The attackers executed SOQL queries to retrieve information related to Cases, Accounts, Users and Opportunities and to extract data from them, after which they deleted the query jobs. However, the logs were not affected, so organizations can review them to determine which queries were executed and what data the attackers stole.
What Salesloft Drift users should do next
The GTIG report and the Salesloft advisory include indicators of compromise such as IP addresses and User-Agent strings for the tools the attackers used to access the data. Mandiant recommends that companies also search their logs for any activity from known Tor exit nodes, in addition to the IP addresses listed in the IOCs, and open a Salesforce support ticket to get a complete list of the queries executed by the attackers.
Organizations should search their own Salesforce objects for any stored credentials and rotate them, especially those containing terms such as AKIA (AWS), Snowflake, password and secret. Strings related to organizational login URLs, including VPN and SSO pages, should also be searched for. An open-source tool called TruffleHog can also be used to search the data for hardcoded secrets and credentials.
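The keyword search described above can be run over an exported copy of the records. The following is an added example, not code from the article, GTIG or Salesloft; the CSV column names, the record IDs and the login hostnames are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# Assumption: replace with your organization's own VPN/SSO login hostnames.
LOGIN_HOSTS = ["vpn.example.com", "sso.example.com"]

# Indicator name -> pattern. AKIA is the prefix of long-term AWS access key IDs
# (20 characters in total); the other entries are plain keyword matches.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"snowflake", re.IGNORECASE),
    "password_or_secret": re.compile(r"password|secret", re.IGNORECASE),
    "org_login_url": re.compile("|".join(map(re.escape, LOGIN_HOSTS)), re.IGNORECASE),
}

# Constructed sample export (not real data); column names are assumptions.
SAMPLE_EXPORT = '''Id,Subject,Description
CASE-0001,Cannot deploy,"Customer pasted aws_access_key_id=AKIAIOSFODNN7EXAMPLE in the ticket"
CASE-0002,Login issue,"User cannot reach https://sso.example.com/login, Password: Hunter2!"
CASE-0003,Billing question,"Invoice total looks wrong for March"
CASE-0004,Data load,"Loader fails against acme.snowflakecomputing.com"
'''


def mask(value):
    """Keep only the first four characters so the report does not re-leak the match."""
    return value[:4] + "*" * (len(value) - 4)


def scan_export(csv_text, id_column="Id"):
    """Return (record id, field, indicator, masked match) for every hit."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, text in row.items():
            if field == id_column or not text:
                continue
            for indicator, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((row[id_column], field, indicator, mask(match.group(0))))
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

Keyword hits such as "password" only mark a record for manual review and rotation; a dedicated scanner such as TruffleHog covers many more credential formats.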