.
## Timeline of Events
### Initial Access
- Date/Time: May 2024
- Vector: User Click / Phishing (via malicious Bing Search result in Microsoft Edge)
- Details: A contractor clicked a malicious Bing Search result while using Microsoft Edge, leading to initial compromise.
### Lateral Movement
- **Technique:** Kerberoasting attack, which exploited the presence of the weak/deprecated RC4 encryption algorithm within Kerberos settings.
- **Details:** Attackers used Kerberoasting to steal encrypted service account credentials from Active Directory. They then decrypted these credentials, which RC4's weakness made feasible, to escalate privileges and move laterally across the network.
### Data Exfiltration/Impact
- **Impact:** Compromise of data belonging to 5.6 million patients. The attack was a ransomware incident, implying operational disruption (though disruption details are not specified).
### Detection & Response
- **Detection:** The extent of the data breach became public following the attack.
- **Response actions taken:** Senator Wyden's team engaged Microsoft in July 2024 to report the danger of RC4. Microsoft later published a highly technical blog post in October 2024 that addressed the issue but failed to clearly warn decision-makers.
## Attack Methodology
- Initial Access: Credential theft initiated by user interaction with a malicious web result (Bing Search/Edge).
- Persistence: Implicitly achieved through stolen service account credentials allowing prolonged unauthorized access.
- Privilege Escalation: Achieved by decrypting service account credentials obtained via Kerberoasting, leveraging weak RC4 encryption.
- Defense Evasion: Not explicitly detailed; the abuse of a legacy protocol feature (RC4) allowed the attack to proceed past initial security measures without detection.
- Credential Access: Kerberoasting (stealing service account tickets/hashes).
- Discovery: Not explicitly detailed, but necessary to map the network for lateral movement.
- Lateral Movement: Achieved using escalated service account privileges.
- Collection: Data related to 5.6 million patients was gathered prior to exfiltration.
- Exfiltration: Successful exfiltration of patient data occurred as part of the ransomware incident.
- Impact: Ransomware deployment and patient data breach.
## Impact Assessment
- Financial: Not specified, but significant due to a large-scale healthcare data breach.
- Data Breach: Data of 5.6 million patients compromised.
- Operational: Implied significant disruption due to the nature of a ransomware attack on a major healthcare organization's infrastructure.
- Reputational: High reputational damage to Ascension Health and external scrutiny on Microsoft regarding product security.
## Indicators of Compromise
- **Network indicators - defanged:** (None explicitly provided in the text, beyond the mechanism of Kerberoasting).
- **File indicators:** (None explicitly provided).
- **Behavioral indicators:** Use of Kerberoasting post-compromise to target service accounts configured with RC4 encryption.
## Response Actions
- **Containment:** (Not detailed in the public report regarding clinical response).
- **Eradication:** (Not detailed).
- **Recovery:** (Not detailed).
- **External Action:** Senator Wyden requested an investigation by the Federal Trade Commission (FTC). Microsoft acknowledged the issue and stated RC4 makes up less than 0.1% of their traffic but is kept for legacy support.
## Lessons Learned
- Legacy configuration defaults (like retaining RC4 support in Kerberos) introduce critical, persistent risk even when mitigating newer threats.
- A successful Kerberoasting attack chain relies on both user error (initial access) and underlying platform vulnerabilities (weak encryption defaults).
- Technical advisories (blog posts) may fail to effectively communicate urgent security risks to organizational decision-makers.
## Recommendations
- Microsoft should accelerate the timeline for disabling weak cryptographic standards like RC4 by default, prioritizing security over backward compatibility for older systems when major security risks are known.
- Organizations must actively audit and disable deprecated or weak encryption standards like RC4 within Active Directory configurations immediately.
- Implement strong security awareness training focused on identifying malicious search results or links, as initial access often begins with seemingly benign user actions.
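The behavioral indicator above (Kerberoasting against RC4-configured service accounts) and the recommendation to audit RC4 use in Active Directory can both be worked from the same telemetry: Windows Security event 4769 records every service-ticket request together with the ticket's encryption type, where the value 0x17 denotes RC4-HMAC. The script below is an added example and is not part of the report or of any Microsoft tooling. It assumes the events have been exported into a flattened key=value text form (the field names follow the 4769 event schema; the export format, the 10-minute window and the three-service threshold are assumptions to tune locally) and the log lines are constructed for illustration. It does two things a defender wants here: it flags a single account requesting RC4 tickets for several distinct services in a short window, which is the classic Kerberoasting burst, and it inventories which service principals are still being issued RC4 tickets, which is the list of accounts whose encryption settings need to be migrated to AES.

```python
"""Detect Kerberoasting-style RC4 ticket bursts and inventory RC4-issued
services from flattened Windows Security event 4769 records.

Added example; the export format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17              # TicketEncryptionType value for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=10)   # assumed correlation window
MIN_DISTINCT_SERVICES = 3        # assumed threshold for a "burst"

# Constructed sample lines in an assumed key=value export of event 4769.
# They are illustrative and are not telemetry from the incident above.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2024-05-01T10:00:02 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=HTTP/intranet TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2024-05-01T10:00:02 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=CIFS/fs01 TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2024-05-01T10:00:03 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2024-05-01T10:00:03 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.25 Status=0x0
2024-05-01T10:05:00 EventID=4769 TargetUserName=asmith@CORP.EXAMPLE ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x12 IpAddress=10.0.0.40 Status=0x0
2024-05-01T10:05:01 EventID=4769 TargetUserName=asmith@CORP.EXAMPLE ServiceName=HTTP/intranet TicketEncryptionType=0x12 IpAddress=10.0.0.40 Status=0x0
2024-05-01T10:05:02 EventID=4769 TargetUserName=asmith@CORP.EXAMPLE ServiceName=CIFS/fs01 TicketEncryptionType=0x12 IpAddress=10.0.0.40 Status=0x0
2024-05-01T11:30:00 EventID=4769 TargetUserName=svc_backup@CORP.EXAMPLE ServiceName=CIFS/fs02 TicketEncryptionType=0x17 IpAddress=10.0.0.60 Status=0x0
"""


def parse_line(line):
    """Turn one '<timestamp> key=value ...' line into a dict with parsed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["etype"] = int(rec["TicketEncryptionType"], 16)
    return rec


def _is_roastable_service(name):
    # Computer accounts (trailing '$') have long random passwords and the TGT
    # service (krbtgt) is not a Kerberoasting target, so they are excluded.
    return not name.endswith("$") and not name.lower().startswith("krbtgt")


def find_rc4_bursts(lines, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return one alert per account that obtained RC4 tickets for at least
    `min_services` distinct services within `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["time"])
    by_user = defaultdict(list)
    for e in events:
        if e["etype"] != RC4_HMAC or e["Status"] != "0x0":
            continue                      # only successful RC4 ticket issuance
        if not _is_roastable_service(e["ServiceName"]):
            continue
        by_user[e["TargetUserName"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):   # slide a window over this user's events
            in_window = [x for x in evs[i:] if x["time"] - start["time"] <= window]
            services = sorted({x["ServiceName"] for x in in_window})
            if len(services) >= min_services:
                alerts.append({
                    "user": user,
                    "source_ip": start["IpAddress"],
                    "first_seen": start["time"].isoformat(),
                    "rc4_services": services,
                })
                break                     # one alert per user is enough
    return alerts


def rc4_service_inventory(lines):
    """Every service principal that was issued an RC4 ticket: the migration
    backlog for the 'disable RC4 in AD' recommendation."""
    return {
        e["ServiceName"]
        for e in (parse_line(l) for l in lines if l.strip())
        if e["etype"] == RC4_HMAC and e["Status"] == "0x0"
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in find_rc4_bursts(lines):
        print("RC4 ticket burst:", alert)
    print("Services still issued RC4 tickets:", sorted(rc4_service_inventory(lines)))
```

On the constructed sample the burst detector fires only for jdoe (three distinct RC4 services from one host in two seconds; the AES-only user asmith and the single-service svc_backup stay quiet), while the inventory also lists WS01$ and CIFS/fs02, because for the migration question every RC4-issued ticket matters, not just roastable ones. In production the same logic runs over a SIEM export of 4769 rather than an inline string.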