How weak passwords and other failings led to catastrophic breach of Ascension

THE BREACH THAT DIDN’T HAVE TO HAPPEN

A deep-dive into Active Directory and how “Kerberoasting” breaks it wide open.

Aurich Lawson | Getty Images

Last week, a prominent US senator called on the Federal Trade Commission to investigate Microsoft for cybersecurity negligence over the role it played last year in health giant Ascension’s ransomware breach, which caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the hands of the attackers. Lost in the focus on Microsoft was something as, or more, urgent: never-before-revealed details that now invite scrutiny of Ascension’s own security failings.

In a letter sent last week to FTC Chairman Andrew Ferguson, Sen. Ron Wyden (D-Ore.) said an investigation by his office determined that the hack began in February 2024 with the infection of a contractor’s laptop after they downloaded malware from a link returned by Microsoft’s Bing search engine. The attackers then pivoted from the contractor device to Ascension’s most valuable network asset: the Windows Active Directory, a tool administrators use to create and delete user accounts and manage system privileges to them. Obtaining control of the Active Directory is tantamount to obtaining a master key that will open any door in a restricted building.

How weak passwords and other failings led to catastrophic breach of Ascension

Related reading

Finance company stored their DB credentials in spreadsheet

The network password was a key plot point in one of the most famous movies of…

Senator blasts Microsoft for making default Windows vulnerable to…

To gain root access at this company, all an intruder had to do was ask nicely

UK business breach rate stuck at 43%... blame the phishing

Microsoft patch fell short. New Windows flaw exploited