Ascension Breach Highlights Decade-old Security Flaw, Points to Failures in Defense-in-Depth and Zero Trust
WASHINGTON D.C. – The recent catastrophic network outage at Ascension, one of the largest healthcare providers in the U.S., stemmed from a successful Kerberoasting attack – a technique first identified in 2014 – and underscores critical failures in fundamental cybersecurity practices, according to security experts and a letter from Senator Ron Wyden to Microsoft. The breach, which disrupted patient care across multiple states, highlights the enduring risk posed by weak credentials and a lack of robust security architecture.
While details surrounding the attack remain limited due to Ascension’s lack of public comment, security professionals point to a breakdown in established security principles like “defense in depth.” This approach, likened to the layered protections on a submarine, aims to contain damage even if one security measure fails. Similarly, the principle of “zero trust” – assuming a network will be breached and building resilience accordingly – appears to have been insufficiently implemented. Zero trust represents a shift from conventional “hard on the outside, soft on the inside” network security, prioritizing containment over perimeter defense.
The impact of the breach was severe; a single compromised computer within the Ascension network was able to trigger a widespread shutdown. This suggests a critical failure to limit lateral movement within the network, a tactic commonly employed by attackers. Security expert HD Moore noted that even without Kerberoasting, “there were dozens of other options for an attacker (standard bloodhound-style lateral movement, digging through logon scripts and network shares, etc.).”
The fact that a decade-old technique like Kerberoasting proved successful against a major healthcare provider is particularly concerning. Kerberoasting abuses the Windows Kerberos authentication protocol: any authenticated domain user can request service tickets for accounts with registered service principal names, and those tickets are encrypted with a key derived from the service account’s password. An attacker can crack them offline, recovering the password and gaining access to sensitive systems. Weak or dated passwords and legacy RC4 encryption make the cracking cheap.
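Because ticket requests are logged by domain controllers, the behaviour described above is detectable from the defender's side. The following is an added example, not code from the original article or from any party it mentions: it runs two simple checks over constructed Windows Security Event ID 4769 (“A Kerberos service ticket was requested”) records, flagging service accounts that still issue RC4-HMAC tickets (encryption type 0x17) and any single account that requests tickets for many distinct services within a short window. The field names (`account`, `service`, `enc`, `src`) and the sample records are assumptions chosen for the example; a real deployment would map them from the event's actual fields.

```python
"""Added example: spot Kerberoasting indicators in constructed Event ID 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos ticket encryption types as logged in event 4769.
RC4_HMAC = "0x17"   # legacy etype: ticket key derived from the plain NT hash, cheap to crack
AES256 = "0x12"     # AES256-CTS-HMAC-SHA1-96: PBKDF2-derived key, far costlier to crack

# Constructed sample records (assumption: simplified field names, not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-09-26T09:00:01", "account": "jsmith", "service": "krbtgt", "enc": AES256, "src": "10.0.0.5"},
    {"time": "2025-09-26T09:00:02", "account": "jsmith", "service": "cifs/fs01", "enc": AES256, "src": "10.0.0.5"},
    {"time": "2025-09-26T09:03:10", "account": "svc_backup", "service": "cifs/fs02", "enc": RC4_HMAC, "src": "10.0.0.20"},
    {"time": "2025-09-26T09:05:00", "account": "bob", "service": "MSSQLSvc/db01", "enc": RC4_HMAC, "src": "10.0.0.9"},
    {"time": "2025-09-26T09:05:01", "account": "bob", "service": "MSSQLSvc/db02", "enc": RC4_HMAC, "src": "10.0.0.9"},
    {"time": "2025-09-26T09:05:01", "account": "bob", "service": "http/web01", "enc": RC4_HMAC, "src": "10.0.0.9"},
    {"time": "2025-09-26T09:05:02", "account": "bob", "service": "http/intranet", "enc": RC4_HMAC, "src": "10.0.0.9"},
    {"time": "2025-09-26T09:05:03", "account": "bob", "service": "ldap/app01", "enc": RC4_HMAC, "src": "10.0.0.9"},
    {"time": "2025-09-26T09:05:04", "account": "bob", "service": "krbtgt", "enc": AES256, "src": "10.0.0.9"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def rc4_services(events):
    """Services that issued an RC4-encrypted ticket.

    Each one is a remediation item: the service account still permits the
    legacy etype, so its password must be long and random (or the account
    moved to a group managed service account) and AES-only enforced.
    The krbtgt TGT request is excluded; it is not a Kerberoasting target.
    """
    return sorted({e["service"] for e in events
                   if e["enc"] == RC4_HMAC and e["service"].lower() != "krbtgt"})


def mass_spn_requests(events, threshold=4, window_seconds=60):
    """One finding per account that requested tickets for >= threshold
    distinct services inside any window of window_seconds.

    Ordinary users touch a handful of services over a day; requesting many
    SPNs in seconds is the signature of bulk ticket harvesting.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["service"].lower() == "krbtgt":
            continue
        by_account[e["account"]].append((_parse(e["time"]), e["service"], e["src"]))

    window = timedelta(seconds=window_seconds)
    findings = []
    for account, reqs in by_account.items():
        reqs.sort()
        best = 0
        best_end = None
        src = None
        for i, (t_end, _, s) in enumerate(reqs):
            recent = {svc for t, svc, _ in reqs[:i + 1] if t_end - t <= window}
            if len(recent) > best:
                best, best_end, src = len(recent), t_end, s
        if best >= threshold:
            findings.append({"account": account, "src": src,
                             "distinct_services": best,
                             "window_end": best_end.isoformat()})
    return findings


if __name__ == "__main__":
    print("Services still issuing RC4 tickets:", rc4_services(SAMPLE_EVENTS))
    for f in mass_spn_requests(SAMPLE_EVENTS):
        print("Possible Kerberoasting:", f)
```

The RC4 check is an inventory, not an alert: in an estate with legacy systems it will fire constantly, and its value is the list of accounts to migrate to AES and strong or managed passwords. The burst check is the alerting rule, and the threshold and window should be tuned against a baseline of normal ticket traffic before it is wired to an on-call page.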
“When I came up with Kerberoasting in 2014, I never thought it would live for more than a year or two,” said security researcher David Medin in a post published September 26, 2025, the same day as Senator Wyden’s letter. “I (erroneously) thought that people would clean up the poor, dated credentials and move to more secure encryption. Here we are 11 years later, and unfortunately it still works more often than it should.”
Both Ascension and Microsoft bear responsibility for the breach. While network architects are ultimately accountable for implementing secure systems, Senator Wyden’s letter argues that Microsoft has failed to adequately communicate the risks associated with Kerberoasting and the necessary preventative measures. In 2025, experts agree, an organization of Ascension’s size and sensitivity should not be vulnerable to such an attack.