
Claire Aird
Microsoft rolls out better logging for incident responders, the SharePoint hacking spree hits major US agencies, Ukraine arrests the admin of a well-known hacking forum, and China launches a national digital ID system. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 25th of July, and this podcast episode is brought to you by Thinkst, the makers of the much loved Thinkst Canary.

Microsoft has released an Entra security feature to help incident responders trace user activities. The Linkable Identifiers feature generates multiple unique IDs that are embedded inside users' access tokens. The identifiers are logged across other Microsoft services as users interact with them. They allow security teams to better correlate and track activity from hacked accounts to hijacked sessions.

In other news, more than 400 organisations have been hacked with the recent SharePoint zero-day. Government victims include America's Department of Homeland Security, the National Nuclear Security Administration and the National Institutes of Health. Universities and hospital chains have also been affected. The attacks began a week ago and have been linked to three Chinese APT groups. Some of the attacks are also deploying ransomware.

China is allowing citizens to prove their identities online without sharing personal information. The new virtual ID card system launched for testing in July. The system is managed by the government and produces digital ID cards with random letters and numbers in place of names and other identifiers. The new system is part of China's attempt at limiting its online data broker ecosystem.

A U.S. government cybersecurity program that monitored critical infrastructure networks has shut down. The CyberSentry program was established by CISA and run by the Lawrence Livermore National Laboratory. The DHS allowed the service's contract to expire as part of broader cost-cutting measures. The program's shutdown came to light during the recent congressional review of Stuxnet.

The Trump administration has called for the creation of an AI information sharing group. The new AI ISAC is one of several cyber-related aspects of the AI Action Plan released by the White House this week. The executive order also directs AI companies to secure their data centres and adopt secure-by-design practices. Government agencies will also have to create plans for dealing with AI vulnerabilities.

New cybersecurity standards for water and wastewater utilities have been passed in the state of New York. Regulated providers will have to establish cybersecurity programs, create incident response plans and run annual vulnerability assessments. The state also announced a $2.5 million grant to help providers with the costs.

The alleged administrator of the XSS hacking forum has been arrested in Ukraine. The suspect was detained on Tuesday at the request of French authorities. The XSS forum launched in 2013 and had more than 50,000 registered users. The forum was a key Russian-language marketplace for stolen data, hacking tools and criminal services.

Romanian authorities have detained two members of a criminal group that stole from ATMs. The group allegedly used a transaction reversal technique to steal €580,000 from ATMs across Western Europe. The attackers initiated legitimate withdrawals while ATMs were preparing to dispense. They grabbed the cash and simultaneously removed their cards. This caused the ATMs to abort the transactions without logging that money had been dispensed. The gang was also involved in counterfeiting UK public transport cards.

A pro-Kremlin hacktivist group has returned with new attacks less than a week after law enforcement seized its servers. The NoName057(16) group has launched DDoS attacks against German and Italian government sites this week. Two group members were arrested in France and Spain earlier this month, but many of its core members are still at large in Russia.

Malicious code has been added to 10 GitHub repositories run by freelancing platform Toptal. The malicious code steals GitHub authentication tokens and wipes local drives. The code has both Linux and Windows variants. It's unclear if the attack was the result of hacking or an inside job.

A hacker has modified the Amazon Q AI coding assistant to wipe users' computers. The attacker submitted the malicious code via a GitHub pull request. It was then included in the assistant's VS Code extension. The modified extension appended disk-wiping commands to any code generated for users. It was live for at least six days before it was removed.

A hacking forum ironically named Leak Zone has leaked the IP addresses of its users. The users' IPs were exposed in an Elasticsearch database left online without a password. The forum was established in 2020 and is primarily used to leak or trade hacked databases and credentials.

A DDoS attack on Russian web hosting provider ESTT has indirectly taken out multiple restaurants in the country. Websites and apps for McDonald's successor Vkusno i Tochka, coffee chain Coffix and Sushi Master were impacted. Customers have been unable to place orders or view menus. The attack has been underway for a week.

Bleach company Clorox is suing IT provider Cognizant over a 2023 ransomware attack. Clorox has said Cognizant support agents reset MFA and handed employee passwords to attackers. The hackers then accessed Clorox systems and deployed ransomware. The company is seeking $380 million in damages.

Vulnerabilities in a luggage check service could have exposed travel details of executives and government officials. Airportr is a bag check partner for several major airlines. It collects, checks in and delivers luggage for premium customers. The vulnerabilities could have allowed attackers to reset any user's password and then reroute their baggage. Airportr was notified in April and fixed the bugs shortly after.

And finally, hackers are exploiting Postgres databases to deploy crypto miners on Windows and Linux. According to Wiz, the attackers are storing and retrieving their payloads from fake 404 error pages hosted on Google Sites. The campaign has also targeted Tomcat, Struts and Confluence servers in recent months.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Thinkst, the makers of the much loved Thinkst Canary. Find them at canary.tools. Thanks for your company.
Risky Bulletin: Microsoft Rolls Out Linkable Token Identifiers to Help IR Teams
Hosted by Claire Aird | Released on July 25, 2025
In the latest cybersecurity advancement, Microsoft has introduced a new feature aimed at bolstering incident response capabilities. Claire Aird highlights that Microsoft’s Entra security update now incorporates Linkable Identifiers, which generate multiple unique IDs embedded within users' access tokens.
"The Linkable Identifiers feature allows security teams to better correlate and track activity from hacked accounts to hijack sessions," Aird explains (00:20).
These identifiers are meticulously logged across various Microsoft services as users engage with them, enabling incident responders to trace user activities more effectively. This development is particularly crucial in mitigating the impact of account compromises and ensuring robust security measures are in place.
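The correlation workflow the feature enables, as an added illustration that is not code from the podcast or from Microsoft: constructed sign-in and service audit records share a session identifier, so an analyst can join them and scope what a flagged session touched. The field names `sid` and `uti` are assumptions standing in for the linkable identifiers; all records are constructed.

```python
# Constructed sample records, not real Entra or Microsoft 365 logs.
# "sid" (session id) and "uti" (unique token id) are assumed field names
# standing in for the linkable identifiers the feature embeds in tokens.
SIGNIN_LOGS = [
    {"source": "entra_signin", "ts": "2025-07-24T08:01:02Z", "user": "alice@example.test",
     "sid": "sess-A1", "uti": "tok-001", "ip": "203.0.113.10"},
    {"source": "entra_signin", "ts": "2025-07-24T09:15:44Z", "user": "alice@example.test",
     "sid": "sess-B2", "uti": "tok-002", "ip": "198.51.100.7"},
]
SERVICE_LOGS = [
    {"source": "exchange_audit", "ts": "2025-07-24T08:05:10Z", "sid": "sess-A1",
     "uti": "tok-001", "operation": "MailItemsAccessed"},
    {"source": "sharepoint_audit", "ts": "2025-07-24T09:22:03Z", "sid": "sess-B2",
     "uti": "tok-003", "operation": "FileDownloaded"},
    {"source": "exchange_audit", "ts": "2025-07-24T09:20:31Z", "sid": "sess-B2",
     "uti": "tok-002", "operation": "New-InboxRule"},
    # Event whose session never appears in the sign-in logs: a gap worth a look.
    {"source": "exchange_audit", "ts": "2025-07-24T09:30:00Z", "sid": "sess-Z9",
     "uti": "tok-099", "operation": "Set-Mailbox"},
]

def correlate_by_session(signins, service_events):
    """Attach each service event to the sign-in that created its session.

    Returns (sessions, orphans): sessions maps sid -> {"signin", "events"},
    orphans holds events whose sid matched no observed sign-in.
    """
    sessions = {s["sid"]: {"signin": s, "events": []} for s in signins}
    orphans = []
    for event in service_events:
        bucket = sessions.get(event["sid"])
        if bucket is None:
            orphans.append(event)
        else:
            bucket["events"].append(event)
    for bucket in sessions.values():
        bucket["events"].sort(key=lambda e: e["ts"])  # chronological timeline
    return sessions, orphans

def scope_by_ip(signins, service_events, flagged_ip):
    """Everything touched by sessions whose sign-in came from a flagged IP."""
    sessions, _ = correlate_by_session(signins, service_events)
    timeline = []
    for bucket in sessions.values():
        if bucket["signin"]["ip"] == flagged_ip:
            timeline.extend((e["source"], e["operation"]) for e in bucket["events"])
    return timeline
```

Orphan events are the interesting failure mode: a session identifier seen in a service log but in no sign-in log means the token was minted outside the sign-ins you collected, which is exactly where a hijacked session would hide.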
A significant cybersecurity incident has unfolded with over 400 organizations compromised through a recent SharePoint Zero-Day vulnerability. Notable victims include high-profile U.S. government bodies such as the Department of Homeland Security, the National Nuclear Security Administration, and the National Institutes of Health.
"The SharePoint attacks are linked to three Chinese Advanced Persistent Threat (APT) groups and some deployments involve ransomware," Aird reports (00:45).
The assaults began a week prior to the podcast's release and have also affected universities and hospital chains, indicating a broad and severe impact across essential services. The involvement of APT groups underscores the sophisticated nature of these attacks and the persistent threats posed by state-sponsored actors.
China has initiated the testing phase of its National Digital ID system, a move designed to allow citizens to verify their identities online without disclosing personal information. The system, which began testing in July, replaces traditional identifiers with random letters and numbers in digital ID cards.
"China is attempting to limit its online data broker ecosystem through this new virtual ID card system," Aird notes (01:15).
Managed by the government, this system is a strategic effort to enhance privacy and reduce the reliance on data brokers, aligning with broader initiatives to control and secure personal data within the country.
In a notable development, the U.S. government has terminated the Cyber Sentry program, which was pivotal in monitoring critical infrastructure networks. Established by CISA and operated by the Lawrence Livermore National Laboratory, the program's discontinuation is part of broader cost-cutting measures.
"The shutdown was revealed during the recent congressional review of Stuxnet," Aird explains (01:40).
This move has raised concerns about the potential gaps in monitoring and safeguarding critical infrastructure against sophisticated cyber threats.
Responding to the escalating integration of AI in various sectors, the Trump administration has advocated for the formation of an AI Information Sharing and Analysis Center (AI ISAC). This initiative is a component of the broader AI Action Plan released by the White House.
"The executive order directs AI companies to secure their data centers and adopt secure-by-design practices," Aird states (02:05).
Additionally, government agencies are mandated to develop strategies for addressing AI vulnerabilities, emphasizing the critical need for robust cybersecurity frameworks in the age of artificial intelligence.
The state of New York has enacted stringent cybersecurity standards targeting water and wastewater utilities. Regulated providers are now required to establish comprehensive cybersecurity programs, formulate incident response plans, and conduct annual vulnerability assessments.
"New York has also allocated a $2.5 million grant to assist providers with the associated costs," Aird mentions (02:30).
These measures aim to fortify the cybersecurity posture of essential utilities, safeguarding them against potential cyber threats that could disrupt critical services.
Significant law enforcement actions have taken place in Ukraine and Romania: the alleged administrator of the XSS hacking forum, a Russian-language marketplace launched in 2013 with more than 50,000 registered users, was detained in Ukraine at the request of French authorities, and Romanian police arrested two members of a group that used a transaction reversal technique to steal €580,000 from ATMs across Western Europe.
"The XSS forum was a key platform for cybercriminal activities," Aird notes (02:55).
These arrests signify major strides in combating cybercrime networks and disrupting their operations across international borders.
A pro-Kremlin hacktivist faction, known as NoName057(16), has reemerged shortly after law enforcement successfully seized its servers. The group has launched Distributed Denial-of-Service (DDoS) attacks targeting government sites in Germany and Italy.
"Despite the arrests of two members in France and Spain, many core members remain elusive in Russia," Aird reports (03:20).
The resurgence of NoName057(16) underscores the resilience of state-linked hacker groups and their continued capacity to disrupt governmental operations through cyber means.
A security breach has been identified in GitHub repositories managed by the freelancing platform Toptal. Malicious code was injected to steal GitHub authentication tokens and perform destructive actions like wiping local drives. The malware exists in both Linux and Windows variants, though its origins—whether through hacking or an insider threat—remain undetermined.
"It's unclear if the attack was the result of hacking or an inside job," Aird explains (03:45).
This incident highlights the vulnerabilities within software development platforms and the critical need for stringent security measures to prevent such compromises.
An alarming security breach affected Amazon's Q AI Coding Assistant, whereby malicious actors modified the assistant to include disk-wiping commands within the generated code. The compromised code was introduced via a GitHub pull request, infiltrating the assistant's Visual Studio (VS) Code extension and remaining active for at least six days before removal.
"The malicious extension appended disk-wiping commands to any code generated for users," Aird states (04:10).
This attack not only disrupted users' systems but also underscores the potential dangers of integrating AI tools without comprehensive security oversight.
Ironically, the Leak Zone hacking forum, established in 2020 and primarily used for leaking or trading hacked databases and credentials, fell victim to a data breach. An Elasticsearch database containing users' IP addresses was left unsecured online without password protection.
"The exposure of IP addresses compromises the anonymity of forum users," Aird comments (04:35).
This breach serves as a cautionary tale about the importance of securing databases, especially those housing sensitive information related to cybersecurity operations.
A Distributed Denial-of-Service (DDoS) attack targeted the Russian web hosting provider ESTT, inadvertently affecting multiple restaurant chains including McDonald's successor Vkusno i Tochka, coffee chain Coffix, and Sushi Master. Customers were unable to place orders or view menus as the attack persisted for a week.
"The prolonged DDoS attack disrupted the online operations of several major food service providers in Russia," Aird reports (04:55).
This incident highlights the collateral damage that can occur when hosting service providers become targets of cyberattacks, impacting businesses and consumers alike.
In a significant legal development, Clorox has filed a lawsuit against IT provider Cognizant following a 2023 ransomware attack. Clorox alleges that Cognizant support agents compromised security by resetting multi-factor authentication (MFA) and providing employee passwords to attackers, facilitating unauthorized access and subsequent ransomware deployment.
"Clorox is seeking $380 million in damages for the ransomware attack and its repercussions," Aird outlines (05:15).
This lawsuit underscores the critical responsibility of IT service providers in safeguarding client security and the severe consequences of negligence or complicity in cybersecurity breaches.
Airportr, a luggage check partner for several major airlines, faced vulnerabilities that could have exposed the travel details of executives and government officials. The flaws allowed potential attackers to reset any user's password and reroute their baggage, posing significant security risks.
"Attacks on Airportr's system could have allowed unauthorized access to sensitive travel itineraries," Aird explains (05:35).
Airportr addressed the issues promptly after being notified in April, implementing fixes to mitigate the vulnerabilities and protect user data.
Hackers are exploiting Postgres databases to deploy cryptocurrency miners on both Windows and Linux systems. According to security firm Wiz, attackers are leveraging fake 404 error pages hosted on Google Sites to store and retrieve their malicious payloads. Additionally, the campaign has targeted Tomcat, Struts, and Confluence servers in recent months, indicating a focused effort to exploit widely used platforms for illicit gains.
"The use of fake 404 pages as a delivery mechanism is a novel tactic in deploying crypto miners," Aird notes (05:55).
This method highlights the evolving strategies of cybercriminals in leveraging legitimate platforms to facilitate unauthorized cryptocurrency mining operations.
This episode of Risky Bulletin, hosted by Claire Aird, delves into a myriad of cybersecurity developments ranging from Microsoft's new incident response tools to significant breaches and legal actions within the cyber realm. The discussions underscore the dynamic and complex nature of cybersecurity threats and the ongoing efforts by organizations and governments to enhance their defenses and response strategies.
Note: Timestamps in the quotes reference the approximate moments in the podcast where the statements were made.