Canvas Breach Crisis, PAN-OS Zero-Day Exploited, Teams Credential Heist
Quick Answer
This past week was one of the most turbulent in recent memory for the cybersecurity world. From a brazen ransomware assault on millions of students just ahead of finals, to a critical unpatched firewall flaw putting Fortune 500 companies at risk, to a nation-state group disguising espionage as a ransomware attack, the threat actors were busy. Here’s your full roundup.
ShinyHunters Holds 275 Million Students Hostage via Canvas Breach
The hacking group ShinyHunters claimed responsibility for a major breach of Instructure’s Canvas learning management platform, which is used to manage grades, course notes, assignments, and lecture videos across thousands of schools. Instructure said it first detected unauthorized activity on April 29, revoked the attacker’s access, and brought in outside forensic experts. On May 5 it notified affected schools. On May 7 it found further unauthorized activity tied to the same April 29 intrusion: this time the login pages that students and teachers see when accessing Canvas had been altered.
If Instructure did not pay, the group threatened to leak “several billions of private messages among students and teachers.” It told Instructure to make contact by May 6, before it would begin leaking data, and warned the company to “make the right decision.” ShinyHunters then escalated by defacing school login portals with ransom messages. The timing, right before final exams, put maximum disruption pressure on institutions.
DMARC and email authentication will not stop a platform breach of this scale, but they matter for the wave of phishing that follows any major incident: fake “urgent account notices” spoofing the affected institution’s domain and aimed at panicked students and parents. Keep the limit in mind: DMARC enforcement covers exact-domain spoofing only, so look-alike domains still need separate monitoring.
Critical Palo Alto PAN-OS Zero-Day Under Active Exploitation
A critical buffer overflow in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS allows an unauthenticated attacker who can reach the portal to execute arbitrary code as root on PA-Series and VM-Series firewalls by sending specially crafted packets. The flaw is tracked as CVE-2026-0300 and carries a CVSS score of 9.3.
CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate it by May 9, 2026. Fixed releases are scheduled in a staggered rollout between May 13 and May 28, depending on the PAN-OS version branch in use, so the federal deadline falls before a patch exists for any branch. Until a fixed release is available, administrators are strongly urged to restrict the User-ID Authentication Portal to trusted internal network zones only, or to disable it entirely if it is not strictly required.
PAN-OS firewalls are widely deployed in enterprise environments, making this one of the most urgent vulnerabilities of the year so far.
Iranian State Hackers Use Microsoft Teams to Steal Credentials in False Flag Attack
The Iranian state-sponsored hacking group known as MuddyWater has been linked to a sophisticated attack that used Microsoft Teams to steal credentials and manipulate MFA, in what Rapid7 described as a “false flag” operation designed to look like a Chaos ransomware attack.
Rather than deploying file-encrypting ransomware, the threat actors engaged victim employees directly over Microsoft Teams, establishing screen-sharing sessions to capture credentials and take over accounts. They also performed reconnaissance, credential harvesting, and data theft, activity typical of espionage rather than financially motivated crime.
The attribution to MuddyWater rests on a code-signing certificate issued to “Donald Gay,” which the cluster has previously used to sign its malware. Security experts warn that Teams-based social engineering is surging in 2026; employees should treat any unsolicited IT support request arriving through the platform with deep skepticism and verify it through a separate, known channel.
CISA Launches “CI Fortify” to Protect Critical Infrastructure from Nation-State Cyberattacks
The federal government’s top cybersecurity agency warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to threaten critical sectors like electricity, water, and internet. In response, CISA launched CI Fortify, an initiative designed to ensure essential service providers can continue operating even during an active cyberattack.
The guidance focuses on two emergency planning objectives: isolation and recovery. Isolation involves proactively disconnecting from third-party and business networks to safeguard operational technology. Recovery involves documenting systems, backing up critical files, and practicing the replacement of systems or transitioning to manual operations in case a cyberattack shuts down critical infrastructure.
CISA’s acting director noted that artificial intelligence is also a primary concern driving the pivot to CI Fortify, given the increasing speed at which AI is changing the types of impacts defenders face across both critical infrastructure and operational technology.
AI-Guided Hacker Compromises Municipal Water Utility in Mexico
Incident response firm Dragos reported that a hacker used an AI model to compromise a municipal water and drainage utility in Monterrey, Mexico. While full details of the intrusion remain limited, it is one of the first publicly confirmed cases of an attacker leveraging AI to guide an attack on public water infrastructure, a chilling signal of what defenders are up against in 2026.
The incident underscores how AI is no longer just a tool for defenders; attackers are now using it to accelerate reconnaissance, identify vulnerable entry points, and move through operational technology networks that control critical public services. CISA’s CI Fortify initiative, launched the same week, is directly relevant to threats of this kind.
Cushman & Wakefield Hit by ShinyHunters, 500,000 Salesforce Records Exposed
Global real estate services giant Cushman & Wakefield became a victim of a data-theft attack carried out by the ShinyHunters extortion group. The attack exposed over 500,000 Salesforce records, including personally identifiable information and other internal corporate data.
The breach adds to an alarming pattern: ShinyHunters is running simultaneous high-profile campaigns across education, healthcare, corporate, and cloud sectors. Their targeting of Salesforce customer records highlights how third-party CRM platforms, often trusted as the source of truth for customer data, are becoming premium targets for cybercriminals looking to harvest large volumes of PII in a single operation.
Microsoft Warns of Large-Scale Phishing Campaign Targeting 35,000 Users
Microsoft researchers warned of a large-scale phishing campaign using fake compliance emails to steal credentials, targeting 35,000 users across 13,000 organizations worldwide. The campaign used official-looking messages that mimicked regulatory compliance notifications, a tactic designed to trigger urgency and bypass a recipient’s skepticism.
This is exactly where DMARC enforcement becomes a frontline defence. When a domain publishes SPF and DKIM and a DMARC policy of quarantine or reject, receivers that honor the policy discard or quarantine mail that claims to come from that domain but fails aligned authentication, so attackers cannot spoof it at scale. A policy of p=none only reports; it blocks nothing. Organizations without DMARC enforcement leave themselves, and their customers, open to impersonation at scale.
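The following is an added illustration of the enforcement logic described in this section and in the Canvas phishing note above; it is not DMARC Report or DuoCircle code. It does no DNS lookups: the `_dmarc` TXT records and the SPF/DKIM results fed to it are constructed sample data, and `org_domain` is a deliberate simplification (last two labels) of the Public Suffix List logic a real receiver uses.

```python
"""DMARC record audit and disposition (added example; constructed data)."""

# Constructed sample _dmarc.<domain> TXT records, not live DNS answers.
SAMPLE_RECORDS = {
    "unprotected.example": None,  # no _dmarc record published at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=50; adkim=s; aspf=r",
    "reject.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:rua@reject.example",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not a usable record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # RFC 7489 defaults: relaxed alignment, 100%
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def classify(record):
    """What the published policy actually buys you against exact-domain spoofing."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    if tags["p"].lower() == "none":
        return "monitor-only"
    if int(tags["pct"]) < 100:
        return "partial"  # only a sample of failing mail is acted on
    return "enforcing"


def audit(records):
    """Map each domain to its enforcement status."""
    return {domain: classify(rec) for domain, rec in records.items()}


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption for the demo)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, record):
    """Return 'pass', or the action ('none'/'quarantine'/'reject') a receiver applies.

    'none' also covers a missing record, i.e. the spoof is delivered untouched.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()


if __name__ == "__main__":
    for domain, status in audit(SAMPLE_RECORDS).items():
        print(f"{domain:22} {status}")
    # A spoof: attacker's own SPF-passing server, From: header claims reject.example.
    print(dmarc_disposition("reject.example", True, "attacker.example",
                            False, "", SAMPLE_RECORDS["reject.example"]))
```

The two checks a practitioner wants are `classify`, which flags `p=none` and `pct<100` as non-enforcing rather than trusting that a record merely exists, and `dmarc_disposition`, which shows why an attacker’s own SPF pass does not help them: the SPF domain must align with the visible From domain.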
GitHub RCE Flaw Could Have Exposed Millions of Private Repositories
Researchers from Wiz disclosed a critical vulnerability affecting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single “git push” command. The flaw, tracked as CVE-2026-3854 with a CVSS score of 8.7, stemmed from push option values that were not properly sanitized before being included in internal service headers.
On GitHub Enterprise Server, exploitation would have allowed full server compromise and access to all repositories and internal secrets. On GitHub.com, it allowed remote code execution on shared storage nodes, with millions of public and private repositories accessible from the affected nodes. GitHub deployed a fix within six hours of the responsible disclosure and confirmed that no exploitation occurred in the wild before it was applied.
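The page does not describe the exact primitive Wiz used, so the following added example illustrates only the bug class it names: an attacker-controlled value copied verbatim into an internal header. It is not GitHub’s code or Wiz’s proof of concept; the `X-Push-Option` header name, the internal request shape and the injected `X-Internal-Admin` header are assumptions made for the illustration, and the classic CR/LF header-injection pattern is assumed as the vehicle.

```python
"""Untrusted value in an internal header: vulnerable builder beside a hardened one.

Added example, not GitHub's code. Header names and request shape are assumptions.
"""
import re

_CTL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and every other ASCII control char


def _request_lines():
    # Assumed shape of an internal service request; not a real GitHub endpoint.
    return ["GET /internal/repo HTTP/1.1", "Host: storage.internal"]


def build_headers_unsafe(push_options):
    """Vulnerable: each push option is concatenated into a header unchanged."""
    lines = _request_lines()
    for opt in push_options:
        lines.append("X-Push-Option: " + opt)
    return "\r\n".join(lines) + "\r\n\r\n"


def validate_push_option(opt, max_len=512):
    """Allow-list the value: bounded length, ASCII, no control characters."""
    if len(opt) > max_len:
        raise ValueError("push option too long")
    if not opt.isascii():
        raise ValueError("push option must be ASCII")
    if _CTL.search(opt):
        raise ValueError("push option contains control characters")
    return opt


def build_headers_safe(push_options):
    """Hardened: refuse the request instead of forwarding a smuggled header."""
    lines = _request_lines()
    for opt in push_options:
        lines.append("X-Push-Option: " + validate_push_option(opt))
    return "\r\n".join(lines) + "\r\n\r\n"


def safe_rejects(push_options):
    """True if the hardened builder refuses these options."""
    try:
        build_headers_safe(push_options)
    except ValueError:
        return True
    return False


def header_names(raw):
    """Parse the raw request the way a naive receiver does: one header per CRLF line."""
    names = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        names.append(line.partition(":")[0].strip())
    return names


if __name__ == "__main__":
    # Constructed attacker input: a push option carrying an embedded CRLF.
    evil = ["ci.skip", "x\r\nX-Internal-Admin: true"]
    print(header_names(build_headers_unsafe(evil)))  # the smuggled header appears
    print(safe_rejects(evil))                         # hardened builder refuses it
```

The point is in `header_names`: run over the unsafe output, the receiver sees an `X-Internal-Admin` header the client was never allowed to set. The fix is to validate at the boundary where untrusted bytes enter an internal protocol, not to rely on the downstream service noticing.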
Linux Kernel “Dirty Frag” Vulnerability Discovered, Successor to “Copy Fail”
Details have emerged about a new, unpatched local privilege escalation vulnerability in the Linux kernel, dubbed “Dirty Frag.” It is described as a successor to “Copy Fail” (CVE-2026-31431), a recently disclosed flaw that has since come under active exploitation. Dirty Frag achieves root privileges on most Linux distributions by chaining two page-cache write vulnerabilities together.
What makes Copy Fail particularly dangerous is that it is deterministic, unlike most local privilege escalation bugs, which are probabilistic and may need many attempts. The underlying bug traces back to a 2017 kernel change originally intended to speed up data encryption, so all major Linux distributions shipping kernels from 2017 onward are affected. With Dirty Frag emerging as a successor before a fix is available, Linux administrators have a serious new threat to contend with and should prioritise kernel updates as they land.
PCPJack Credential Stealer Worms Across Cloud Infrastructure
Security researchers disclosed details of a new credential theft framework called PCPJack that targets exposed cloud infrastructure and removes any artifacts linked to TeamPCP from the environments it lands in. The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates them through attacker-controlled infrastructure while attempting to spread to additional hosts.
PCPJack specifically targets exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, spreading in a worm-like fashion across compromised networks. Researchers at SentinelOne assess that the campaign’s ultimate goal is credential theft feeding fraud, spam, extortion, or the resale of stolen data on criminal marketplaces.
MOVEit Automation Critical Authentication Bypass Patched
Progress Software released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation is a secure, server-based managed file transfer solution used to schedule and automate file movement workflows in enterprise environments.
MOVEit became infamous following the 2023 mass exploitation that impacted hundreds of organisations globally. The fact that new critical vulnerabilities are still emerging in the product, and that organisations continue to use it, makes patching especially urgent. Any unpatched MOVEit instance is a high-value target.
Vishing-Based Cybercrime Groups “Cordial Spider” and “Snarky Spider” Ramp Up SaaS Attacks
Two cybercrime groups tracked as Cordial Spider and Snarky Spider are carrying out rapid, high-impact attacks that operate almost entirely within SaaS environments. According to CrowdStrike, these actors use vishing to bypass MFA and then move laterally across an entire SaaS ecosystem on a single authenticated session, masking their tracks through residential proxy networks so the traffic blends in with legitimate home users.
These groups are part of a broader trend of English-speaking ransomware crews that share similar playbooks but operate under distinct brands. Residential proxies make geography-based detection (impossible travel, unexpected countries) particularly unreliable; the more robust signal is an authenticated session that suddenly continues from a different network than the one that completed the MFA challenge.
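As an added example of the session-continuity check just described (not CrowdStrike’s detection logic), the script below runs over a few constructed SaaS audit lines and flags any session that hops to a different ASN within a short window of its previous event. The log format (`timestamp,user,session_id,src_ip,asn,action`), the IP addresses and the ASNs are all invented for the demo.

```python
"""Flag authenticated sessions that change network shortly after MFA.

Added example with constructed log lines; not vendor detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one event per line, fields are
# timestamp,user,session_id,src_ip,asn,action. Addresses/ASNs are documentation ranges.
SAMPLE_LOG = """\
2026-05-12T14:02:10Z,alice,sess-7f3a,203.0.113.10,AS64496,login_success
2026-05-12T14:02:41Z,alice,sess-7f3a,203.0.113.10,AS64496,mfa_approved
2026-05-12T14:05:03Z,alice,sess-7f3a,198.51.100.77,AS64500,saas_admin_console
2026-05-12T14:06:19Z,alice,sess-7f3a,198.51.100.77,AS64500,bulk_export
2026-05-12T14:10:00Z,bob,sess-9c1d,203.0.113.22,AS64496,login_success
2026-05-12T14:12:30Z,bob,sess-9c1d,203.0.113.22,AS64496,mailbox_read
2026-05-12T09:00:00Z,carol,sess-2b2b,203.0.113.31,AS64496,login_success
2026-05-12T18:30:00Z,carol,sess-2b2b,192.0.2.55,AS64501,mailbox_read
"""


def parse_log(text):
    """Parse CSV-style lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, session, ip, asn, action = line.strip().split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "session": session, "ip": ip, "asn": asn, "action": action,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_split_sessions(events, window=timedelta(minutes=30)):
    """Return sessions whose consecutive events come from different ASNs within `window`.

    A slow change (user goes home hours later) is ignored; a token that is suddenly
    used from a residential network minutes after MFA is exactly the vishing pattern.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    flagged = {}
    for session, evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["asn"] != prev["asn"] and cur["ts"] - prev["ts"] <= window:
                flagged[session] = {
                    "user": cur["user"],
                    "from": (prev["ip"], prev["asn"]),
                    "to": (cur["ip"], cur["asn"]),
                    "gap_s": int((cur["ts"] - prev["ts"]).total_seconds()),
                    "first_action": cur["action"],
                }
                break
    return flagged


if __name__ == "__main__":
    for session, hit in find_split_sessions(parse_log(SAMPLE_LOG)).items():
        print(session, hit)
```

Only alice’s session fires: her MFA approval came from the corporate ASN and, 142 seconds later, the same session token was used from a different network to open an admin console and export data. Bob never changes network, and carol’s change happens hours later, outside the window, so neither is flagged. In production the ASN would come from your IdP’s enrichment rather than the log line, and you would pair the hit with the session’s first privileged action.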
AI Investment Scam Network Spans 15,500 Domains
AI investment scammers abused the Keitaro ad-tracking platform to cloak their campaign, exposing it only to likely targets. Spanning over 15,500 domains, the campaign is one of the largest AI-themed investment fraud operations identified to date. Victims are lured with promises of AI-powered trading returns, only to have their funds stolen. The abuse of legitimate ad-tracking infrastructure to selectively surface scam pages is an effective evasion tactic: ordinary visitors, crawlers and security researchers see a benign page, and only those profiled as likely victims are shown the fraudulent content. The technique is now being widely adopted across crypto, forex, and AI investment scams.
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.