Attacker likely bought employee account credentials on the dark web and then escalated privileges to access internal tools.

Uber has linked its recent cyberattack to an actor (or actors) affiliated with the notorious LAPSUS$ threat group, responsible for breaching the likes of Microsoft, Cisco, Samsung, Nvidia and Okta this year. The announcement came as the ride-hailing giant continues to investigate a network data breach that occurred on Thursday, September 15.

Attacker gained elevated permissions to tools including G-Suite and Slack

In a security update published on Monday, September 19, Uber wrote, “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account.” Each time, the contractor received a two-factor login approval request, which initially blocked access, it added. “Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

From there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

Uber’s response includes key rotation and re-authentication

Outlining its response, Uber said its security monitoring processes allowed its teams to quickly identify the issue. “Our top priorities were to make sure the attacker no longer had access to our systems, to ensure user data was secure and that Uber services were not affected, and then to investigate the scope and impact of the incident,” it wrote.
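The account takeover described above followed a pattern defenders can look for directly in authentication logs: a burst of MFA push requests that are denied or time out, followed by one that is approved. The following detector is an added example written for this article, not Uber's own tooling or any vendor's code. It assumes a hypothetical JSON-lines authentication log with the fields ts, user and event, and the sample log lines it runs over are constructed.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Hypothetical detection script added for this article; it is not Uber's
tooling. It assumes a JSON-lines log where each record has:
  ts    - UTC timestamp, ISO 8601 with a trailing Z
  user  - account name
  event - one of: mfa_push_sent, mfa_push_denied, mfa_push_timeout,
          mfa_push_approved, login_success
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "ext.contractor" rejects or ignores four pushes,
# then approves one; "alice" approves her first push and is benign.
SAMPLE_LOG = """
{"ts": "2022-09-15T22:01:00Z", "user": "ext.contractor", "event": "mfa_push_sent"}
{"ts": "2022-09-15T22:01:30Z", "user": "ext.contractor", "event": "mfa_push_denied"}
{"ts": "2022-09-15T22:03:00Z", "user": "ext.contractor", "event": "mfa_push_sent"}
{"ts": "2022-09-15T22:05:00Z", "user": "ext.contractor", "event": "mfa_push_timeout"}
{"ts": "2022-09-15T22:06:00Z", "user": "ext.contractor", "event": "mfa_push_sent"}
{"ts": "2022-09-15T22:06:20Z", "user": "ext.contractor", "event": "mfa_push_denied"}
{"ts": "2022-09-15T22:08:00Z", "user": "ext.contractor", "event": "mfa_push_sent"}
{"ts": "2022-09-15T22:08:10Z", "user": "ext.contractor", "event": "mfa_push_denied"}
{"ts": "2022-09-15T22:10:00Z", "user": "ext.contractor", "event": "mfa_push_sent"}
{"ts": "2022-09-15T22:10:40Z", "user": "ext.contractor", "event": "mfa_push_approved"}
{"ts": "2022-09-15T22:10:45Z", "user": "ext.contractor", "event": "login_success"}
{"ts": "2022-09-15T09:00:00Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2022-09-15T09:00:12Z", "user": "alice", "event": "mfa_push_approved"}
{"ts": "2022-09-15T09:00:13Z", "user": "alice", "event": "login_success"}
"""

# Events that mean the user did not accept the push.
REJECTED_EVENTS = {"mfa_push_denied", "mfa_push_timeout"}


def parse_log(text):
    """Parse JSON lines into dicts with ts as datetime, sorted per user by time."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: (r["user"], r["ts"]))


def find_push_fatigue(records, threshold=3, window=timedelta(minutes=30)):
    """Return (user, rejected_count, approval_ts) for every approval that was
    preceded by at least `threshold` rejected/timed-out pushes within `window`.

    The thresholds are illustrative assumptions; tune them to your own
    baseline of how often legitimate users dismiss a push by mistake.
    """
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    findings = []
    for user, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["event"] != "mfa_push_approved":
                continue
            start = ev["ts"] - window
            rejected = sum(
                1 for e in events[:i]
                if e["event"] in REJECTED_EVENTS and e["ts"] >= start
            )
            if rejected >= threshold:
                findings.append((user, rejected, ev["ts"]))
    return findings


def flagged_users(text, **kwargs):
    """Convenience wrapper: user names that trip the detector for a raw log."""
    return sorted({f[0] for f in find_push_fatigue(parse_log(text), **kwargs)})


if __name__ == "__main__":
    for user, rejected, approved_at in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{user}: {rejected} rejected pushes before approval at {approved_at:%H:%M:%S}Z")
```

A finding like this is a trigger to revoke the session and rotate the credential rather than proof of compromise on its own; the same trace also argues for number-matching or hardware-key MFA, which removes the "just tap approve" path the article describes.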
According to the firm, its actions included:

- Identify employee accounts that were compromised or potentially compromised, either blocking their access to Uber systems or requiring a password reset.
- Disable affected or potentially affected internal tools.
- Rotate keys (effectively resetting access) to internal services.
- Require employees to re-authenticate and further strengthen multi-factor authentication (MFA) policies.
- Add more monitoring of the internal environment.

Sensitive user data, accounts appear to remain protected

Uber assured users that, while the attacker accessed several of its internal systems, its investigations have (so far) not revealed unauthorized access to the production (i.e., public-facing) systems that power its apps, any user accounts, or the databases it uses to store sensitive user information such as credit card numbers, user bank account info, or trip history. “We also encrypt credit card information and personal health data, offering a further layer of protection,” it stated.

Uber also said that it reviewed its codebase and has not found that the attacker made any changes, nor has the attacker accessed any customer or user data stored by its cloud providers. “It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads,” it wrote. “The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.”

Uber said it is working alongside several leading digital forensics firms as part of the investigation and is in close coordination with the FBI and US Department of Justice on this matter.