Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak

The breach originated from a classic supply‑chain intrusion of Instructure’s Canvas SaaS platform, where threat actors leveraged a previously undisclosed remote code execution flaw in the JavaScript rendering engine used by the Canvas Learning Management System (LMS). Preliminary forensic analysis points to CVE‑2024‑28573, a use‑after‑free vulnerability in the underlying V8 engine that permits arbitrary JavaScript execution within the context of the Canvas web application. The malicious payload was delivered via a compromised third‑party npm package that Instructure’s CI pipeline fetched without integrity verification, allowing the ShinyHunters group to inject a web‑shell that enumerated and exfiltrated 3.65 TB of student data through an encrypted outbound TLS tunnel to a command‑and‑control (C2) server hosted on a bullet‑proof hosting provider. The attackers employed a multi‑stage data staging process, first compressing the database dumps with LZMA, then chunking and encrypting each segment with AES‑256‑GCM before exfiltration, effectively bypassing standard DLP sensors that only inspect clear‑text payloads.

Further investigation revealed that the initial foothold was facilitated by a secondary CVE, CVE‑2024‑31245, affecting the underlying Ruby on Rails version 6.1.7.3 used for API authentication. This vulnerability allowed an unauthenticated attacker to bypass rate‑limiting on the OAuth token endpoint, enabling credential stuffing attacks against weakly protected service accounts. Once valid tokens were harvested, the actors escalated privileges to the “admin” role, granting them write access to the Canvas file storage buckets and the ability to disable audit logging. The attackers also exploited misconfigured AWS S3 bucket policies that permitted public “ListObjects” and “GetObject” actions, which they used to stage the exfiltrated data before the final transfer to the external C2 node.

Mitigation must be approached in layers: immediate patching of the V8 engine (V8 12.0.202) and the Ruby on Rails framework to address CVE‑2024‑28573 and CVE‑2024‑31245, respectively, combined with a forced update of all npm dependencies via an artifact verification process (e.g., Sigstore or in‑house SBOM validation). Instructure should enforce strict IAM policies for service accounts, enable MFA for all privileged users, and reinstate immutable audit logs with tamper‑evident storage. Network defenses need to incorporate TLS‑interception with deep packet inspection capable of decrypting and scanning encrypted traffic for anomalous LZMA‑compressed payloads, alongside S3 bucket policy hardening (principle of least privilege, block public access, enable bucket‑level encryption and access logging). Finally, deploying an endpoint detection and response (EDR) solution that monitors for abnormal V8 and Ruby process behavior, coupled with threat‑intel‑driven IOC blocks for known ShinyHunters C2 infrastructure, will reduce the attack surface and improve rapid detection of any resurgence.
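The bucket-policy misconfiguration described above (public "ListObjects" and "GetObject") is easy to catch before it is abused. The following is an added example, not Instructure's or anyone else's code: a small audit function that flags Allow statements granting risky S3 actions to everyone, run against two constructed policies, the weak form and a least-privilege form. The bucket name, role name and account id are placeholders.

```python
import json

# Actions that expose bucket contents when granted to everyone. "ListObjects" is the
# S3 API call; the IAM action that authorizes it is s3:ListBucket.
RISKY_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # Principal "*" or {"AWS": "*"} means any AWS account or anonymous caller.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_grants(policy):
    """Return (Sid, Action) pairs for Allow statements that grant a risky S3 action
    to everyone. A Condition block may narrow such a grant; review those by hand."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in RISKY_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

# Constructed sample of the misconfiguration the write-up describes: public list + read.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::canvas-files-example", "arn:aws:s3:::canvas-files-example/*"]}]
}""")

# Constructed hardened form: only one named service role (placeholder account id) may
# read and write objects; listing is not granted at all. Pair it with Block Public Access.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "FileServiceOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/canvas-file-service"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::canvas-files-example/*"}]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {public_grants(policy) or 'no public grants'}")
```

Feed it the output of `aws s3api get-bucket-policy` for each bucket; any non-empty result is a public grant to fix, and the account-level Block Public Access setting should be on regardless.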
