
























Follow ZDNET: Add us as a preferred source on Google.
Canvas is at the center of an ongoing cyberattack and data extortion attempt by a well-known cybercriminal group that claims to have stolen student records. If you are a Canvas user, you can take defensive measures now.
Also: No one pays ransomware demands anymore - so attackers have a new goal
Canvas is a Learning Management System (LMS) from Instructure, a Salt Lake City-based educational technology company founded in 2008.
Designed for remote learning, Canvas has been adopted by thousands of schools for course creation and management, grading, feedback, and coursework submission. Instructure says the LMS now supports tens of millions of users -- students and parents -- and has recorded 27 million mobile app downloads. Canvas is available in over 100 countries.
While Canvas boasts a 100% uptime notice on its website, Instructure CISO Steve Proud said last week that the LMS had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor."
The company began investigating. On May 6, Proud said the company believed the incident had been "contained," but some data may have been exposed -- and it didn't take long for students to begin reporting login issues.
Also: The shadowy SIM farms behind those incessant scam texts - and how to stay safe
On Thursday, May 7, Canvas login interfaces were defaced, with ransom notes reportedly posted by the ShinyHunters group as it moved from data theft to public extortion. Students who tried to log in were unable to access their course materials, likely a deliberate attempt by the cyberattackers to put pressure on Instructure to pay up, with finals just around the corner.
In response, Canvas displayed a maintenance mode page, an action that had drawn criticism.
The hackers' ransom note, which has since circulated online, demands that Instructure contact the group by May 12.
"ShinyHunters has breached Instructure (again)," the note reads. "Instead of contacting us to resolve it, they ignored us and did some 'security patches.'"
While access has reportedly been restored for most users, with the deadline approaching, this may not be the end of the story.
ShinyHunters is a collective of cybercriminals that extorts companies for payment. Since making headlines in 2020 with a swathe of company breaches, ShinyHunter's modus operandi is to quietly infiltrate a target business, steal information, and then publicly pressure the victim into paying a "settlement."
Also: The best free VPNs: Expert tested and reviewed
Often associated with large-scale breaches, ShinyHunters, like many other cybercriminal groups, operates a "leak site." Leak sites are public-facing websites that list alleged victims and the items stolen, and often include a demand for payment.
If a victim fails to comply, the information stolen from them may be published. Having the victim's name removed from the leak site may also be part of negotiations.
ShinyHunters has threatened to leak data on approximately 275 million students from 8,800 academic institutions if its demands are not met.
Also: I'm a tech professional, and an AI job scam almost fooled me - here's how I caught on
According to Instructure, exposed data may include:
"At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved," Instructure said. "If that changes, we will notify any impacted institutions."
It is not known whether Instructure has communicated with ShinyHunters. Instructure said it is currently "not seeing any ongoing unauthorized activity."
Also: This critical Linux vulnerability is putting millions of systems at risk - how to protect yours
The company has revoked privileged credentials and access tokens associated with affected systems, deployed security patches -- although no associated vulnerability disclosures have been made yet -- and rotated security keys. Instructure said it has also ramped up monitoring across its platforms.
"As a precaution, we recommend customers follow security best practices, including enforcing MFA on privileged accounts, reviewing admin access, and rotating API tokens or keys where applicable," the company added.
Also: These 5 critical Windows Defender settings are off by default - turn them on ASAP
We reached out Instructure for comment and a spokesperson shared this statement:
Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。