The attackers ran SOQL queries against Salesforce objects such as Cases, Accounts, Users and Opportunities to extract their contents, then deleted the query jobs. Deleting the jobs did not affect the logs, however, so organizations can review their logs to determine which queries were executed and what data was stolen.
What Salesloft Drift users should do next
The GTIG report and the Salesloft advisories include indicators of compromise such as the IP addresses the attackers used and the User-Agent strings of the tools they used to access the data. Mandiant advises companies to search their logs not only for the IP addresses listed in the IoCs but also for any activity from known Tor exit nodes, and to open a Salesforce support ticket to obtain the full list of queries the attackers executed.
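The log review described above, as an added example that is not part of the original article or of any vendor tooling: a small Python triage script that reads Salesforce EventLogFile-style API request rows and flags any whose client IP is a published indicator or a Tor exit node, or whose User-Agent contains a published tool string. The indicator values, the Tor exit list and the CSV column layout are constructed placeholders for this example; substitute the IoCs from the GTIG report and advisories and a current Tor exit-node list.

```python
import csv
import io

# Placeholder indicators standing in for the IP addresses and User-Agent
# strings published in the GTIG report and Salesloft advisories. These are
# NOT the real indicators (RFC 5737 test addresses and made-up tool names).
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_USER_AGENTS = ["example-multi-org-fetcher/1.0", "example-fetcher/2.0"]
# Placeholder Tor exit nodes; load the current exit-node list in practice.
TOR_EXIT_NODES = {"192.0.2.200"}
# Objects the article reports the attackers queried.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}

# Constructed sample log in an assumed EventLogFile-style CSV layout (not an
# exact Salesforce schema): one row per API request with the client IP, the
# user agent and the object the request targeted.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,USER_AGENT,ENTITY_NAME
API,2025-08-10T02:14:03Z,005xx000001,203.0.113.10,example-multi-org-fetcher/1.0,Case
API,2025-08-10T02:14:09Z,005xx000001,203.0.113.10,example-multi-org-fetcher/1.0,Account
API,2025-08-10T02:20:44Z,005xx000001,192.0.2.200,Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0,User
BulkApi,2025-08-10T02:31:00Z,005xx000001,203.0.113.10,example-fetcher/2.0,Opportunity
API,2025-08-10T09:00:00Z,005xx000002,10.20.30.40,Mozilla/5.0 (Windows NT 10.0) Firefox/128.0,Contact
API,2025-08-10T09:05:00Z,005xx000003,10.20.30.41,SalesforceMobileSDK/1.0,Case
"""


def triage_events(csv_text, ioc_ips=IOC_IPS, ioc_user_agents=IOC_USER_AGENTS,
                  tor_exits=TOR_EXIT_NODES):
    """Return one finding per log row that matches an indicator.

    A row is flagged when its CLIENT_IP is a published IoC or a Tor exit,
    or when its USER_AGENT contains a published tool string. Each finding
    also notes whether the request hit one of the objects the attackers
    are known to have queried, which helps scope what may have been taken.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["CLIENT_IP"].strip()
        ua = row["USER_AGENT"]
        reasons = []
        if ip in ioc_ips:
            reasons.append("ioc_ip")
        if ip in tor_exits:
            reasons.append("tor_exit")
        if any(sig.lower() in ua.lower() for sig in ioc_user_agents):
            reasons.append("ioc_user_agent")
        if reasons:
            findings.append({
                "timestamp": row["TIMESTAMP_DERIVED"],
                "user_id": row["USER_ID"],
                "client_ip": ip,
                "user_agent": ua,
                "object": row["ENTITY_NAME"],
                "sensitive_object": row["ENTITY_NAME"] in SENSITIVE_OBJECTS,
                "reasons": reasons,
            })
    return findings


def summarize(findings):
    """Group flagged rows by user: the objects touched and the source IPs.

    This is the scope you would attach to a Salesforce support ticket when
    asking for the full list of queries executed from those sessions.
    """
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["user_id"], {"objects": set(), "ips": set()})
        entry["objects"].add(f["object"])
        entry["ips"].add(f["client_ip"])
    return summary


if __name__ == "__main__":
    hits = triage_events(SAMPLE_LOG)
    for h in hits:
        print(h["timestamp"], h["user_id"], h["client_ip"], h["object"],
              ",".join(h["reasons"]))
    for user, info in summarize(hits).items():
        print(user, sorted(info["objects"]), sorted(info["ips"]))
```

The User-Agent match is a case-insensitive substring check rather than an exact comparison, because tool version suffixes vary between runs; the IP checks are exact set lookups. Rows that hit only a Tor exit (the third sample row) are still surfaced, which is the point of Mandiant's advice to hunt beyond the listed addresses.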
Organizations should search their own Salesforce objects for stored credentials, in particular records containing the terms AKIA (the prefix of AWS access key IDs), Snowflake, password, secret and key, and rotate any credentials they find. They should also search for strings related to organizational login URLs, including VPN and SSO pages. The open-source tool TruffleHog can also be used to scan exported data for hardcoded secrets and credentials.
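The credential sweep described above, as an added example that is not part of the original article and is unrelated to TruffleHog's own detectors: a Python scanner that walks exported Salesforce records, matches AWS access key IDs by their AKIA prefix, matches the advisory's keyword terms, and matches login-style URLs. The sample records are constructed for this example (the AKIA value is the documented AWS example key, not a live credential), and the hostname words used to recognise "organizational login URLs" (vpn, sso, login, adfs, okta) are an assumption to be replaced with your own domains.

```python
import re

# Constructed sample export of Salesforce records (not real data): long-text
# fields of the kinds the attackers are reported to have read.
SAMPLE_RECORDS = [
    {"object": "Case", "Id": "500xx000000001", "Subject": "Cannot reach S3 bucket",
     "Description": "Temp creds sent to customer: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG"},
    {"object": "Case", "Id": "500xx000000002", "Subject": "Data warehouse access",
     "Description": "Snowflake account xy12345, password reset requested by analyst"},
    {"object": "Case", "Id": "500xx000000003", "Subject": "VPN onboarding",
     "Description": "Please sign in at https://vpn.example.com/login to verify"},
    {"object": "Account", "Id": "001xx000000001", "Name": "Example GmbH",
     "Description": "Key account for the EMEA region"},
    {"object": "Opportunity", "Id": "006xx000000001", "Name": "Renewal",
     "Description": "Renewal discussion scheduled for Q3"},
]

# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# The advisory's terms, plus a couple of common spellings. "key" on its own
# is noisy (see the Account record) but is kept because the guidance names it.
KEYWORDS = re.compile(r"\b(snowflake|password|passwd|secret|api[_ -]?key|key)\b", re.I)
# Assumed shape of organizational login URLs: a URL whose host or path
# contains one of these words. Extend with your own SSO/VPN hostnames.
LOGIN_URL = re.compile(r"https?://[^\s\"'<>]*\b(?:vpn|sso|login|adfs|okta)\b[^\s\"'<>]*", re.I)

PRIORITY = {"aws_access_key_id": "high", "keyword": "medium", "login_url": "info"}


def redact(value, keep=4):
    """Keep only the ends of a matched secret so reports can be shared."""
    if len(value) <= 2 * keep:
        return "..."
    return value[:keep] + "..." + value[-keep:]


def _finding(rec, field, kind, match):
    return {"object": rec["object"], "id": rec["Id"], "field": field,
            "kind": kind, "priority": PRIORITY[kind], "match": match}


def scan_records(records, text_fields=("Subject", "Name", "Description")):
    """Scan the given text fields of each record and return all matches.

    AWS key IDs are reported redacted; keyword hits report the term only;
    login URLs are reported in full because the URL itself is the finding.
    """
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field)
            if not text:
                continue
            for m in AWS_KEY_ID.finditer(text):
                findings.append(_finding(rec, field, "aws_access_key_id", redact(m.group(1))))
            for m in KEYWORDS.finditer(text):
                findings.append(_finding(rec, field, "keyword", m.group(1).lower()))
            for m in LOGIN_URL.finditer(text):
                findings.append(_finding(rec, field, "login_url", m.group(0)))
    return findings


def group_by_priority(findings):
    """Bucket findings so the rotation work can start with the certain hits."""
    groups = {"high": [], "medium": [], "info": []}
    for f in findings:
        groups[f["priority"]].append((f["object"], f["id"], f["field"]))
    return groups


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for prio, items in group_by_priority(results).items():
        print(prio, items)
    for f in results:
        print(f["object"], f["id"], f["field"], f["kind"], f["match"])
```

A high-priority hit (an AKIA key ID) should be rotated without further review; keyword hits need a human look, as the "Key account" record shows, since the term list is deliberately broad. Login URL hits are not credentials but tell you which of your own login pages the attackers could now target with the stolen data.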