Hackers Attack School Login Pages After Another Instructure Breach

Instructure attacked 

Last week, edtech giant Instructure reported a data breach where threat actors stole students’ personal data: names, email addresses, and conversations between students and teachers.

Hackers have compromised Instructure again, this time defacing various schools' login pages for its Canvas platform. Canvas lets schools manage coursework and assignments and communicate with students.

ShinyHunters claim responsibility

The cybercrime gang ShinyHunters posted a message on the Canvas login pages of three different schools. An analysis of the compromised portals reveals that the hackers deployed an HTML file that altered the login screens to display their message.

According to the message, the hackers have threatened to leak the stolen data on May 12 unless the company settles the negotiations.

Instructure's website was only partially online and returned a "too many requests" error. The company's portal displayed a notice saying it was "currently undergoing scheduled maintenance."

Instructure has not replied to TechCrunch’s request for a comment. 

Attack tactic 

Earlier, ShinyHunters claimed responsibility for the original hack by posting it on its leak site, a website that threat actors use to publish stolen data and pressure victims into paying large ransoms. The aim is to extort Instructure into paying in exchange for not publishing the information on the web.

How the threat actors compromised the login pages is still not clear. In a conversation with TechCrunch, ShinyHunters said they couldn't give specific details but said that this was a second breach.

Extortion and data theft

After the original breach at Instructure, the threat actors claimed to have exfiltrated information from 9,000 schools globally. The stolen files allegedly comprised data on 231 million people.

The ShinyHunters gang has attacked scores of victims in the last two years, using the same attack tactic: hack, leak, and extort.

This took place in an unusual hacking campaign in which an unidentified group of threat actors attacked systems already infected by an infamous hacking group called TeamPCP. Once the hackers gained access to these systems, they removed TeamPCP's hackers and disabled their tools, according to a report by cybersecurity firm SentinelOne.

The impact 

Following this, the threat actors used their access to install code built to replicate across different cloud infrastructure like a self-spreading worm, steal various credentials, and send the stolen data back to their own infrastructure.

TeamPCP is a criminal gang that has made headlines in recent times due to its high-profile hacks: a cyberattack against the widely used vulnerability scanner Trivy, a breach of the European Commission's cloud infrastructure, and breaches affecting organizations that used it, including LiteLLM and AI recruiting startup Mercor, among others.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents