We’re learning more and trying to keep up with one of the biggest breaches we think we’ve gotten ahold of.

The article starts:
Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message.
BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions.
The second hack was to draw attention and to pressure Instructure into entering negotiations to pay a ransom following an initial breach disclosed a week before.
Cross-site scripting (XSS) flaws are becoming a problem once again.
Cross-Site Scripting (XSS) flaws are web security vulnerabilities where attackers inject malicious, client-side scripts (typically JavaScript) into trusted websites. These flaws occur when applications fail to validate or encode user-provided data, causing the browser to execute the script, leading to session theft, malware distribution, or site defacement.
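The "fail to validate or encode user-provided data" part of that definition, shown as an added example (it is not code from Instructure, Canvas or the article; the function names and the sample comment are constructed for illustration). The same user-supplied comment is rendered once by plain string concatenation and once with output encoding plus a URL-scheme check:

```javascript
// Added example: output encoding for user-generated content.
// All names here are hypothetical; the sample comment is constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let text break out of HTML content or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; javascript:, data:, relative or malformed
// URLs are replaced with an inert "#".
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable pattern: user data is concatenated straight into markup.
function renderCommentUnsafe(c) {
  return `<div class="comment"><a href="${c.link}">${c.author}</a>: ${c.body}</div>`;
}

// Hardened pattern: every user-controlled value is encoded for its context.
function renderCommentSafe(c) {
  const href = escapeHtml(safeHref(c.link));
  return `<div class="comment"><a href="${href}">${escapeHtml(c.author)}</a>: ${escapeHtml(c.body)}</div>`;
}

// Review helper: flags script tags, inline event handlers and javascript: links.
function containsActiveMarkup(html) {
  return /<\s*script\b|\son\w+\s*=|href\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed sample input: a comment whose fields carry markup instead of text.
const SAMPLE_COMMENT = {
  author: 'Constructed User',
  link: 'javascript:void(0)',
  body: '<script>document.title = "injected"</script>',
};

console.log('unsafe render active?', containsActiveMarkup(renderCommentUnsafe(SAMPLE_COMMENT)));
console.log('safe render active?  ', containsActiveMarkup(renderCommentSafe(SAMPLE_COMMENT)));
console.log(renderCommentSafe(SAMPLE_COMMENT));
```

In the encoded version the browser displays the submitted markup as text rather than executing it, which is the property the definition says is missing in an XSS flaw.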
The article continues: On April 29, the company discovered that its network had been breached and “immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.”
A few days later, the company confirmed that data was stolen in the cyberattack, and ShinyHunters published Instructure on their data leak site, stating that they stole more than 3.6 terabytes of uncompressed data.
Will we end up finally learning what exactly is going on? The fact we’re continuing to get updates is great, and we’re trying to keep up and I think we might have a line on this. The fact the company is continuing to keep us informed during its investigation is one of their strongest points to date. I’m happy, Instructure, that you’re keeping everyone up to date. You are a shining light on the situation, and companies should take note of the fact you’re keeping us informed.
The article continues:
In an attempt to coerce Instructure into paying a ransom, the threat actor hacked Instructure again on May 7 using the same vulnerability used in the initial intrusion.
ShinyHunters injected malicious JavaScript exploiting XSS bugs within user-generated content features, which gave them access to authenticated admin sessions and allowed them to perform privileged actions.
This is where the company fails. It seems to me that if they were fully patched, it would’ve been harder to do this. I’m not saying that it would’ve been impossible, I’m saying it would be harder. Making things harder is much more attractive in this field — we don’t expect perfection.
Continuing:
ShinyHunters used the flaw to add a message to Canvas login portals, warning that the company, as well as schools using its platform, had until May 12 to reach out and negotiate a ransom.
We did see an article from CNN that indicated that students saw ransomware notes instead of their content. But I bet that this was mainly for the administrators of the schools or even the company itself.
While the company is straightforward in telling us what is going on, I believe their lackluster security practices led to this problem.
The article continues:
While no data was compromised when defacing Canvas login portals, the data that ShinyHunters exfiltrated in the first breach likely includes usernames, email addresses, course names, enrollment information, and messages.
This is contradictory, isn’t it? You write:
While no data was compromised when defacing Canvas login portals, …
then you tell us what may have been taken which says again:
the data that ShinyHunters exfiltrated in the first breach likely includes usernames, email addresses, course names, enrollment information, and messages.
My question is, so … what is it? Has data been taken or not?
With a grain of salt, the final paragraph says:
According to ShinyHunters, the Instructure breach impacts 8,809 educational organizations (schools, universities, colleges, online platforms) and the hackers claim to have stolen 275 million records belonging to students, teachers, and other staff members.
I guess we’ll see what happens. This is getting interesting.
The full article is titled “Instructure confirms hackers used Canvas flaw to deface portals”, so please continue to keep informed of this continuing, developing story.
Sincerely,
Jared Rimer
The Jared Rimer Network