The attackers executed SOQL queries to retrieve information about Salesforce objects such as Cases, Accounts, Users, and Opportunities and to extract data from them, after which they deleted the query jobs. However, the logs were not affected, so organizations can review their logs to determine which queries were executed and what data the attackers stole.
What Salesloft Drift customers should do next
The GTIG report and the Salesloft advisories include indicators of compromise such as IP addresses used by the attackers and User-Agent strings for the tools they used to access the data. Mandiant advises companies to also search logs for any activity from known Tor exit nodes in addition to the IP addresses listed in the IOCs, and to open a Salesforce support ticket to obtain a full list of the queries executed by the attackers.
Organizations should search their own Salesforce objects for any stored credentials and should rotate them, especially those containing the strings AKIA (AWS), Snowflake, password, secret and key. Strings related to organizational login URLs, including VPN and SSO pages, should also be searched for. An open-source tool called TruffleHog can be used to search data for hardcoded secrets and credentials.
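The credential sweep described above, as an added example that is not part of the GTIG report, the Salesloft advisories or TruffleHog: it scans exported Salesforce records for the advisory's keyword list and login URLs, masks what it finds, and lists which records should be treated as exposed. The field names, regexes and sample records are this example's own assumptions, built in the shape of a Salesforce REST query result.

```python
import re

# Keyword list from the advisory (AKIA, Snowflake, password, secret, key) plus
# organizational login URLs (VPN/SSO pages). The regexes are this example's own.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"snowflake", re.IGNORECASE),
    "password": re.compile(r"\bpassword\b", re.IGNORECASE),
    "secret": re.compile(r"\bsecret\b", re.IGNORECASE),
    "key": re.compile(r"\bkey\b", re.IGNORECASE),
    "login_url": re.compile(r"https?://[^\s\"',]*(?:vpn|sso|login)[^\s\"',]*", re.IGNORECASE),
}
# Free-text fields worth scanning on Case/Account/Opportunity exports (assumed field names).
TEXT_FIELDS = ("Subject", "Description", "Comments")

def mask(value):
    """Never copy the full secret into the finding; keep a short prefix for triage."""
    return value if len(value) <= 8 else value[:4] + "..." + f"({len(value)} chars)"

def scan_record(record):
    """Return one finding per pattern match in the record's text fields."""
    obj = record.get("attributes", {}).get("type", "Unknown")
    findings = []
    for field in TEXT_FIELDS:
        text = record.get(field)
        if not isinstance(text, str):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append({"object": obj, "id": record.get("Id"), "field": field,
                                 "pattern": name, "preview": mask(m.group(0))})
    return findings

def scan_records(records):
    return [f for r in records for f in scan_record(r)]

def records_to_rotate(findings):
    """(object, Id) pairs whose contents should be treated as exposed and rotated."""
    return sorted({(f["object"], f["id"]) for f in findings})

# Constructed sample records; the AKIA value is the documented AWS example key.
SAMPLE_RECORDS = [
    {"attributes": {"type": "Case"}, "Id": "500A1", "Subject": "Login help",
     "Description": "User cannot reach https://vpn.example.com/sso, reset their password."},
    {"attributes": {"type": "Case"}, "Id": "500A2", "Subject": "AWS",
     "Description": "AWS access key AKIAIOSFODNN7EXAMPLE and secret key shared in chat"},
    {"attributes": {"type": "Case"}, "Id": "500A3", "Subject": "Printer",
     "Description": "Printer jams on the third floor"},
    {"attributes": {"type": "Account"}, "Id": "001B1",
     "Description": "Data lives in Snowflake; admin password is in the shared doc"},
]

if __name__ == "__main__":
    findings = scan_records(SAMPLE_RECORDS)
    for f in findings:
        print(f)
    print("rotate:", records_to_rotate(findings))
```

Keyword hits such as "password" or "key" are triage leads rather than confirmed secrets, so review each flagged field before deciding what to rotate.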