
September 2, 2025 Podcast Highlights Cybersecurity Issues
In the September 2, 2025 edition of the Internet Storm Center's Stormcast podcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several critical cybersecurity topics.
First, Johannes mentions that Didier Stevens in Belgium has fixed bugs in pdf-parser, which can now extract all filtered streams without any issues. Didier also explains why it might be preferable to write these extracts as JSON output, but the bug fix on its own is a notable improvement.
Next, Johannes discusses a warning issued by Google's Threat Intelligence Group regarding a potential compromise of OAuth tokens used by Salesloft Drift, an AI chatbot that connects to various backends such as Salesforce and Google Workspace. A vulnerability in Salesloft Drift led to the leakage of these tokens, resulting in targeted attacks on Salesforce and Google Workspace instances. Although Salesforce has disconnected Salesloft Drift from its app store, it is possible that these tokens were used to steal data over the past month. Google and Salesforce have notified affected customers, but it is crucial to check logs for indicators of compromise.
Johannes also covers a report from Sophos indicating that malicious actors are exploiting Velociraptor, a popular open-source digital forensics tool used to access remote systems. Attackers use the tool's legitimate file-collection functionality to download specific files without having to perform full disk dumps. This is not the first time security tools have been misused in this way; tools like Wazuh, an open-source EDR, and even commercial tools have been abused similarly. It is therefore crucial to secure access to these infrastructures to prevent them from being used against you.
Finally, Johannes talks about an advisory from SUSE regarding the NeuVector tool, part of the Docker management tool Rancher. This tool was deployed with a default password, posing a security risk. The updated version now generates a random password, but it is essential to verify that existing installations are no longer using the default password, since an update alone does not change it.
In conclusion, this edition of the podcast highlights the importance of vigilance and securing the tools and infrastructures used in cybersecurity. Bug fixes, compromise warnings, and the exploitation of legitimate tools by malicious actors are all reminders of the need to stay informed and proactive in protecting systems.