Attackers steal data from Salesforce instances via compromised AI live chat tool


What Salesloft Drift users should do next: The GTIG report and the Salesloft advisories include indicators of compromise such as IP addresses used by the attackers and User-Agent strings for the tools they used to access the data. Mandiant advises companies to also search logs for any activity from known Tor exit nodes in addition to the IP addresses listed in the IOCs and to open a Salesforce support ticket to receive a full list of queries executed by the attackers.

Organizations should search their own Salesforce objects for any stored credentials and should rotate those, especially those containing the terms AKIA (AWS), Snowflake, password, secret and key. Strings related to organizational login URLs, including VPN and SSO pages, should also be searched. An open-source tool called TruffleHog can also be used to search data for hardcoded secrets and credentials.

“We regularly see the compromise and abuse of OAuth2 tokens and SaaS-to-SaaS integrations,” Cory Michal, CSO of AppOmni, told CSO. “They’ve long been a known blind spot in most enterprise security programs. What did surprise me was the sheer scale and the methodical discipline the attackers demonstrated. This wasn’t opportunistic, it looked highly coordinated, with a level of planning and execution that suggests a state-sponsored adversary pursuing a broader mission.”

BleepingComputer reports that a representative of the extortion group ShinyHunters claimed they are behind the attack. ShinyHunters has been operating for a number of years, being responsible for reported breaches at AT&T, Ticketmaster and other organizations. The group has targeted Snowflake and AWS accounts before, as well as Salesforce accounts recently in a vishing campaign involving fake IT support calls.
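The credential search recommended above can be run over exported Salesforce records with a short script. The following is an added example, not code from the article, Mandiant or Salesloft; it assumes records exported as dictionaries with an `Id` field, the login-URL heuristic is an assumption, and the sample records are constructed.

```python
import re

# Terms the article lists, matched case-insensitively as whole words
# (so "api_key" hits but "keyboard" does not).
KEYWORD_RE = re.compile(
    r"(?<![A-Za-z])(snowflake|password|secret|key)(?![A-Za-z])", re.I)
# AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
AKIA_RE = re.compile(r"(?<![0-9A-Z])AKIA[0-9A-Z]{16}(?![0-9A-Z])")
# Assumption: login pages are recognisable by vpn/sso/login in the URL.
LOGIN_URL_RE = re.compile(
    r"https?://[^\s\"'<>]*(?:vpn|sso|login)[^\s\"'<>]*", re.I)

def redact(value):
    """Keep 4 characters at each end so the report itself holds no secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_records(records):
    """Return (record_id, field, category, evidence) for every hit."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "Id" or not isinstance(value, str):
                continue
            for m in AKIA_RE.finditer(value):
                findings.append((rec["Id"], field, "aws_access_key_id", redact(m.group())))
            for m in LOGIN_URL_RE.finditer(value):
                findings.append((rec["Id"], field, "login_url", m.group()))
            for m in KEYWORD_RE.finditer(value):
                findings.append((rec["Id"], field, "keyword:" + m.group().lower(), m.group()))
    return findings

def records_to_review(findings):
    """Sorted, de-duplicated record IDs whose contents need review and rotation."""
    return sorted({f[0] for f in findings})

# Constructed sample records; the AKIA value is AWS's documentation placeholder.
SAMPLE = [
    {"Id": "500-CONSTRUCTED-1", "Subject": "S3 upload fails",
     "Description": "Using AKIAIOSFODNN7EXAMPLE with the secret pasted below"},
    {"Id": "500-CONSTRUCTED-2", "Subject": "Cannot log in",
     "Description": "SSO page https://sso.example.com/login times out; Snowflake password reset?"},
    {"Id": "500-CONSTRUCTED-3", "Subject": "Keyboard replacement",
     "Description": "Monkey-themed keyboard arrived broken"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE):
        print(finding)
```

Keyword hits only mark a record for manual review; any credential actually found in a flagged record should be rotated, as the article advises.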

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4046407/attackers-steal-data-from-salesforce-instances-via-compromised-ai-live-chat-tool.html
