Wednesday, August 27, 2025

Cybercriminals Compromise AI Chat Tool to Steal Data from Salesforce Accounts

Attackers used SOQL queries to access sensitive Salesforce data, including Cases, Accounts, and Opportunities, and deleted logs after the attack. Fortunately, organizations can still review their own logs to identify which queries were executed and which data was compromised.

For Salesloft Drift users, it’s crucial to follow the GTIG report and advisories, which provide indicators of compromise including specific IP addresses and User-Agent strings. Mandiant recommends scanning logs for activity linked to known Tor exit nodes alongside the reported IOCs. Companies should also submit a support ticket to Salesforce for a comprehensive list of the attacker’s queries.

Additionally, organizations must search Salesforce objects for stored credentials and rotate any found by searching for key terms like AKIA (AWS), Snowflake, and “password.” It’s also essential to inspect URLs related to organizational logins, including VPN and SSO pages. Consider using TruffleHog, an open-source tool, to detect hardcoded secrets and credentials.
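As an added illustration of the credential sweep described above (this is example code, not from the article, Salesforce or TruffleHog), the script below scans a constructed export of Case, Account and Opportunity records for AWS access key IDs (the AKIA prefix), Snowflake account hostnames, password phrases and VPN/SSO login URLs, and returns one finding per hit so each can be triaged and rotated. The record IDs, field names and contents are hypothetical sample data.

```python
import re
from typing import Dict, List

# Constructed sample of exported Salesforce records (hypothetical, not from the article).
# In practice this would be a CSV or Bulk API export of the fields you want to sweep.
SAMPLE_RECORDS = [
    {"Id": "500000000000001", "Object": "Case",
     "Description": "Customer sent AWS key AKIAIOSFODNN7EXAMPLE for the S3 bucket"},
    {"Id": "006000000000002", "Object": "Opportunity",
     "Description": "Warehouse at acme-xy12345.snowflakecomputing.com, password: Winter2024!"},
    {"Id": "001000000000003", "Object": "Account",
     "Description": "Staff VPN at https://vpn.example.com/remote/login and SSO at https://sso.example.com/adfs"},
    {"Id": "500000000000004", "Object": "Case",
     "Description": "Printer jammed again, no credentials here"},
]

# Each pattern names a category of secret or sensitive URL worth rotating or inspecting.
# AKIA + 16 uppercase alphanumerics is the AWS access key ID format; the sample key is
# the placeholder used in AWS documentation.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account": re.compile(r"\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b", re.I),
    "password_phrase": re.compile(r"\bpassword\s*[:=]\s*\S+", re.I),
    "login_url": re.compile(r"https?://[^\s]*(?:vpn|sso|adfs|login)[^\s]*", re.I),
}


def scan_records(records, fields=("Description",)) -> List[Dict[str, str]]:
    """Return one finding per (record, field, category, match) so each hit can be triaged."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for category, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({"Id": rec["Id"], "Object": rec["Object"], "Field": field,
                                     "Category": category, "Match": match.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['Object']} {f['Id']} [{f['Category']}] {f['Match']}")
```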
