Instructure, schools recover from Canvas cyberattack

By Alvin Wu
Science and Technology
Instructure, schools recover from Canvas cyberattack

UMD Division of Information Technology (DIT) page providing updates on the Canvas cyberattack. ZFJ/Alvin Wu

COLLEGE PARK, Md., May 9 (ZFJ) — Instructure and impacted schools have been recovering from the Canvas defacement cyberattack on Thursday, May 7.

Data extortion group ShinyHunters defaced university Canvas instances on Thursday with a pay-or-leak ransom note following repeated failed attempts to get Instructure to negotiate a payment to prevent the release of data stolen from the company.

This cyberattack, which occurred during the end of the semester and finals season for many universities, meant students were no longer able to submit assignments or access course resources via Canvas. Many universities that had begun administering finals chose to postpone exams scheduled for Friday, May 8.

The defacement subsequently forced Instructure to place the platform under maintenance mode as its team worked to patch vulnerabilities in its infrastructure and an external digital forensics firm verified that no more unauthorized activity was ongoing.

In an incident update, Instructure said that the threat actor exploited an issue with Free-For-Teacher (FFT) accounts, which is a free service that allows instructors to create Canvas courses. The company has shut down FFT accounts pending a fix for the vulnerability.

Instructure has maintained its earlier position that the data that was initially compromised on April 29 includes names, email addresses, student ID numbers, and Canvas Inbox messages. The company says that the preliminary investigation has not uncovered the loss of passwords, dates of birth, government identifiers, or financial information.

The company reported that Canvas was once again available and safe to use for most users on Thursday at 21:17 MDT (11:17 p.m. EDT).

In the course of its incident response, the company revoked internal credentials, access tokens, and keys, and notified the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

There has been no confirmation of whether or not Instructure paid the ransom. ZFJ editor-in-chief Alvin Wu checked the ShinyHunters data leak site and found that the company was no longer on the list of victims.

Data extortion groups, which are primarily financially motivated, use leak sites to publicly punish previous victims who refused to pay ransoms. As such, these gangs generally do not remove victims from their sites unless the victim has paid up, or at minimum, is negotiating a payment.

After being inundated with press inquiries, ShinyHunters posted on Saturday, May 9, that “We are not commenting and have no further comment to make regarding this global incident.”

It is presently unclear whether ShinyHunters will be proceeding with a data leak should they not be satisfied with payments by May 12. Should the data be leaked, it could be used to conduct highly targeted phishing attacks. The Canvas Inbox messages may also include sensitive information, such as communications with professors about personal situations, doctor’s notes, and accessibility accommodations.

The FBI Cyber Division posted a public service announcement on social media saying that it is aware of the incident.

The FBI recommended that people not pay ransoms or respond to the demands of anyone claiming to have their data due to the questionable legitimacy of criminals’ claims. The agency also warned people to be vigilant for phishing scams and recommended that they await formal guidance from their educational institution about the scope of the incident and the nature of the data that was compromised.

The PSA added that anyone who believes they have been impacted by the attack should file a complaint with the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/.

UNIVERSITY OF MARYLAND, COLLEGE PARK (UMD)

The UMD Division of IT (DIT) restored access to Canvas on Friday (the last day of classes) at 11:10 a.m. following a security review.

In an FAQ page about the incident, DIT Security said that, while new logins were disabled when Canvas was initially brought back online Thursday evening, Canvas apparently cached (in other words, retained) information for people who had been logged in when the system went down. DIT commented, “UMD is still seeking further explanation from Instructure about why this happened.”

Some people saw an unfamiliar login page, and word spread quickly online that this page was fake and intended to harvest credentials. However, DIT Security has confirmed that it was an alternate login page that Canvas uses when some authentication systems are down, and UMD has no evidence that passwords entered in it were compromised. Anyone still concerned can change their password at https://password.umd.edu/.

Alternate UMD Canvas login page, provided to the ZFJ by a student. ZFJ/Alvin Wu Alternate UMD Canvas login page, provided to the ZFJ by a student and used with their permission. ZFJ/Witness

UMD will not be postponing final exams because reading day falls on Saturday this semester, so exams will begin on Monday as scheduled.

“This atypical schedule provides our students with an extra day of study, on Sunday, to mitigate the hours lost during the Canvas outage,” reads the FAQ page.

Students scheduled to complete finals with the Accessibility and Disability Service (ADS) are expected to report to their testing locations as originally scheduled.

UMD denies paying any ransom to the criminals.

DIT Security noted that it routinely contracts independent companies to test the security of university systems, and all Canvas data is downloaded and backed up on an archival server on a daily basis.

RUTGERS UNIVERSITY (RU)

The Rutgers Office of Information Technology (OIT) restored access to Canvas on Friday at 8:51 p.m. following a security review.

Communications from Jason Geary, provost of the New Brunswick campus, say no final exams could be administered on Friday, the second scheduled day of finals, since “Doing so is unfair to students who may not have had access to important study materials and who were told explicitly that today’s exams are postponed.”

In another message, Geary says that all exams postponed on Friday have been shifted to the same time on Sunday, May 10. The full updated exam schedule is available at https://scheduling.rutgers.edu/exam-scheduling/final-exams/.

In threads on the r/rutgers subreddit, students and faculty posted about the ensuing confusion from the exam postponement as well as disruptions to Mother’s Day plans, travel plans, and part-time work:

References