The Canvas Hack Is a New Kind of Ransomware Debacle (wired.com)
Wired describes the recent Canvas breach as an unusually disruptive ransomware-style extortion incident because one attack on Instructure's learning platform temporarily paralyzed thousands of schools during finals and end-of-year assignments. The hackers using the "ShinyHunters" name claim more than 8,800 schools were affected, while Instructure says exposed data included names, email addresses, student ID numbers, and platform messages. From the report: Higher education has long been a target of ransomware gangs and data extortion attacks. But never before, perhaps, has a cyberattack against a single software platform so thoroughly disrupted the daily operations of thousands of schools across the United States. The widely used digital learning platform Canvas was put into "maintenance mode" on Thursday after its maker, the education tech giant Instructure, suffered a data breach and faced an extortion attempt by attackers using the recognizable moniker "ShinyHunters." Though the hackers have been advertising the breach and attempting to extract a ransom payment from Instructure since May 1, the situation took on additional immediacy for regular people across the US and beyond on Thursday because the Canvas downtime caused chaos at schools, including those in the midst of finals and end-of-year assignments.
Universities like Harvard, Columbia, Rutgers, and Georgetown sent alerts to students about the situation in recent days; other institutions, including school districts in at least a dozen states, also appear to have been affected. In a list published by the hackers behind the attack on their ransom-focused dark web site, they claim the breach affected more than 8,800 schools. The exact scale and reach of the breach is currently unclear, though. And the fact that Canvas was down throughout Thursday afternoon and evening further complicated the picture. In a running incident update log that began on May 1, Steve Proud, Instructure's chief information security officer, said that the company had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor." He added on May 2 that "the information involved" for "users at affected institutions" included names, email addresses, student ID numbers, and messages exchanged by users on the platform.
The situation was ultimately marked as "Resolved" on Wednesday, with Proud writing that "Canvas is fully operational, and we are not seeing any ongoing unauthorized activity." At midday on Thursday, though, the Instructure status page registered an "issue" where "some users are having difficulties logging into Student ePortfolios." Within a few hours, the company had added another status update: "Instructure has placed Canvas, Canvas Beta and Canvas Test in maintenance mode." Late Thursday evening, the company said that Canvas was available again "for most users."
TechCrunch reported on Thursday that the hackers launched a secondary wave of attacks, defacing some schools' Canvas portals by injecting an HTML file to display their own message on the schools' Canvas login pages. According to The Harvard Crimson, attackers modified the Harvard Canvas login page to show a message that included a list of schools that the hackers claim were impacted by the breach. The message from attackers "urged schools included on the affected list to consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12 -- or else risk their data being leaked," The Crimson reported. "It is unclear what information tied to Harvard affiliates was included in the alleged breach."
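The defacement described above worked by getting extra HTML onto institutions' Canvas login pages, which is something an institution can watch for on its own side even when the platform is hosted by a vendor. The following is an added example, not code from Wired, Instructure, or the attackers: a small integrity check that profiles a login page (external script and stylesheet URLs, hashes of inline scripts, and the visible text), compares it with a stored baseline, and reports what changed. The baseline and "defaced" pages below are constructed samples with generic form fields; the injected notice is invented and is not the attackers' actual message.

```python
"""Login-page integrity check (added example; sample pages are constructed)."""
from html.parser import HTMLParser
import hashlib


class _PageProfile(HTMLParser):
    """Collects the parts of a page that a defacement is likely to touch."""

    def __init__(self):
        super().__init__()
        self.script_srcs = set()          # external <script src=...>
        self.style_hrefs = set()          # <link rel="stylesheet" href=...>
        self.inline_script_hashes = set() # sha256 of each inline <script> body
        self.text_parts = []              # visible text outside script/style
        self._in_script = False
        self._in_style = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.script_srcs.add(attrs["src"])
            else:
                self._in_script = True
                self._script_buf = []
        elif tag == "style":
            self._in_style = True
        elif tag == "link" and attrs.get("rel") == "stylesheet" and attrs.get("href"):
            self.style_hrefs.add(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf).strip()
            if body:
                self.inline_script_hashes.add(hashlib.sha256(body.encode()).hexdigest())
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)
        elif not self._in_style:
            text = " ".join(data.split())  # normalise whitespace
            if text:
                self.text_parts.append(text)


def profile_page(html):
    """Return the comparable profile of one HTML document."""
    p = _PageProfile()
    p.feed(html)
    p.close()
    return {
        "script_srcs": p.script_srcs,
        "style_hrefs": p.style_hrefs,
        "inline_script_hashes": p.inline_script_hashes,
        "text": " ".join(p.text_parts),
    }


def diff_against_baseline(baseline_html, observed_html):
    """List human-readable findings; an empty list means no change detected."""
    base, obs = profile_page(baseline_html), profile_page(observed_html)
    findings = []
    for src in sorted(obs["script_srcs"] - base["script_srcs"]):
        findings.append(f"new external script: {src}")
    for href in sorted(obs["style_hrefs"] - base["style_hrefs"]):
        findings.append(f"new stylesheet: {href}")
    if obs["inline_script_hashes"] - base["inline_script_hashes"]:
        findings.append("new or modified inline script")
    if obs["text"] != base["text"]:
        findings.append("visible text changed")
    return findings


# Constructed baseline: a minimal login form, not a real Canvas page.
BASELINE = """<html><head><title>Log In</title>
<link rel="stylesheet" href="/static/login.css">
<script src="/static/app.js"></script>
</head><body>
<form id="login" action="/login" method="post">
<label>Username</label><input name="username">
<label>Password</label><input type="password" name="password">
<button type="submit">Log In</button>
</form></body></html>"""

# Constructed "defaced" variant: an injected notice plus an extra script.
DEFACED = BASELINE.replace(
    "<form id=\"login\"",
    "<div id=\"notice\">Notice: this institution is on our list. Contact us.</div>\n"
    "<script src=\"https://example.invalid/x.js\"></script>\n"
    "<script>document.title = 'notice';</script>\n"
    "<form id=\"login\"",
)


def check_samples():
    """Run the comparison on the constructed pages; returns the findings."""
    return diff_against_baseline(BASELINE, DEFACED)


if __name__ == "__main__":
    for finding in check_samples():
        print(finding)
```

In practice the baseline is captured from the institution's own login URL after each legitimate theme change (Canvas lets account admins add custom CSS and JavaScript, so the check will also fire on those) and the observed page is fetched on a schedule; a finding is a prompt to look at the page, not proof of a breach, and a clean result says nothing about whether data was taken from the vendor.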
Wordpress and cPanel are awesome (Score:2)
....if you want this sort of garbage
Maybe ignoring the critical update advice was a bad decision?
Re: (Score:2)
I could be wrong, but I have to go into Canvas every once in a while... and it feels more like one of those Angular / React type single-page-on-top-of-a-Javascript-framework sort of web apps.
Re:Wordpress and cPanel are awesome (Score:4, Informative)
Ruby on Rails.
Core product is also Free Software (AGPL) but most choose to use Instructure's hosting because of all of the extensions and 3rd party integrations they deal with automatically for you, not to mention the actual hosting needs (disk space, etc)
Re:Wordpress and cPanel are awesome (Score:5, Interesting)
Each LMS has some amazing features and some features that make you want to go back to stone tablets.
Canvas was the first LMS we used. They always spoke about report card creation, but we got tired of waiting.
So another platform after a decade. Which swore they could import standard LMS exported content, but nope.
Back then it was a choice between roll-your-own Moodle, branded/hosted Moodle, Blackboard - experienced users said please no - and Canvas.
We were impressed by the test and backup instances, and that they were willing to try moving into K-12.
And that Canvas was built as a project after gauging dissatisfaction with existing platforms. Mostly Blackboard.
Problem? Invoke your backup instance. Not sure how something is going to fly? Try the test instance.
Working with others who have had Google Classroom - still no test instance, backups are third party, no student view.
Yes, the core of GC is free, but you're still getting mission-critical software from an ad company.
I've not kept up since we switched, but as bad as this is, this is an impressively long time to go without a crippling event.
This is a systemic problem, not an isolated one (Score:5, Insightful)
The consequences of that are now here. What were 8,000 targets are now: 1. And this isn't the only such application -- for example, much the same thing is true of email. And thus attackers now have the luxury of focusing their efforts on a single target and leveraging that into extortion against 8,000. None of the clueless, selfish, ignorant administrators responsible for this debacle will admit any responsibility -- ever. They're too busy enjoying their mansions while graduate students struggle to afford ramen for breakfast, lunch, and dinner, and junior faculty are forced to moonlight in order to make ends meet.
2. Instructure is following the standard playbook here: lie, lie, lie. They're doing that because they know they can and because no one will ever hold them accountable. It's clear from what we already know that this was a very thorough hack, Instructure knows it was a very thorough hack, and they're doing everything they can to hide that fact. And as a result of that, they're deliberately making it impossible for everyone at those 8,000 institutions to understand what really happened and to take appropriate defensive measures (if any, if possible). Instructure isn't in the least bit concerned about the damage done to all the students and faculty; Instructure only cares about itself.
Re:This is a systemic problem, not an isolated one (Score:4, Insightful)
=And this isn't the only such application -- for example, much the same thing is true of email.
And HR (Workday). And purchasing (Workday again).
Re: (Score:2)
=And this isn't the only such application -- for example, much the same thing is true of email.
And HR (Workday). And purchasing (Workday again).
And Payroll (UKG/UKG Wallet).
Re:This is a systemic problem, not an isolated one (Score:5, Interesting)
Your comment about administrators is absolutely right.
I'm in Europe, where the problem is less pronounced. Still, over the last 20 years, the ratio of non-teaching staff to teaching staff has gone from 2:3 to 3:2. Those numbers don't look dramatic, but consider: It used to be that 100 teaching staff had 66 admin staff. Now that same 100 teaching staff have 150 admin staff, so 2.5 times as many. Not that our teaching loads have been reduced - much the contrary - our classes are now larger. You have to fund the bloat somehow.
I am reminded of the famous quote: "The bureaucracy is expanding, to meet the expanding needs of the bureaucracy."
Re: (Score:2)
Your comment about administrators is absolutely right.
I'm in Europe, where the problem is less pronounced. Still, over the last 20 years, the ratio of non-teaching staff to teaching staff has gone from 2:3 to 3:2. Those numbers don't look dramatic, but consider: It used to be that 100 teaching staff had 66 admin staff. Now that same 100 teaching staff have 150 admin staff, so 2.5 times as many. Not that our teaching loads have been reduced - much the contrary - our classes are now larger. You have to fund the bloat somehow.
Reminds me of the place I retired from. Once upon a time, there was around a 1:1 ratio of engineers/scientists to support aides. It ended up morphing into a 5:1 ratio.
But next came the bean counter boom. What was once handled well by a small group, became the largest division in the institute. And always demanding more accountants. They even embedded accountants in the other groups after sucking up every cent of the overhead money. That way they could suck up more money yet.
Weirdly enough, I ended up
Re: (Score:1)
I don't remember where I read this phrase, but "administration begets administration".
Re:This is a systemic problem, not an isolated one (Score:4, Insightful)
The more a university transitions to a student-focused, all-encompassing city from a simple "school", the more non-teaching employees you need.
Want to go have a cleaner electrical grid than your surrounding area? Well, you'll need a power plant, energy manager, many technicians, etc.
Want a ton of greenery and trees? Well, you'll need landscapers, arborists, etc.
Want on-campus healthcare limited to the students? Well, you'll need doctors, nurses, healthcare admins, etc.
Want campus housing? Well, you'll need housing administrators, housing-specific custodians, etc.
Want to park on campus, but make sure parking meets current demands? Then you'll need a permitting system, permit enforcement, etc.
And on and on and on. Wants take work. Work requires people. People require wages.
Re: (Score:3)
I agree that this centralization is a big problem, but there's another one — all of the things which don't really benefit from being computerized, which are done on the computer anyway.
As you allude, the real problem with education is how administrators and consultants are sucking up all the cash. Once again, privatization is a huge problem when mixed into a government function. If the government cannot perform a function without some job being done, that job should be a government job. This is both s
Re: (Score:2)
That's a big, tangential rant there.
None of the clueless, selfish, ignorant administrators responsible for this debacle will admit any responsibility -- ever. They're too busy enjoying their mansions while graduate students struggle to afford ramen for breakfast, lunch, and dinner, and junior faculty are forced to moonlight in order to make ends meet.
So... where are you a grad student?
Re: This is a systemic problem, not an isolated on (Score:2)
Not sure what you are referencing exactly but while they hosted locally they often ran bundled software front end (think local Salesforce) with Oracle backends. I'm referring to 94-06 timeframe. Earlier doesn't count as most weren't online or didn't have those dependencies. I doubt very much if most built their own from scratch. I worked for a medium sized University. Def needed admins and db admins but good luck trying to have them show up on a weekend or night if it wasn't scheduled well in advance.
Proud (Score:1)
In a running incident update log that began on May 1, Steve Proud, Instructure's chief information security officer, said that the company had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor."
Steve must be so proud.
Re:Proud (Score:4, Interesting)
It is a much larger problem than just the USA. Here in Australia it has shut down the Queensland Education department learning site, several Queensland universities as well as universities in other sites and state education learning systems.
https://www.abc.net.au/news/20... [abc.net.au]
Re: (Score:2)
It is a much larger problem than just the USA.
Correct - but remember that this is Slashdot.
Don't people know not to pay? (Score:5, Interesting)
Ransomware would completely die out, if people simply refused to pay. No profit to be had, criminals would spend their time elsewhere.
As encouragement, paying ransom should simply be illegal, with severe personal penalties for any administrator or managers who approves such a payment.
Re: (Score:2)
The alternative is, company shares sinking through the floor, the first time they employ a discount expert to handle IT operations and security: Then, the CEO being fined for the incompetence of his employees. No career CEO is going to allow principles
Re: (Score:2)
Making the ransomware payments illegal is the _only_ solution. We've endured years of attacks and the idea that this will be solved by organizations bolstering their defenses has proven to be a fallacy.
Making the ransomware payments illegal would not only cause the rewards for the cybercriminals to dry up, it will also remove the lazy solution that many organizations are relying upon (paying the ransom), instead of bolstering their defenses.
How is this a "new kind"? (Score:2)
Do they just mean the *scale* and how it affected so many *schools*? I don't really see anything new about this ransomware attack, but maybe I'm missing something. Please help me understand.
single point of failure (Score:2)
I'm just waiting till the ai finishes looking at t (Score:2)
Are they even trying anymore? (Score:2)
I have to ask, are these platforms even trying to secure their systems anymore? Because I keep seeing more and more of these breaches, involving more and more platforms, and the attacks are less and less sophisticated. I hear companies talk and talk about security, yet their day-to-day practices require their employees and contractors to violate practically every good security practice and treat the red flags of an attack as normal company practice instead.
Occam's Razor no longer applies, because at this
Re:Are they even trying anymore? (Score:4, Insightful)
Remember the scene in War Games where Lightman, sent to the principal's office, obtains the school's admin password from a sticky note on a desk?
That was over 40 years ago and not much has changed since then.
Re: (Score:2)
The sticky note under the keyboard or in a desk drawer is actually pretty secure. Most attacks are remote, they've no way to read that note. The social-engineering attacks don't target people who'd go to your desk either, they either target you directly (you already know your password) or support people who don't need to know your password to give them access.
Re: (Score:2)
I'm sure they're vibe coding as fast as they can!
This should be impossible (Score:3)
Ransomware attacks are only possible if you have no backup of your data or infrastructure. They depend entirely on the idea that the attacker can steal all of your data, delete it all from your servers, and you have no way to get it back.
This should never be possible for any responsible business. Yet this happens to organizations all the time, and it seems like there's no punishment for this at all, or recourse for people affected by it.
We need to make a software building code that enforces doing the right thing for all online businesses. It would be the same as the building code, electrical code, and fire code that we require businesses comply to for the safety of the people at those businesses and their customers.
AI is only going to make these attacks happen more frequently. We must have a legal regulation that forces businesses to do what they should have been doing already.
Re: This should be impossible (Score:2)
Not necessarily true. You might have backups that will take a week to rollback to. It may be worth it for your organization to just pay and avoid the lost revenue and potential loss of trust.
Why is ... (Score:3)
Re: Why is ... (Score:2)
You might as well ask why websites use one MariaDB password to secure all their customers.
Re: (Score:2)
True.
But I'll bet it has something to do with the db admin, having had previous experience in the position, just said to himself, "I'm not going to spend the rest of my career resetting passwords for a few hundred users too stupid to swipe a Post-it from the secretary."
Re: (Score:2)
But shouldn't Step 1 be: Install your local server or lease space on your preferred cloud provider. Step 2: Secure this storage space with your own password. Step 3: Don't forget to insert the backup Zip Disk in its drive.
That costs more money to implement and maintain, significantly increases in cost due to wage increases, and internalizes liability, thereby exposing the university to lawsuits.
Ah hah. (Score:2)
This puts a bit more light on what happened in the afternoon yesterday. Wife tried to log in to Canvas to do the hours for her week of fieldwork to find a weird looking screen. She initially thought she'd got hacked or something.
Crazy it affected so many schools. I'll just say this was for Pasadena City College in Los Angeles.