The Catastrophe That Didn’t Have to Happen: The Ascension Breach
In 2025, the health giant Ascension suffered a devastating breach that could have been prevented with basic security measures. The attack, which exploited a long-known weakness in Microsoft’s Active Directory, allowed hackers to pivot from an infected laptop into the company’s network and steal sensitive data. In this article, we will delve into the details of the breach, explore the weaknesses that made it possible, and examine the blame game between Ascension and Microsoft.
The Vulnerability: Kerberoasting
Kerberoasting is a type of attack that exploits a weakness in Microsoft’s Active Directory. Using any compromised domain account, an attacker requests a service ticket for a service account and receives that ticket encrypted under a key derived from the service account’s password. The attacker can then take the ticket offline and crack it at leisure, using large clusters of GPUs or ASIC chips that generate billions of password guesses per second, with no further interaction with the victim’s network until the password is recovered.
The Ascension Breach
In February 2025, a contractor’s laptop was infected with malware that allowed hackers to pivot to the Ascension network. The attackers used Kerberoasting to gain access to the network and steal sensitive data, including medical records and personal information of 5.6 million patients. The breach caused significant disruptions throughout the Ascension health network, with hospital employees reporting lapses that threatened patients’ lives.
The Role of Microsoft
Microsoft has been criticized for continuing to support a default fallback to the weaker, RC4-based Kerberos encryption, which leaves customers more susceptible to Kerberoasting attacks. In 2020, Microsoft finally warned about the risks of Kerberoasting and promised to disable RC4 by default in unspecified future Windows updates. However, it wasn’t until last October that Microsoft announced plans to disable the weaker Kerberos implementation starting in the first quarter of next year.
The Blame Game
Senator Ron Wyden has focused on Microsoft’s decision to continue supporting the default fallback to the weaker implementation and to delay formal warnings about the risks of Kerberoasting. However, many experts agree that Ascension also shares blame for the breach. The company could have taken measures to prevent the attack, such as implementing security in depth, zero trust, or managed service accounts.
Conclusion
The Ascension breach was a catastrophic failure that highlights the importance of basic security measures. While Microsoft deserves some blame for its handling of Kerberoasting weaknesses, Ascension’s lack of preparedness and failure to implement standard defensive measures are also clear. As HD Moore observed, "Just because a target shuts down one viable attack path is no guarantee that others remain." In 2025, there’s no excuse for an organization as big and sensitive as Ascension to suffer a Kerberoasting attack.
Recommendations
To prevent similar breaches in the future, organizations should:
- Implement security in depth and zero trust principles
- Use managed service accounts, whose passwords are randomly generated and rotated automatically, for accounts that carry service principal names
- Disable the weaker, RC4-based Kerberos encryption rather than waiting for Microsoft to change the default
- Monitor authentication and network activity for signs of compromise, such as service ticket requests using RC4 or bursts of requests for many service accounts
By taking these measures, organizations can reduce their risk of suffering a catastrophic breach like Ascension’s.
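The monitoring recommendation above and the description of Kerberoasting earlier on this page both come down to the same telemetry: Windows Security Event ID 4769 ("A Kerberos service ticket was requested"), which records the requesting account, the client address, the service account, and the ticket encryption type (0x17 is RC4-HMAC; 0x11 and 0x12 are AES). The following added example, not code from the original article or from any vendor, runs two common detection rules over constructed sample events: any RC4 ticket issued for a user-owned service account, and any client that requests tickets for many distinct service accounts in a short window. Field names, account names and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17           # TicketEncryptionType value for RC4-HMAC in Event 4769
AES_TYPES = {0x11, 0x12}  # AES128 / AES256: what every service account should be issuing

# Constructed sample 4769 records (not real telemetry). "service" is the account
# that owns the requested SPN, as the event reports it; machine accounts end in "$".
SAMPLE_EVENTS = [
    {"time": "2025-02-10T09:00:01", "user": "alice",    "ip": "10.0.1.5",  "service": "svc_sql",        "etype": 0x12},
    {"time": "2025-02-10T09:00:04", "user": "alice",    "ip": "10.0.1.5",  "service": "WS01$",          "etype": 0x12},
    {"time": "2025-02-10T09:14:00", "user": "ctr_jdoe", "ip": "10.0.9.77", "service": "svc_sql",        "etype": 0x17},
    {"time": "2025-02-10T09:14:01", "user": "ctr_jdoe", "ip": "10.0.9.77", "service": "svc_backup",     "etype": 0x17},
    {"time": "2025-02-10T09:14:02", "user": "ctr_jdoe", "ip": "10.0.9.77", "service": "svc_web",        "etype": 0x17},
    {"time": "2025-02-10T09:14:02", "user": "ctr_jdoe", "ip": "10.0.9.77", "service": "svc_sharepoint", "etype": 0x17},
    {"time": "2025-02-10T09:14:03", "user": "ctr_jdoe", "ip": "10.0.9.77", "service": "svc_exchange",   "etype": 0x17},
    {"time": "2025-02-10T11:30:00", "user": "bob",      "ip": "10.0.2.8",  "service": "svc_legacy",     "etype": 0x17},
]


def is_user_service_account(name):
    """Machine accounts ($) and krbtgt have long random keys; only user-owned SPN accounts are crackable."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_ticket_alerts(events):
    """Each RC4 ticket for a user-owned service account is a candidate Kerberoast (or a misconfigured account)."""
    return [(e["user"], e["ip"], e["service"]) for e in events
            if e["etype"] == RC4_HMAC and is_user_service_account(e["service"])]


def burst_alerts(events, window=timedelta(minutes=5), threshold=4):
    """Flag a client that requests tickets for >= threshold distinct service accounts inside one window.

    This rule keeps working after RC4 is disabled, when the RC4 rule alone goes quiet.
    """
    per_client = defaultdict(list)
    for e in events:
        if is_user_service_account(e["service"]):
            per_client[(e["user"], e["ip"])].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = []
    for (user, ip), reqs in per_client.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            distinct = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append((user, ip, sorted(distinct)))
                break  # one alert per client per run is enough
    return alerts
```

In the sample, the contractor account `ctr_jdoe` trips both rules, while `bob`'s single RC4 ticket is the kind of legacy-account finding that the "disable RC4" recommendation is meant to surface.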
Timeline
- 2008: Microsoft introduces a newer, more secure authentication method for Active Directory.
- 2014: Tim Medin presents an attack he had dubbed Kerberoasting at the DerbyCon Security Conference.
- 2020: Microsoft warns about the risks of Kerberoasting and promises to disable RC4 by default in unspecified future Windows updates.
- Last October: Microsoft announces plans to disable the weaker Kerberos implementation starting in the first quarter of next year.
- February 2025: A contractor’s laptop is infected with malware that allows hackers to pivot to the Ascension network.
- May 2025: Ascension detects the breach.
Glossary
- Kerberoasting: a type of attack that exploits a weakness in Microsoft’s Active Directory, allowing an attacker with any compromised account to request a service ticket for a service account, receive it encrypted under a key derived from that account’s password, and crack it offline.
- Managed Service Account: a Microsoft Active Directory account type whose password is generated randomly and rotated automatically, removing the weak, human-chosen passwords that Kerberoasting relies on.
- Security in depth: a principle that emphasizes the use of multiple layers of security measures to protect against attacks.
- Zero trust: a holistic approach to minimizing damage even when hack attempts do succeed, assuming the network will be breached and building resiliency to withstand or contain the compromise.