Today's AI/ML headlines are brought to you by ThreatPerspective

Digital Event Horizon

The Kerberoasting Conundrum: How Ascension's Security Failings Led to a Catastrophic Ransomware Breach



Microsoft's continued support for an insecure Kerberos encryption type in Active Directory has left networks vulnerable to attack, and the recent breach of health giant Ascension shows what that exposure costs. In this article we look at how Kerberoasting works, why it was so effective against Ascension, and what organizations can do to prevent it.

  • The Kerberos encryption type Microsoft ships as the Active Directory default, RC4-HMAC, keys service tickets directly with the account's password hash, which leaves any domain open to Kerberoasting.
  • The attack on Ascension began in February 2024 and exposed the medical records of 5.6 million patients; a weak password and inadequate security measures let the attackers escalate from one infected laptop.
  • Microsoft kept the older RC4-based encryption enabled by default even though it publicly acknowledged, in October 2024, that this fallback made users more susceptible to Kerberoasting.
  • Once a ticket is in hand the cracking happens offline: GPU clusters can test billions of password guesses per second against RC4-encrypted tickets, so any guessable password falls quickly.
  • Mitigations include moving services to (group) managed service accounts with long, automatically rotated random passwords, and disabling RC4 for Kerberos in favor of AES.


    Microsoft's October 2024 warning that Active Directory's default Kerberos fallback made users more susceptible to Kerberoasting has taken on new weight with the breach of health giant Ascension. In that warning Microsoft acknowledged that the default configuration still allowed service tickets to be encrypted with RC4, an insecure cipher whose key is derived directly from the account's password hash, which lets attackers test password guesses at enormous speed.

    Despite this, Microsoft continued to support the weaker RC4 encryption type, leaving networks open to attack. The Ascension breach began in February 2024, when a contractor's laptop was infected with malware after the contractor downloaded a malicious file from a link returned by Microsoft's Bing search engine. From that laptop the attackers pivoted into Ascension's Windows Active Directory, the directory service administrators use to create and delete accounts and manage privileges across the network.

    The consequences were severe: operations at 140 hospitals were disrupted in ways that put lives at risk, and the medical records of 5.6 million patients were exposed. An inquiry by Senator Ron Wyden found that Ascension's own security failings played a significant role. Chief among them was a weak password: once the attackers obtained a Kerberos service ticket encrypted under that account's key, they could crack the password offline, which is exactly what Kerberoasting is.

    Kerberoasting exploits a basic property of Kerberos: any authenticated domain account, including a compromised low-privilege one, can ask the domain controller for a service ticket to any registered service principal, and the ticket it receives is encrypted with a key derived from that service account's password. The request needs no special privilege and looks like an ordinary ticket request. The attacker takes the ticket offline and runs a cracking attack against it, using large clusters of GPUs or ASICs to test password guesses until one decrypts the ticket correctly. Because Active Directory's default RC4-HMAC encryption type keys the ticket directly with the account's NT hash, a single unsalted MD4 of the password with no iteration count, each guess costs one fast hash, and such rigs can test billions of guesses per second. The AES encryption types instead derive the key with 4,096 PBKDF2 iterations and a per-account salt, which makes each guess thousands of times more expensive.

    In Ascension's case, the attackers used exactly this technique to pivot from the contractor's laptop into Active Directory: they requested a service ticket, cracked the weak password it was encrypted under, and used the recovered credential to reach sensitive data. The breach was the product of several factors together: weak passwords, a ticket encryption type that made them cheap to guess, and inadequate defenses around the directory.

    Even after the breach, Microsoft has continued to support the older RC4 encryption type in Active Directory, citing the risk of breaking older systems that do not support AES. That decision keeps networks exposed, and it is clear that more must be done to protect users from this class of attack.

    One mitigation is within reach of any organization: run services under managed service accounts (standalone or group MSAs), whose passwords are long random values that the domain generates and rotates automatically (every 30 days by default for gMSAs), so there is nothing guessable to crack. Another is to stop issuing RC4-encrypted tickets altogether: restrict service accounts to the AES encryption types (via the msDS-SupportedEncryptionTypes attribute and the "Network security: Configure encryption types allowed for Kerberos" policy), which Windows has supported since Windows Server 2008, and audit for anything that still negotiates RC4 before disabling it domain-wide.
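
    As an added example of the audit step (not code from the article or from Microsoft), the script below triages service accounts for Kerberoasting exposure using the attributes that matter: whether the account has a service principal name at all, whether msDS-SupportedEncryptionTypes still permits RC4, whether it is a managed service account, and how old a human-set password is. The input records are constructed to resemble what an AD export would return; the script does not query a domain controller, and the account names, SPNs and dates are invented.

```python
"""Added example: triage a (constructed) AD export for Kerberoasting exposure and state the fix.
Records mimic servicePrincipalName, msDS-SupportedEncryptionTypes, objectClass, pwdLastSet and
adminCount as an export would return them; nothing here talks to Active Directory."""
from datetime import datetime, timezone

# msDS-SupportedEncryptionTypes bit flags
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
ETYPE_NAMES = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5",
               RC4_HMAC: "RC4-HMAC", AES128: "AES128", AES256: "AES256"}
AES_ONLY = AES128 | AES256  # 0x18, the value to set on a remediated service account
MANAGED_CLASSES = {"msDS-GroupManagedServiceAccount", "msDS-ManagedServiceAccount"}

def decode_etypes(value):
    """Unset or 0 means 'domain default'. Windows domains have historically issued RC4 tickets in
    that case, so treat it as RC4-exposed unless you know the domain default excludes RC4."""
    if not value:
        return {"domain default (assume RC4-HMAC)"}
    return {name for bit, name in ETYPE_NAMES.items() if value & bit}

def rc4_allowed(value):
    return not value or bool(value & RC4_HMAC)

def assess(acct, now, max_age_days=365):
    """Findings for one account. No SPN means no service ticket can be requested for it, so no exposure."""
    findings = []
    if not acct.get("servicePrincipalName"):
        return findings
    etypes = acct.get("msDS-SupportedEncryptionTypes")
    if rc4_allowed(etypes):
        findings.append(f"RC4 permitted ({', '.join(sorted(decode_etypes(etypes)))}); set "
                        f"msDS-SupportedEncryptionTypes to {AES_ONLY:#x} once the service is confirmed to support AES")
    if not MANAGED_CLASSES & set(acct.get("objectClass", [])):
        age_days = (now - acct["pwdLastSet"]).days
        if age_days > max_age_days:
            findings.append(f"human-set password is {age_days} days old; convert to a gMSA or rotate to a long random value")
        if acct.get("adminCount") == 1:
            findings.append("privileged account (adminCount=1) holds an SPN; cracking it is domain compromise")
    return findings

def _dt(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = _dt(2025, 9, 18)
SAMPLE_EXPORT = [  # constructed records, not real accounts
    {"sAMAccountName": "svc_sql", "objectClass": ["user"], "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": _dt(2019, 3, 2), "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": ["user"], "servicePrincipalName": ["HTTP/portal.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": _dt(2025, 7, 1), "adminCount": 0},
    {"sAMAccountName": "gmsa_iis$", "objectClass": ["user", "msDS-GroupManagedServiceAccount"],
     "servicePrincipalName": ["HTTP/app.corp.example"], "msDS-SupportedEncryptionTypes": AES_ONLY,
     "pwdLastSet": _dt(2025, 9, 1), "adminCount": 0},
    {"sAMAccountName": "jdoe", "objectClass": ["user"], "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": _dt(2018, 1, 1), "adminCount": 0},
]

def triage(export, now=NOW):
    """Map sAMAccountName -> findings, listing exposed accounts only."""
    result = {}
    for acct in export:
        findings = assess(acct, now)
        if findings:
            result[acct["sAMAccountName"]] = findings
    return result

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EXPORT).items():
        print(name)
        for f in findings:
            print("  -", f)
```

    On the constructed export the gMSA and the SPN-less user come out clean, the web service account is flagged only for still permitting RC4 (0x1C includes bit 0x4), and the SQL account collects all three findings: unset encryption types, a six-year-old password, and admin privileges behind an SPN. The ordering of the fixes matters in practice: confirm every consumer of the service supports AES before setting 0x18, or the service stops authenticating.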

    Ultimately, the Kerberoasting conundrum shows what a long-documented weakness costs when neither vendor defaults nor customer hygiene close it. The mitigations are well understood; what organizations with sensitive data need is to apply them before an attacker does the audit for them.



    Related Information:
  • https://www.digitaleventhorizon.com/articles/The-Kerberoasting-Conundrum-How-Ascensions-Security-Failings-Led-to-a-Catastrophic-Ransomware-Breach-deh.shtml

  • https://arstechnica.com/security/2025/09/how-weak-passwords-and-other-failings-led-to-catastrophic-breach-of-ascension/

  • https://macmegasite.com/2025/09/18/how-weak-passwords-and-other-failings-led-to-catastrophic-breach-of-ascension/


  • Published: Thu Sep 18 10:59:56 2025 by llama3.2 3B Q4_K_M

    © Digital Event Horizon . All rights reserved.
