Uber has linked its recent cyberattack to an actor (or actors) affiliated with the notorious LAPSUS$ threat group, responsible for breaching the likes of Microsoft, Cisco, Samsung, Nvidia and Okta this year. The announcement came as the ride-hailing giant continues to investigate a network data breach that occurred on Thursday, September 15.

Attacker gained elevated permissions to tools including G-Suite and Slack

In a security update published on Monday, September 19, Uber wrote, “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account.” Each time, the contractor received a two-factor login approval request, which initially blocked access, it added.

“Eventually, however, the contractor accepted one, and the attacker successfully logged in.” From there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

Uber’s response includes key rotating and re-authentication

Outlining its response, Uber said its security monitoring processes allowed its teams to quickly identify the issue. “Our top priorities were to make sure the attacker no longer had access to our systems, to ensure user data was secure and that Uber services were not affected, and then to investigate the scope and impact of the incident,” it wrote.
According to the firm, its actions included:

- Identify employee accounts that were compromised or potentially compromised, either blocking their access to Uber systems or requiring a password reset.
- Disable affected or potentially affected internal tools.
- Rotate keys (effectively resetting access) to internal services.
- Require employees to re-authenticate and further strengthen multi-factor authentication (MFA) policies.
- Add more monitoring of the internal environment.

Sensitive user data, accounts appear to remain protected

Uber assured users that, while the attacker accessed several of its internal systems, its investigations have (so far) not revealed unauthorized access to the production (i.e., public-facing) systems that power its apps, any user accounts, or the databases it uses to store sensitive user information such as credit card numbers, user bank account info, or trip history. “We also encrypt credit card information and personal health data, offering a further layer of protection,” it stated.

Uber also said that it reviewed its codebase and has not found that the attacker made any changes, nor have they accessed any customer or user data stored by its cloud providers. “It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads,” it wrote. “The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.”

Uber said it is working alongside several leading digital forensics firms as part of the investigation and is in close coordination with the FBI and US Department of Justice on this matter.
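
The sign-in pattern Uber describes (repeated two-factor approval requests that go unapproved, followed by one acceptance) is something the added monitoring can look for in MFA logs. The following is an added example, not code from Uber or the original article; the event format, result labels, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO timestamp, user, push result.
SAMPLE_EVENTS = [
    ("2022-09-15T08:00:00", "employee3", "denied"),
    ("2022-09-15T09:00:00", "employee2", "timeout"),
    ("2022-09-15T09:00:40", "employee2", "approved"),   # one missed prompt: normal
    ("2022-09-15T10:00:00", "employee3", "denied"),
    ("2022-09-15T12:00:00", "employee3", "denied"),
    ("2022-09-15T14:00:00", "employee3", "denied"),
    ("2022-09-15T14:05:00", "employee3", "approved"),   # denials spread over hours
    ("2022-09-15T21:02:10", "contractor1", "denied"),
    ("2022-09-15T21:09:45", "contractor1", "timeout"),
    ("2022-09-15T21:15:30", "contractor1", "denied"),
    ("2022-09-15T21:24:05", "contractor1", "denied"),
    ("2022-09-15T21:31:50", "contractor1", "timeout"),
    ("2022-09-15T21:40:12", "contractor1", "approved"), # burst, then acceptance
]

def find_push_fatigue(events, min_rejected=4, window=timedelta(minutes=60)):
    """Flag approvals preceded by >= min_rejected unapproved pushes within `window`."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    alerts = []
    for ts_raw, user, result in sorted(events):   # ISO strings sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()                     # forget prompts outside the window
        if result == "approved":
            if len(prompts) >= min_rejected:
                alerts.append({
                    "user": user,
                    "approved_at": ts_raw,
                    "rejected_before": len(prompts),
                    "first_prompt": prompts[0].isoformat(),
                })
            prompts.clear()                       # an approval starts a new sequence
        else:                                     # "denied" or "timeout"
            prompts.append(ts)
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert of this kind is a prompt to contact the user and review the approved session, since a long run of rejected prompts ending in an approval can also be a user struggling with a new device.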