Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting”

Wyden said his office’s investigation into the Ascension breach found that the ransomware attackers’ initial entry into the health giant’s network was the infection of a contractor’s laptop after using Microsoft Edge to search Microsoft’s Bing site. The attackers were then able to expand their hold by attacking Ascension’s Active Directory and abusing its privileged access to push malware to thousands of other machines inside the network. The means for doing so, Wyden said: Kerberoasting.

“Microsoft has become like an arsonist”

“Microsoft’s continued support for the ancient, insecure RC4 encryption technology needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators,” Wyden wrote. “According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts.”

Additionally, Green noted, the ever-growing speed of GPUs means that even passwords that appear to be strong can still fall to offline cracking attacks. That’s because the cryptographic hashes produced by the default RC4/Kerberos configuration use no cryptographic salt and only a single iteration of the MD4 algorithm. The combination means an offline cracking attack can make billions of guesses per second, a thousandfold advantage over the same password hashed by non-Kerberos authentication methods.

Referring to the Active Directory default, Green wrote:

It’s actually a terrible design that should have been done away with decades ago. We should not build systems where any random attacker who compromises a single employee laptop can ask for a message encrypted under a critical password! This basically invites offline cracking attacks, which do not need even to be executed on the compromised laptop—they can be exported out of the network to another location and performed using GPUs and other hardware.
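The weakness Green describes can be seen directly in how the two Kerberos key types are derived from a password. The following Python is an added illustration, not code from the article, Microsoft, or Green: it implements the RC4-HMAC key (a single unsalted MD4 over the UTF-16LE password, identical to the Windows NT hash) beside the salted, 4096-iteration PBKDF2 stage of the AES key, and shows that two accounts sharing a password get the same RC4 key but different AES material. The realm `CORP.EXAMPLE` and the account names `svc_backup` and `svc_sql` are constructed sample values; the final `DK(tkey, "kerberos")` step of the AES derivation is omitted because it needs an AES primitive and does not affect the salt-and-iteration comparison being made.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds often disable it as a legacy digest)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian message bit length.
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, message-word order, per-step rotation amounts)
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                aa = _rotl((aa + func(bb, cc, dd) + x[k] + const) & MASK32, shifts[i % 4])
                # Rotate register roles so the next step updates the next register (A, D, C, B order).
                aa, bb, cc, dd = dd, aa, bb, cc
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """Kerberos RC4-HMAC (etype 23) long-term key: one unsalted MD4 over the UTF-16LE password.
    This is the Windows NT hash, so every account sharing a password shares the key."""
    return md4(password.encode("utf-16-le"))


def aes_pbkdf2_stage(password: str, realm: str, principal: str, iterations: int = 4096) -> bytes:
    """First stage of the RFC 3962 AES string-to-key: salted, iterated PBKDF2-HMAC-SHA1.
    The salt is the realm followed by the principal name (Active Directory's exact
    concatenation varies by account type, but it is always per-principal). The final
    DK(tkey, "kerberos") step is omitted; it needs AES and does not change the comparison."""
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def distinct_key_counts(password: str, realm: str, principals: list) -> tuple:
    """For accounts sharing one password: how many distinct RC4 keys vs distinct AES outputs."""
    rc4_keys = {rc4_hmac_key(password) for _ in principals}
    aes_keys = {aes_pbkdf2_stage(password, realm, p) for p in principals}
    return len(rc4_keys), len(aes_keys)


if __name__ == "__main__":
    # Constructed sample: two service accounts in a fictional realm with the same weak password.
    accounts = ["svc_backup", "svc_sql"]
    print("RC4 key for 'password':", rc4_hmac_key("password").hex())
    print("distinct (rc4, aes) keys across accounts:", distinct_key_counts("password", "CORP.EXAMPLE", accounts))
```

Because the RC4 key is an unsalted single MD4, one guess tests the password for every account at once and costs one hash; the AES derivation costs 4096 HMAC iterations per guess and must be repeated per principal, which is where the thousandfold difference in the article comes from. Moving service accounts to AES-only encryption types and enforcing long passwords are the mitigations the article's sources point to.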

More than 11 months after announcing its plans to deprecate RC4/Kerberos, the company has provided no timeline for doing so. What’s more, Wyden said, the announcement was made in a “highly technical blog post on an obscure area of the company’s website on a Friday afternoon.” Wyden also criticized Microsoft for declining to “explicitly warn its customers that they are vulnerable to the Kerberoasting hacking technique unless they change the default settings chosen by Microsoft.”
