Hackers Steal Students’ Data During Breach at Education Tech Giant Instructure
Article Link: https://techcrunch.com/2026/05/05/hackers-steal-students-data-during-breach-at-education-tech-giant-instructure/
- Instructure confirmed a data breach involving its Canvas platform, with ShinyHunters claiming responsibility.
- The group claims to have carried out a large-scale data theft affecting thousands of schools, as part of an ongoing campaign focused on stealing data and extorting victims by threatening to leak stolen information.
- The stolen data includes student names, ID numbers, email addresses, and messages between students and teachers. In some cases, phone numbers were also included.
- ShinyHunters claims to have accessed data on over 275 million individuals across nearly 9,000 schools, though the group is known to exaggerate figures to increase media attention and pressure victims.
- The exposure of student, teacher, and staff data increases long-term privacy and security risks, particularly if the information is publicly leaked or reused in phishing and social engineering attacks.
DigiCert Revokes Certificates After Support Portal Hack
Article Link: https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/
- DigiCert disclosed a cyberattack in which attackers used access to its support portal to steal extended validation (EV) code signing certificates. Sixty of these certificates were revoked, and more than 25 of them had been used to sign malware.
- The attackers delivered malware to DigiCert’s support team by disguising it as screenshots sent via customer chat. They then used the malware to compromise support staff members’ systems and leveraged support features to access customer accounts and certificate initialization codes.
- The attackers maintained access to one of the compromised systems for nearly two weeks because security tooling was not functioning properly on that system.
- The compromised EV code signing certificates allowed malicious actors to make malware appear legitimate, allowing it to bypass security tools.
- DigiCert revoked all affected certificates, cancelled pending orders, and improved its security controls in response to the hack. This included implementing MFA for administrative workflows, limiting support permissions, restricting file uploads in chat, and enhancing logging and monitoring.
Critical cPanel Flaw Mass-Exploited in “Sorry” Ransomware Attacks
Article Link: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- A critical vulnerability in cPanel and WHM is being exploited to compromise servers and deploy “Sorry” ransomware, with over 40,000 systems affected.
- The vulnerability allows authentication bypass, giving attackers unauthorized access to hosting control panels. Once inside, attackers deploy ransomware to encrypt files and drop ransom notes demanding payment.
- The campaign has taken websites offline, encrypted data with strong encryption that makes decryption difficult, and left hundreds of compromised sites publicly indexed.
- Security updates are available, but exploitation is ongoing and continues to grow. Unpatched systems remain highly vulnerable to data loss, downtime, and potential extortion.
Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk
Article Link: https://www.darkreading.com/cyber-risk/microsoft-edge-passwords-enterprise-risk
- Microsoft Edge stores saved user passwords unencrypted in process memory, even when the password is not actively in use. While an attacker would need administrator access to retrieve them, this means credentials from any user who has saved passwords in Edge on the system could be exposed.
- This is due to a design choice by Microsoft that prioritizes performance and convenience, allowing Edge to preload credentials for faster sign-ins.
- A single compromised administrator account could expose passwords for multiple users, enabling lateral movement, account takeover, and further attacks.
- The use of Edge to store passwords may give users a false sense of security as they must enter a password to view saved credentials. This protection is bypassed at the system level. In contrast, browsers like Chrome and Firefox decrypt passwords only when needed.
- Relying on Edge to store passwords becomes higher risk, especially in enterprise environments. Organizations should restrict password storage in Edge and use dedicated password managers where possible to ensure stronger isolation.
Former Incident Responders Sentenced to 4 Years in Prison for Committing Ransomware Attacks
Article Link: https://cyberscoop.com/incident-responders-ryan-goldberg-kevin-martin-sentenced-ransomware/
- Two former cybersecurity professionals at Sygnia and DigitalMint were sentenced to four years in prison for carrying out attacks using BlackCat ransomware. They collaborated with a third industry professional, a ransomware negotiator, who operated a broader, more extensive scheme.
- The group breached organizations, encrypted systems, stole data, and extorted victims. In some cases, they were assigned to respond to the incidents, allowing the negotiator to exploit his position to maximize payouts.
- Their attacks targeted multiple U.S. organizations, including healthcare and engineering firms, resulting in at least $1.3 million in ransom payments, operational disruption, and exposure of sensitive data, including patient information.
- The case underscores the need for strict oversight, clear separation of duties, and strong visibility into incident response teams.
Azure AD Security Bypass Exploits Phantom Device Registration and PRT Abuse
Article Link: https://cyberpress.org/azure-ad-security-bypass-exploits-phantom-device-registration-and-prt-abuse/
- A red team exercise demonstrated a proof of concept for fully bypassing Microsoft Entra ID conditional access. This exploit would allow an attacker with just one valid credential to gain high-level access, including Global Administrator, without malware or endpoint compromise.
- The attack exploits gaps in the trust chain between device registration and identity services, enabling the registration of a “phantom” device through the Device Registration Service. Attackers can then obtain a Primary Refresh Token, which satisfies compliance checks in Microsoft Intune.
- Weaknesses such as Conditional Access policies left in report-only mode, insufficient validation during device registration, and misconfigured compliance logic allow attackers to impersonate a trusted device and bypass protections.
- This proof of concept highlights critical identity security risks and underscores the need to enforce Conditional Access policies, implement hardware-backed device validation, and maintain strict controls over privileged accounts.
- Additional information: https://www.cyderes.com/howler-cell/azure-ad-conditional-access-device-identity-abuse
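A defender-side check for the policy-state weaknesses named above, added here as an example (not code from the article or the Cyderes write-up). It audits Conditional Access policy records in the shape returned by Microsoft Graph’s /identity/conditionalAccess/policies endpoint; the sample records and the audit logic are constructed for illustration.

```python
import json

# Graph policy state values (real values from the Conditional Access API).
REPORT_ONLY = "enabledForReportingButNotEnforced"
DISABLED = "disabled"
# Grant controls that require a device identity rather than only a user credential.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def audit_policies(policies):
    """Return (policy name, finding) tuples for Conditional Access gaps.

    Flags policies left in report-only or disabled state, and reports when no
    enforced policy requires a compliant or joined device at all. Note that,
    per the article, a phantom device with a PRT can satisfy a compliant-device
    check, so passing this audit is necessary but not sufficient.
    """
    findings = []
    device_control_enforced = False
    for policy in policies:
        name = policy.get("displayName", "<unnamed>")
        state = policy.get("state")
        grant = policy.get("grantControls") or {}
        controls = set(grant.get("builtInControls") or [])
        if state == REPORT_ONLY:
            findings.append((name, "report-only: evaluated but not enforced"))
            continue
        if state == DISABLED:
            findings.append((name, "disabled"))
            continue
        if controls & DEVICE_CONTROLS:
            device_control_enforced = True
    if not device_control_enforced:
        findings.append(("<tenant>", "no enforced policy requires a compliant or joined device"))
    return findings


def audit_graph_response(text):
    """Audit the raw JSON body of a GET on the Graph policies endpoint."""
    return audit_policies(json.loads(text)["value"])


# Constructed sample mirroring the Graph response shape (not real tenant data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device", "state": REPORT_ONLY,
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Block legacy auth", "state": DISABLED,
     "grantControls": {"builtInControls": ["block"]}},
]})

if __name__ == "__main__":
    for name, finding in audit_graph_response(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
```

Feeding it a live response (for example from `Invoke-MgGraphRequest` or any authenticated HTTP client with the Policy.Read.All scope) surfaces the same three classes of finding on a real tenant.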
Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks
Article Link: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day/
- Palo Alto Networks disclosed a critical zero-day vulnerability in its PAN-OS User-ID Authentication Portal that is actively being exploited in the wild.
- The flaw is a buffer overflow in the portal that allows unauthenticated attackers to execute arbitrary code remotely with root privileges, particularly on firewalls exposed to the internet.
- Successful exploitation gives attackers full control of affected firewalls, enabling them to compromise the network, manipulate traffic, and move laterally into internal systems.
- As a patch is not yet available, organizations are strongly advised to restrict portal access to trusted internal networks only or disable the feature entirely.
- Additional information: https://security.paloaltonetworks.com/CVE-2026-0300
AI Adoption Outpaces Safety Policies, Leaving Organizations Exposed to Cyber Risk
Article Link: https://www.infosecurity-magazine.com/news/ai-adoption-outpaces-safety-policy/
- New ISACA research found widespread enterprise AI adoption without matching governance controls. While 90% of respondents say employees use AI tools, only 38% of organizations have comprehensive AI policies.
- Weak AI governance is creating situations where employees use unsanctioned AI and LLM tools outside the oversight of security teams. This increases the risk of sensitive data exposure, privacy violations, data poisoning, and unmanaged AI-related incidents.
- More than half of respondents said they do not know how long it would take to disable an AI system during a security incident. The report also highlighted leadership and governance gaps, including low confidence in boards’ understanding of AI risks.
- Respondents said AI is making cyber threats harder to detect and manage, particularly AI-powered phishing and social engineering attacks. Many also reported declining confidence in traditional threat detection methods.
- Just under half of respondents said AI-powered cybersecurity tools improved threat detection and response capabilities, reinforcing the need for stronger governance, privacy controls, and responsible AI oversight to balance innovation with security.
