Canvas Data Leak Extortion: A Growing Concern
Pressure is mounting on Instructure, the company behind Canvas, as cybercriminals threaten to leak a trove of sensitive data they claim was stolen during a prolonged cyberattack on the widely used education tech platform. The threat group, ShinyHunters, has set a deadline of May 12 for the company to respond to their ransom demands.
The attack, which was first detected on April 29, has exposed usernames, email addresses, course names, enrollment information, and messages. However, Instructure CEO Steve Daly has insisted that course content, submissions, and credentials were not compromised.
Impact on the Education Sector
The temporary but widespread disruption caused by the attack has spurred broad concern across the education sector. The House Homeland Security Committee has published a letter to Daly seeking a briefing on the incident, citing concerns about the company's incident response capabilities and its obligations to the institutions and individuals whose data it holds.
Researchers at Halcyon tracked more than 250 ransomware attacks on education institutions globally last year, highlighting the education sector as a recurring and consistent target for cybercriminals. The attack on Canvas stands apart from most of these attacks because of Canvas's widespread use and downstream impact.
ShinyHunters' Tactics
ShinyHunters, a decentralized crew of prolific cybercriminals, has a known pattern of removing victim entries once communications and negotiations have started. However, cybersecurity professionals focused on ransomware and data theft extortion consistently encourage victims not to pay ransoms, citing the risk of false statements and further extortion.
Allison Nixon, chief research officer at Unit 221B, has warned that the threat group claiming responsibility for the attack should not be trusted. "They are claiming they will delete the data after they are paid, and if they are not paid that they will leak the data," she said. "This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past."
Instructure's Response
Instructure has taken Canvas offline, disrupting schoolwork and access to critical systems nationwide. The company has also revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.
Daly has apologized for the company's inconsistent communication and deficient public response to the cyberattack. "Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that," he said.
The company has pledged to improve communications and provide a summary of a forensics report soon. "Rebuilding trust takes time," Daly added. "We’re going to earn it back through consistent action and honest communication."
Conclusion
The attack on Canvas highlights the importance of robust cybersecurity measures and incident response capabilities. As the education sector continues to be a target for cybercriminals, it is essential for companies like Instructure to prioritize the security and privacy of their users' data.
- Instructure detected unauthorized activity in Canvas on April 29.
- ShinyHunters claimed responsibility for the attack and threatened to leak 3.65 terabytes of sensitive data.
- The House Homeland Security Committee has published a letter to Daly seeking a briefing on the incident.
- Instructure has taken Canvas offline and revoked privileged credentials and access tokens for affected systems.
Source: CyberScoop