Attacker likely bought employee account credentials on the dark web and then escalated privileges to access internal tools. Credit: Weedezign / Getty Images Uber has linked its recent cyberattack to an actor (or actors) affiliated with the notorious LAPSUS$ threat group, responsible for breaching the likes of Microsoft, Cisco, Samsung, Nvidia and Okta this year. The announcement came as the ride-hailing giant continues to investigate a network data breach that occurred on Thursday, September 15.Attacker gained elevated permissions to tools including G-Suite and SlackIn a security update published on Monday, September 19, Uber wrote, “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account.” Each time, the contractor received a two-factor login approval request, which initially blocked access, it added.“Eventually, however, the contractor accepted one, and the attacker successfully logged in.” From there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.Uber’s response includes key rotating and re-authenticationOutlining its response, Uber said its security monitoring processes allowed its teams to quickly identify the issue. “Our top priorities were to make sure the attacker no longer had access to our systems, to ensure user data was secure and that Uber services were not affected, and then to investigate the scope and impact of the incident,” it wrote. According to the firm, its actions included: Identify employee accounts that were compromised or potentially compromised, either blocking their access to Uber systems or requiring a password reset.Disable affected or potentially affected internal tools.Rotate keys (effectively resetting access) to internal services.Require employees to re-authenticate and further strengthen multi-factor authentication (MFA) policies.Add more monitoring of the internal environment.Sensitive user data, accounts appear to remain protectedUber assured users that, while the attacker accessed several of its internal systems, its investigations have (so far) not revealed unauthorized access to the production (i.e., public-facing) systems that power its apps, any user accounts, or the databases it uses to store sensitive user information such as credit card numbers, user bank account info, or trip history. “We also encrypt credit card information and personal health data, offering a further layer of protection,” it stated.Uber also said that it reviewed its codebase and has not found that the attacker made any changes, nor have they accessed any customer or user data stored by is cloud providers. “It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads,” it wrote. “The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.” Uber said it is working alongside several leading digital forensics firms as part of the investigation and is in close coordination with the FBI and US Department of Justice on this matter. Related content brandpost How an integrated platform approach improves OT security By Richard Springer Sep 26, 2023 5 mins Security news Teachers urged to enter schoolgirls into UK’s flagship cybersecurity contest CyberFirst Girls aims to introduce girls to cybersecurity, increase diversity, and address the much-maligned skills shortage in the sector. By Michael Hill Sep 26, 2023 4 mins Back to School Education Industry IT Training news CREST, IASME to deliver UK NCSC’s Cyber Incident Exercising scheme CIE scheme aims to help organisations find quality service providers that can advise and support them in practising cyber incident response plans. By Michael Hill Sep 26, 2023 3 mins IT Governance Frameworks Incident Response Data and Information Security news Baffle releases encryption solution to secure data for generative AI Solution uses the advanced encryption standard algorithm to encrypt sensitive data throughout the generative AI pipeline. By Michael Hill Sep 26, 2023 3 mins Encryption Generative AI Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe