Wyden Says Microsoft Flaws Led to Hack of US Hospital System (bloomberg.com)
US Senator Ron Wyden says glaring cybersecurity flaws by Microsoft enabled a ransomware attack on a US hospital system and has called on the Federal Trade Commission to investigate. Bloomberg: In a letter sent Wednesday to FTC Chairman Andrew Ferguson, the Oregon Democrat accused Microsoft of "gross cybersecurity negligence," which he said had resulted in ransomware attacks against US critical infrastructure.
The senator cited the case of the 2024 breach at Ascension, one of the nation's largest nonprofit health systems. The intrusion shut down computers at many of Ascension's hospitals, leading to suspended surgeries and the theft of sensitive data on more than 5 million patients. Wyden said an investigation by his office found that the Ascension hack began after a contractor carried out a search using Microsoft's Bing search engine and was served a malicious link, which led to the contractor inadvertently downloading malware. That allowed hackers access to Ascension's computer networks.
According to Wyden, the attackers then gained access to privileged accounts by exploiting an insecure encryption technology called RC4, which is supported by default on Windows computers. The hacking method is called Kerberoasting, which the company described as a type of cyberattack in which intruders aim to gather passwords by targeting an authentication protocol called Kerberos.
Is it really Microsoft's fault? (Score:3)
Well, blaming Microsoft is usually the right move; in this case it appears to be more of a security blunder by the contractor. Hell, why was he even running Windows? QubesOS is an objectively better choice for any high-security setting, like a hospital or health care network.
Re: (Score:2)
why was he even running Windows?
This is the "Fox News defense".
"It's not our fault because if someone's stupid enough to trust us, they deserve what they get."
Re: (Score:2)
why was he even running Windows?
This is the "Fox News defense".
"It's not our fault because if someone's stupid enough to trust us, they deserve what they get."
Well to be fair, he is a "Murdoch"
Re: (Score:2)
Re: (Score:2)
I like to Microsoft-bash as much as the next Unix / Linux loving nerd, but is this really their fault? It's possible to deploy containerization security standards on Windows to make it high security, so is the real issue that the contractor didn't follow smart isolation? There is a real issue with data storage and data handling, but again, is that Microsoft's fault? The data should have been encrypted with something like AES-256-GCM, and every node in the network should have been closed tighter than a nun's nasty, requiring MFA.
Yes this is entirely Microsoft's fault rooted in their failure to ever deploy secure authentication mechanisms. Microsoft has only ever deployed some form of CHAP scheme for authentication well known to be universally vulnerable to offline brute force attacks. Microsoft knows full well most real world passwords lack sufficient entropy to withstand offline attack relative to available processing resources.
Yet they've persisted for decades all the while failing to deploy alternatives such as ZKP. This isn'
Re: (Score:2)
Re: Is it really Microsoft's fault? (Score:1)
Re: (Score:2)
Microsoft has only ever deployed some form of CHAP scheme
Yet they've persisted for decades all the while failing to deploy alternatives such as ZKP.
While Microsoft themselves have not implemented ZKP specifically (yet), the rest of your statement(s) is false. Whether you like it or not, they've deployed plenty of other options. Windows supports FIDO2, EAP-TLS, Kerberos, Passkeys, etc. None of these is a CHAP scheme, nor does it seem like the hospital used *any* of them. Plus, while Microsoft doesn't natively support ZKP (yet), they are working on it, and in the meantime there are third-party vendors that can implement it.
It's up to the IT staff to actuall
Re: (Score:2)
And now that I'm thinking about this story and remembering some of it, they were using Kerberos, and this malware was targeting it, but Microsoft released guidelines months beforehand on how to prevent Kerberoasting from succeeding. If they would have implemented the guidelines, the hack would have failed. Why was RC4 still enabled? They could turn it off at anytime (and a future update did default it to off). Why weren't they using gMSA or dMSA? No one seems to know. Either way, the hack was preventable, M
Re: (Score:3)
Yes, it is Microsoft's fault. Something sold commercially as a "modern" OS must be able to survive reasonably well (unless misconfigured) when connected to the Internet. And still using RC4 these days? That is negligence that could not be any more gross.
Re: (Score:2)
The hospital could have turned RC4 off at any time.
Re: (Score:2)
Re: (Score:2)
You know, that you even need that VM isolation (and I agree, Windows needs it) is a rather strong sign of fundamental unfitness for purpose. You do not need that isolation on Linux, the xBSDs or any commercial Unix. Only Windows is so fragile and insecure that it has basically become a best practice to do VM-based isolation for it.
Funny! (Score:3)
Don't be silly (Score:4, Informative)
This is an infrastructure design and monitoring mistake. It can't be traced to just Microsoft; that is a very simple way to avoid responsibilities.
An institution as important as a hospital must have a partitioned network, with security levels that prevent a mistake in one zone from destroying the work of another. And the data and related processes must be organized according to their importance and sensitivity.
Also, good and sufficient contingency plans must exist.
Everything else is playing in the sand like children.
Re: (Score:2)
When RC4 is supported? No. Supporting RC4 today is gross negligence, nothing else.
What's His Angle? (Score:2)
What a clown. He can't be that stupid.
The fine senator should be suing Ascension for not solely using Apple products, like he does.
Re: (Score:2)
What a clown. He can't be that stupid.
Yes, yes he can.
Remember that most politicians are usually from legal or business backgrounds and have little to no training or hands on knowledge of IT and related fields. Given Wyden's background as a privacy/data security advocate he is probably better educated on the subject than many of his peers but he still doesn't have hands on experience with Cybersec and IT related fields and is just going by what his staff has briefed him on. Sadly the "experts" on most congresscritter's staffs probably got the
Re: (Score:2)
Given Wyden's background as a privacy/data security advocate he is probably better educated on the subject than many of his peers but he still doesn't have hands on experience with Cybersec and IT related fields and is just going by what his staff has briefed him on.
And yet, every agency in the US Federal government subscribes to every product currently offered by Microsoft.
Microsoft let everyone know about this (Score:2)
https://www.microsoft.com/en-u... [microsoft.com]
Wyden is just another old man who should be shoved out the Capitol exit and into a wood chipper so that younger people whose brains are not yet failing can take on the job of leadership. The spray of his corpse can be used to feed failing grass in DC, shoveled and spread by National Guardsmen ashamed of what their government has made them do.
Re: (Score:3)
You don't know much about Wyden, do you?
Re: (Score:2)
I know enough. I'm sick of this gerontocracy.
Re: (Score:2)
You're too old to comment on this.
how easy is it to hack epic mychart? (Score:2)
how easy is it to hack epic mychart?
I knew a programmer once (Score:2)
Whenever his software didn't work right, he would immediately insist, in all seriousness, that it was because of "a Microsoft bug." But upon further investigation, it never actually was.
Microsoft has had, and dealt with, plenty of bugs. But if you're going to blame Microsoft, you'd better be sure of your facts.
I wouldn't be surprised if this company didn't ignore multiple explicit scary popups when they clicked options to enable the insecure protocols. The healthcare industry, which I've worked in for more
Re: (Score:2)
Whenever his software didn't work right, he would immediately insist, in all seriousness, that it was because of "a Microsoft bug." But upon further investigation, it never actually was.
I've heard of people going bonkers and blaming the compiler or even the processor. In my experience when Microsoft is blamed it turns out more often than not to be the case. Of course YMMV. In any event rarely do such externalities matter. Even where a problem is caused by something else your customers still expect you to provide a working product so it is always your fault and your problem no matter what. I recall years ago a hardware vendor borked a few versions of their network drivers. Running our
Re: (Score:2)
What facts are in doubt in this case?
Well, to start with, the claim was that
The hackers employed a technique known as “Kerberoasting,” which exploits an insecure encryption technology from the 1980s known as “RC4” that is still supported by Microsoft software in its default configuration
But Microsoft's own blogs claim that RC4 was disabled in Edge and Internet Explorer in 2016. https://blogs.windows.com/msed... [windows.com]
It was eliminated from Active Directory and Kerberos in 2022. https://www.dell.com/support/k... [dell.com]
That year, it was also removed from the SSL/TLS stack. https://support.microsoft.com/... [microsoft.com]?
So it's not at all clear that the claim is true or has merit.
Re: (Score:2)
The hackers employed a technique known as “Kerberoasting,” which exploits an insecure encryption technology from the 1980s known as “RC4” that is still supported by Microsoft software in its default configuration
But Microsoft's own blogs claim that RC4 was disabled in Edge and Internet Explorer in 2016. https://blogs.windows.com/msed [windows.com]...
It was eliminated from Active Directory and Kerberos in 2022. https://www.dell.com/support/k [dell.com]...
That year, it was also removed from the SSL/TLS stack. https://support.microsoft.com/ [microsoft.com]...?
So it's not at all clear that the claim is true or has merit.
Kerberoasting is independent of RC4. For example hashcat supports brute forcing AES as well. The problem is entropy not algorithm selection.
Re: (Score:2)
According to the article, the attack specifically relied on RC4.
According to Wyden, the attackers then gained access to privileged accounts by exploiting an insecure encryption technology called RC4, which is supported by default on Windows computers.
Re: (Score:2)
According to the article, the attack specifically relied on RC4.
I fail to see the relevance. If not RC4 it would have been AES. Disabling RC4 does NOT solve the problem.
Re: (Score:2)
No, the two are not equivalent in security, not even close.
https://docs.datadoghq.com/sec... [datadoghq.com]
Re: (Score:2)
No, the two are not equivalent in security, not even close.
Your reference is irrelevant; you still don't understand the problem. Hashcat isn't breaking RC4; what it is actually doing is running a dictionary attack. It doesn't matter how shitty RC4 is when the weakest link is entropy, not crypto.
See RFC4757 section 2.
"The RC4-HMAC string to key function is defined as follows:
String2Key(password)
K = MD4(UNICODE(password))"
The key to the HMAC or the stream cipher is the goddamn Windows password (NTOWF). This means if you take an HMAC or encrypt a known plaintext with
Re: (Score:2)
That 1000x cost in resources isn't as insignificant as you make it out to be. Password cracking is *all* about the cost.
Re: (Score:2)
That 1000x cost in resources isn't as insignificant as you make it out to be. Password cracking is *all* about the cost.
Password cracking is all about results. 1000x is thermal noise in regimes where exponents protect systems. So a password takes hours instead of minutes or days instead of hours and you have to throw more cores at the problem than you would otherwise. At the end of the day outcomes and expenditures do not meaningfully change.
Re: (Score:2)
Your effort estimates are incorrect. To crack an AES 256 password would take many years, not just hours. https://www.progress.com/blogs... [progress.com]. By contrast, RC4 takes minutes to hours to crack.
Malware and scam search results (Score:2)
...are a problem that doesn't get enough attention. Script kiddies (and/or nation state actors) buy ads with popular brand keywords, impersonate the brands, and attack users with fake virus-warning popups (which induce users to install real malware), or pretend to sell products that they're never going to ship, etc, etc.
I wonder if the attack in this case was from an ad, or just from a random organic search result. The malicious ads are extra irritating because it makes the search engine a part of the attac