Hello folks,
The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company’s Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams.
In a letter sent Monday afternoon to Instructure CEO Steve Daly, Homeland Security Committee Chairman Andrew R. Garbarino said the committee is investigating the massive breach at Instructure that impacts millions of students.
What about the breaches that have affected the rest of us, my friend?
“The Committee on Homeland Security (Committee) is investigating the concerning reports related to recent cybersecurity incidents affecting Instructure Holdings, Inc. and the tens of millions of students, educators, and administrators who rely on its Canvas learning management platform,” reads the letter.
This is all well and good, but what about all of the other breaches? We know this department has been involved in other breach investigations, but we don’t hear anything else about them. Is the government going to share what is being learned? As stated above, what about the rest of us?
Despite the fact that Instructure was negligent in their handling of the situation by allowing cross-site scripting and modification of pages, they did seem to do everything right, as far as I can tell, throughout the weekend in notifying us of what was going on.
The article continues:
“Within the span of one week, the cybercriminal group known as ShinyHunters breached Instructure twice.”
That’s a little bit concerning. I would’ve tried to fix it after the first time so they couldn’t. But maybe that is where the negligence comes into play.
As first reported by BleepingComputer, Instructure disclosed on May 3 that it had suffered a breach. The company later confirmed it detected the intrusion on April 29 after threat actors compromised its systems and stole data belonging to students and school staff using Canvas.
The company said the exposed information included names, email addresses, student identification numbers, and messages exchanged between students and teachers on the platform. However, the data did not include passwords, financial information, or government identifiers.
That’s nice. Enough information to start the process of social engineering everyone for the rest so you can do more damage.
Constant reporting within what is being read gives the number at 8809, but The Cyberwire in two episodes of their coverage on Monday and Tuesday said 9,000. There’s a difference between 8800 which I’ve written and 9,000. While the number is small, accuracy is more important, even if it isn’t exact. In no way do I mean that it is like 100, but 8800 is smaller than the millions of records we’ve seen in breaches, but institutions affected, that’s a high number as it could be many millions of people. That … we don’t have as a number.
We may further learn that more than the 8809 confirmed entities were affected, which is why I rounded it to 8800 within this coverage.
Here are a couple other paragraphs which may be questioned.
The extortion gang also updated its data leak site today, with a new statement claiming that the data has been destroyed and that schools do not need to independently contact them to negotiate.
“We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved,” reads the ShinyHunters update.
“The Company and its customers will not further be targeted or contacted for payment. The data is nonexistent.”
Non-existent, my eye! Once put out there, it’s captured for the internet to always see and grab through the screen shots shared.
Here are the two major paragraphs I’m highlighting from the three.
“We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved,” reads the ShinyHunters update.
“The Company and its customers will not further be targeted or contacted for payment. The data is nonexistent.”
So you’re truly saying that you deleted the data and you will never have anything to do with the company, or any school again? I call bull, because I’ve seen this. And the fact that you practically get away with every single breach you are involved in, and there are no repercussions for what you’ve done.
While nobody was hurt, people can search the blog for ransomware. Why? Because ransomware has killed people. Not regularly, but it has. Until these gangs are stopped from going after whatever they want, I’ll never believe a word they say. The data may be gone, but look at the articles. It has screen shots, proving what you, the actor, put on your own web site or what you, the gang, gave the entity to publish at the time.
To read the entire article, please read Bleeping Computer as they now publish: US govt seeks Instructure testimony on massive Canvas cyberattack for our reading pleasure.