Kerberos isn’t the only thing getting roasted
Wyden says default use of RC4 cipher led to last year’s breach of health giant Ascension.
The Microsoft logo. Credit: Getty Images
A prominent US senator has called on the Federal Trade Commission to investigate Microsoft for “gross cybersecurity negligence,” citing the company’s continued use of an obsolete and vulnerable form of encryption that Windows supports by default.
In a letter to FTC Chairman Andrew Ferguson, Sen. Ron Wyden (D–Ore.) said an investigation his office conducted into the 2024 ransomware breach of the health care giant Ascension found that the default support of the RC4 encryption cipher was a direct cause. The breach led to the theft of medical records of 5.6 million patients.
It’s the second time in as many years that Wyden has used the word “negligence” to describe Microsoft’s security practices.
“Dangerous software engineering decisions”
“Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” Wyden wrote in the letter, which was sent Wednesday. “Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software.”
RC4 is short for Rivest Cipher 4, a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. It was a trade-secret-protected proprietary cipher until 1994, when an anonymous party posted a technical description of it to the Cypherpunks mail list. Within days, the algorithm was broken, meaning its security could be compromised using cryptographic attacks. Despite the known susceptibility to such attacks, RC4 remained in wide use in encryption protocols, including SSL and its successor TLS, until about a decade ago.
Microsoft, however, continues by default to support RC4 as a means for securing Active Directory, a Windows component that administrators use to configure and provision user accounts inside large organizations. Windows clients will by default authenticate using the much more secure AES encryption standard and servers will respond using the same. But by default, Windows servers will respond to RC4-based authentication requests and return an RC4-based response.
This design presents a major opportunity for hackers who manage to compromise a single device inside an otherwise well-fortified network. By making the device send an RC4-based authentication request, the hackers can receive a response and then crack the weak cryptographic hash that secures its underlying password.
In a blog post published Wednesday, cryptography expert Matt Green of Johns Hopkins University said continued support of Kerberos and RC4—combined with a common misconfiguration that gives non-admin users access to privileged Active Directory functions—opens the networks to “kerberoasting,” a form of attack that uses offline password-cracking attacks against Kerberos-protected accounts that haven’t been configured to use stronger forms of encryption. Kerberoasting has been a known attack technique since 2014.
As Microsoft itself noted last year, even when Active Directory accounts use strong passwords that would normally be infeasible to crack, choosing RC4 as the underlying cipher makes them “more susceptible to the cyberattack because [the cipher] uses no salt or iterated hash when converting a password to an encryption key, allowing the cyberthreat actor to guess more passwords quickly.” Microsoft went on to say that it would disable RC4 “by default” in non-specified future Windows updates.
Wyden said his office’s investigation into the Ascension breach found that the ransomware attackers’ initial entry into the health giant’s network was the infection of a contractor’s laptop after using Microsoft Edge to search Microsoft’s Bing site. The attackers were then able to expand their hold by attacking Ascension’s Active Directory and abusing its privileged access to push malware to thousands of other machines inside the network. The means for doing so, Wyden said: Kerberoasting.
“Microsoft has become like an arsonist”
“Microsoft’s continued support for the ancient, insecure RC4 encryption technology needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators,” Wyden wrote. “According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts.”
Additionally, Green noted, the continuing speed of GPUs means that even when passwords appear to be strong, they can still fall to offline cracking attacks. That’s because the security cryptographic hashes created by default RC4/Kerberos use no cryptographic salt and a single iteration of the MD4 algorithm. The combination means an offline cracking attack can make billions of guesses per second, a thousandfold advantage over the same password hashed by non-Kerberos authentication methods.
Referring to the Active Directory default, Green wrote:
It’s actually a terrible design that should have been done away with decades ago. We should not build systems where any random attacker who compromises a single employee laptop can ask for a message encrypted under a critical password! This basically invites offline cracking attacks, which do not need even to be executed on the compromised laptop—they can be exported out of the network to another location and performed using GPUs and other hardware.
More than 11 months after announcing its plans to deprecate RC4/Kerberos, the company has provided no timeline for doing so. What’s more, Wyden said, the announcement was made in a “highly technical blog post on an obscure area of the company’s website on a Friday afternoon.” Wyden also criticized Microsoft for declining to “explicitly warn its customers that they are vulnerable to the Kerberoasting hacking technique unless they change the default settings chosen by Microsoft.”
Wyden went on to criticize Microsoft for building a “multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it. At this point, Microsoft has become like an arsonist selling firefighting services to their victims.”
In an emailed statement, Microsoft said it has already deprecated the use of DES, another encryption scheme with known vulnerabilities. Microsoft wrote:
RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic. However, disabling its use completely would break many customer systems. For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use. We’ve engaged with The Senator’s office on this issue and will continue to listen and answer questions from them or others in government.
In Q1 of 2026 any new installations of Active Directory Domains using Windows Server 2025 will have RC4 disabled by default, meaning any new domain will inherently be protected against attacks relying on RC4 weaknesses. We plan to include additional mitigations for existing in-market deployments with considerations for compatibility and continuity of critical customer services.
Post updated in the sixth and seventh paragraphs to better explain role of RC4 in Active Directory authentication.
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
