When Hackers Pick the Worst Possible Time
A company called Instructure just got hit with a cyberattack. They run Canvas, which is the platform a lot of schools and colleges use for grades, assignments, and online classes. The attack happened during finals week and knocked the system offline right when students and teachers needed it most. The timing almost certainly wasn't random. When a system is critical and people are stressed, the pressure to pay the ransom to make it stop increases significantly. That's what attackers count on. What's interesting is how it actually played out.
The first attack likely came in through Canvas's free-for-teachers program, where anyone can sign up for an account. Instructure revoked that access and thought they had it contained. Then the same hacker group, ShinyHunters, came back a second time using a different method. They found cross-site scripting vulnerabilities, which let them inject malicious JavaScript into web pages that users would load in their browsers. Once admins opened those pages, the hackers were able to hijack their sessions and use those credentials to get back into the Canvas login portals. The goal of the second attack was to add more pressure on Canvas to pay the ransom, which has not been publicly disclosed.
For regular users, a few simple habits really increase security. Turn on multifactor authentication wherever it's offered, don't reuse passwords across important accounts, and be careful with emails that try to rush you into clicking something. None of this is fancy, but it's what keeps small problems from turning into big ones.