Risky Bulletin: Microsoft Rolls Out Linkable Token Identifiers to Help IR Teams
Hosted by Claire Aird | Released on July 25, 2025
1. Microsoft Enhances Incident Response with Linkable Identifiers
In the latest cybersecurity advancement, Microsoft has introduced a new feature aimed at bolstering incident response capabilities. Claire Aird highlights that Microsoft’s Entra security update now incorporates Linkable Identifiers, which generate multiple unique IDs embedded within users' access tokens.
"The Linkable Identifiers feature allows security teams to better correlate and track activity from hacked accounts to hijack sessions," Aird explains (00:20).
These identifiers are meticulously logged across various Microsoft services as users engage with them, enabling incident responders to trace user activities more effectively. This development is particularly crucial in mitigating the impact of account compromises and ensuring robust security measures are in place.
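An added illustration of the correlation this feature is meant to enable, written for this summary and not Microsoft's own tooling: constructed sign-in and per-service activity records share the identifiers a token carried, so a responder can rebuild one session's timeline across services and spot a token used from somewhere other than the sign-in origin. The field names (`session_id`, `token_id`) and the log records are assumptions, not Microsoft's schema.

```python
"""Correlate activity across services by the identifiers carried in a token.

Constructed example: one sign-in that issued a session, plus activity from
several services that logged the session and per-token identifiers of the
token they were called with. Field names are assumptions for this sketch,
not Microsoft's log schema.
"""
from collections import defaultdict

# Constructed sign-in log: one interactive sign-in that created a session.
SIGN_INS = [
    {"session_id": "sess-A", "user": "alice", "ip": "203.0.113.10", "time": "09:00"},
]

# Constructed per-service activity. Each record carries the session identifier
# and the identifier of the individual token presented to that service.
ACTIVITY = [
    {"service": "mail", "session_id": "sess-A", "token_id": "tok-1",
     "ip": "203.0.113.10", "time": "09:05", "action": "ReadMessage"},
    {"service": "files", "session_id": "sess-A", "token_id": "tok-1",
     "ip": "203.0.113.10", "time": "09:07", "action": "Download"},
    {"service": "mail", "session_id": "sess-A", "token_id": "tok-2",
     "ip": "198.51.100.7", "time": "11:30", "action": "CreateInboxRule"},
    {"service": "files", "session_id": "sess-B", "token_id": "tok-9",
     "ip": "203.0.113.44", "time": "11:40", "action": "Download"},
]


def timeline_for_session(session_id, activity=ACTIVITY):
    """Every event, across all services, that carries this session identifier,
    ordered by time. This is the cross-service trace the identifiers enable."""
    return sorted((e for e in activity if e["session_id"] == session_id),
                  key=lambda e: e["time"])


def flag_session_reuse(sign_ins=SIGN_INS, activity=ACTIVITY):
    """Group, by token identifier, the events whose token was used from an IP
    other than the one the session signed in from. A stolen or replayed
    session token leaves exactly this shape in the logs; sessions with no
    matching sign-in record are skipped rather than guessed at."""
    origin_ip = {s["session_id"]: s["ip"] for s in sign_ins}
    flagged = defaultdict(list)
    for event in activity:
        origin = origin_ip.get(event["session_id"])
        if origin is not None and event["ip"] != origin:
            flagged[event["token_id"]].append(event)
    return dict(flagged)
```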
2. SharePoint Zero-Day Exploit Targets Major U.S. Agencies
A significant cybersecurity incident has unfolded with over 400 organizations compromised through a recent SharePoint Zero-Day vulnerability. Notable victims include high-profile U.S. government bodies such as the Department of Homeland Security, the National Nuclear Security Administration, and the National Institutes of Health.
"The SharePoint attacks are linked to three Chinese Advanced Persistent Threat (APT) groups and some deployments involve ransomware," Aird reports (00:45).
The assaults began a week prior to the podcast's release and have also affected universities and hospital chains, indicating a broad and severe impact across essential services. The involvement of APT groups underscores the sophisticated nature of these attacks and the persistent threats posed by state-sponsored actors.
3. China Launches National Digital ID System
China has initiated the testing phase of its National Digital ID system, a move designed to allow citizens to verify their identities online without disclosing personal information. The system, which began testing in July, replaces traditional identifiers with random letters and numbers in digital ID cards.
"China is attempting to limit its online data broker ecosystem through this new virtual ID card system," Aird notes (01:15).
Managed by the government, this system is a strategic effort to enhance privacy and reduce the reliance on data brokers, aligning with broader initiatives to control and secure personal data within the country.
4. Shutdown of the U.S. Cyber Sentry Program
In a notable development, the U.S. government has terminated the Cyber Sentry program, which was pivotal in monitoring critical infrastructure networks. Established by CISA and operated by the Lawrence Livermore National Laboratory, the program's discontinuation is part of broader cost-cutting measures.
"The shutdown was revealed during the recent congressional review of Stuxnet," Aird explains (01:40).
This move has raised concerns about the potential gaps in monitoring and safeguarding critical infrastructure against sophisticated cyber threats.
5. U.S. Government Establishes AI Information Sharing Group
Responding to the escalating integration of AI in various sectors, the Trump administration has advocated for the formation of an AI Information Sharing and Analysis Center (AI ISAC). This initiative is a component of the broader AI Action Plan released by the White House.
"The executive order directs AI companies to secure their data centers and adopt secure-by-design practices," Aird states (02:05).
Additionally, government agencies are mandated to develop strategies for addressing AI vulnerabilities, emphasizing the critical need for robust cybersecurity frameworks in the age of artificial intelligence.
6. New Cybersecurity Standards for New York Water Utilities
The state of New York has enacted stringent cybersecurity standards targeting water and wastewater utilities. Regulated providers are now required to establish comprehensive cybersecurity programs, formulate incident response plans, and conduct annual vulnerability assessments.
"New York has also allocated a $2.5 million grant to assist providers with the associated costs," Aird mentions (02:30).
These measures aim to fortify the cybersecurity posture of essential utilities, safeguarding them against potential cyber threats that could disrupt critical services.
7. Arrests in Relation to XSS Hacking Forum and ATM Heists
Significant law enforcement actions have taken place in Ukraine and Romania:
- Ukraine: The alleged administrator of the XSS Hacking Forum was arrested at the behest of French authorities. Established in 2013, the forum boasted over 50,000 registered users and served as a pivotal Russian-language marketplace for stolen data, hacking tools, and criminal services.
"The XSS forum was a key platform for cybercriminal activities," Aird notes (02:55).
- Romania: Two members of a criminal group responsible for stealing €580,000 from ATMs across Western Europe have been detained. The group employed a transaction reversal technique, manipulating ATM withdrawals to evade detection.
These arrests signify major strides in combating cybercrime networks and disrupting their operations across international borders.
8. Kremlin-Linked Hacktivist Group Resurges with DDoS Attacks
A pro-Kremlin hacktivist faction, known as NoName057(16), has reemerged shortly after law enforcement successfully seized its servers. The group has launched Distributed Denial-of-Service (DDoS) attacks targeting government sites in Germany and Italy.
"Despite the arrests of two members in France and Spain, many core members remain elusive in Russia," Aird reports (03:20).
The resurgence of NoName057(16) underscores the resilience of state-linked hacker groups and their continued capacity to disrupt governmental operations through cyber means.
9. Malicious Code Introduced in GitHub Repositories via Toptal
A security breach has been identified in GitHub repositories managed by the freelancing platform Toptal. Malicious code was injected to steal GitHub authentication tokens and perform destructive actions like wiping local drives. The malware exists in both Linux and Windows variants, though its origins—whether through hacking or an insider threat—remain undetermined.
"It's unclear if the attack was the result of hacking or an inside job," Aird explains (03:45).
This incident highlights the vulnerabilities within software development platforms and the critical need for stringent security measures to prevent such compromises.
10. Amazon Q AI Coding Assistant Compromised to Wipe Computers
An alarming security breach affected Amazon's Q AI Coding Assistant, whereby malicious actors modified the assistant to include disk-wiping commands within the generated code. The compromised code was introduced via a GitHub pull request, infiltrating the assistant's Visual Studio (VS) Code extension and remaining active for at least six days before removal.
"The malicious extension appended disk wiping commands to any code generated for users," Aird states (04:10).
This attack not only disrupted users' systems but also underscores the potential dangers of integrating AI tools without comprehensive security oversight.
11. Leak Zone Hacking Forum Users' IP Addresses Exposed
Ironically, the Leak Zone hacking forum, established in 2020 and primarily used for leaking or trading hacked databases and credentials, fell victim to a data breach. An Elasticsearch database containing users' IP addresses was left unsecured online without password protection.
"The exposure of IP addresses compromises the anonymity of forum users," Aird comments (04:35).
This breach serves as a cautionary tale about the importance of securing databases, especially those housing sensitive information related to cybersecurity operations.
12. DDoS Attack on Russian Restaurants via ESTT Hosting Provider
A Distributed Denial-of-Service (DDoS) attack targeted the Russian web hosting provider ESTT, inadvertently affecting multiple restaurant chains including McDonald's successor Kus, Itokka Coffee, Coffix, and Sushi Master. Customers were unable to place orders or view menus as the attack persisted for a week.
"The prolonged DDoS attack disrupted the online operations of several major food service providers in Russia," Aird reports (04:55).
This incident highlights the collateral damage that can occur when hosting service providers become targets of cyberattacks, impacting businesses and consumers alike.
13. Clorox Sues Cognizant Over 2023 Ransomware Attack
In a significant legal development, Clorox has filed a lawsuit against IT provider Cognizant following a 2023 ransomware attack. Clorox alleges that Cognizant support agents compromised security by resetting multi-factor authentication (MFA) and providing employee passwords to attackers, facilitating unauthorized access and subsequent ransomware deployment.
"Clorox is seeking $380 million in damages for the ransomware attack and its repercussions," Aird outlines (05:15).
This lawsuit underscores the critical responsibility of IT service providers in safeguarding client security and the severe consequences of negligence or complicity in cybersecurity breaches.
14. Vulnerabilities in Airporter Luggage Check Service Expose Sensitive Travel Details
Airporter, a luggage check partner for several major airlines, faced vulnerabilities that could have exposed the travel details of executives and government officials. The flaws allowed potential attackers to reset user passwords and reroute baggage, posing significant security risks.
"Attacks on Airporter's system could have allowed unauthorized access to sensitive travel itineraries," Aird explains (05:35).
Airporter addressed the issues promptly after being notified in April, implementing fixes to mitigate the vulnerabilities and protect user data.
15. Postgres Database Exploitation for Crypto Mining
Hackers are exploiting Postgres databases to deploy cryptocurrency miners on both Windows and Linux systems. According to security firm Wiz, attackers are leveraging fake 404 error pages hosted on Google Sites to store and retrieve their malicious payloads. Additionally, the campaign has targeted Tomcat Struts and Confluence servers in recent months, indicating a focused effort to exploit widely used platforms for illicit gains.
"The use of fake 404 pages as a delivery mechanism is a novel tactic in deploying crypto miners," Aird notes (05:55).
This method highlights the evolving strategies of cybercriminals in leveraging legitimate platforms to facilitate unauthorized cryptocurrency mining operations.
Conclusion
This episode of Risky Bulletin, hosted by Claire Aird, delves into a myriad of cybersecurity developments ranging from Microsoft's new incident response tools to significant breaches and legal actions within the cyber realm. The discussions underscore the dynamic and complex nature of cybersecurity threats and the ongoing efforts by organizations and governments to enhance their defenses and response strategies.
Note: Timestamps in the quotes reference the approximate moments in the podcast where the statements were made.
