

SANS Stormcast Tuesday, September 2nd, 2025: pdf-parser Patch; Salesloft Compromise; Velociraptor Abuse; NeuVector Default Password
Sep 2, 2025
A new update for pdf-parser fixes the extraction of filtered streams. In a troubling development, compromised OAuth tokens from Salesloft Drift have led to significant data breaches. The podcast also reveals how attackers are misusing Velociraptor, a tool normally used for incident response, to gain remote access within breached networks. Finally, a default password vulnerability in NeuVector has been patched, emphasizing the need for security in software installations. Stay alert and informed!
AI Snips
Update Pdf-Parser To Dump Filtered Streams
- Update to the latest pdf-parser.py to fix extraction of all filtered streams.
- Consider outputting sensitive streams to JSON as Didier suggests instead of raw dumps.
OAuth Tokens Were The Attack Vector
- OAuth tokens granted to Salesloft Drift integrations leaked and were abused for data theft from connected services.
- This breach targeted Salesforce and Google Workspace via compromised Drift tokens, not via Salesforce or Google vulnerabilities.
Investigate And Revoke Compromised Tokens
- Check logs and Google Threat Intelligence indicators to determine if your instance was compromised.
- Remove the Salesloft Drift app and rotate any affected OAuth tokens immediately if you had integrations enabled.