RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: krebs (2 articles)Clear
threat
2026-05-08

ShinyHunters is now extorting individual schools using stolen Canvas data - thousands of K-12 districts and universities receiving direct ransom demands

Update on the Instructure breach we covered May 4: ShinyHunters has shifted from extorting Instructure itself to extorting individual schools and universities with their own Canvas data. BleepingComputer and Krebs on Security report that 8,800+ institutions have received direct ransom demands referencing real student records, teacher accounts, and gradebook data from their own Canvas tenants. The campaign mirrors the 2025 PowerSchool aftermath. Some schools are receiving demands sized to the institution. Krebs notes affected schools are scrambling to comply with state student-privacy laws while negotiating with attackers.

instructurecanvasshinyhuntersfollow-upmass-extortion8800-schoolspowerschool-comparisonferpacoppastate-student-privacy-lawskrebs
Check
If your school uses Canvas, check whether you've received any direct extortion communications referencing real Canvas data since May 4. Audit Canvas API access logs for bulk data exports between February and April.
Affected
8,800+ schools, universities, and corporate training organizations using Canvas. K-12 districts face acute risk under state student-privacy laws (NY 2-d, California SOPIPA, ~130 similar statutes) plus COPPA for under-13 student data. Universities face FERPA exposure. Smaller institutions without legal counsel are most likely to pay rather than report.
Fix
Do not respond directly to extortion communications - report to FBI IC3 first and consult legal counsel before any contact. Notify affected students, parents, and faculty per state notification timelines (most require 30-60 days). Issue COPPA and FERPA notifications where applicable. Rotate Canvas API keys and re-authorize integrations. Track Instructure's response separately - many schools report the vendor unresponsive on individual cases.
threat
2026-04-30

Brazilian anti-DDoS firm Huge Networks was running a Mirai botnet that knocked Brazilian ISPs offline for years - either to drum up business or because someone breached their CEO's SSH keys

Brian Krebs published an investigation showing that Huge Networks, a Brazilian DDoS protection firm, has been running the Mirai-based botnet behind a years-long DDoS campaign against other Brazilian ISPs. An exposed open directory revealed Portuguese-language Python attack scripts that relied on the personal SSH keys of Huge Networks CEO Erick Nascimento. The botnet ran on compromised TP-Link Archer AX21 routers and unmanaged DNS servers, attacking Brazilian IP prefixes for 10-60 seconds at a time. Nascimento says a January 2026 intrusion compromised his SSH keys; he denies running the attacks. ISPs say the attacks have been ongoing since December 2024.

huge-networksddos-for-hiremiraibrazilian-ispstp-linkarcher-ax21krebsbotnetinvestigative
Check
If you run a TP-Link Archer AX21 router or any consumer router for business use, factory-reset it and update to the latest firmware - they remain a primary Mirai botnet recruitment target.
Affected
TP-Link Archer AX21 routers and similar consumer-grade equipment remain widely used as Mirai botnet members. Brazilian ISPs are the targets, but Mirai variants are used worldwide. The deeper pattern: DDoS protection firms turning out to be the source of the attacks they bill to mitigate is recurring (Krebs identified the original 2016 Mirai authors as DDoS provider co-owners).
Fix
For TP-Link Archer AX21 owners: factory reset, update firmware, disable WAN-side admin access. Replace if firmware is end-of-life. For organizations evaluating DDoS providers: ask for clear separation between attack telemetry and customer acquisition, request audited proof of how attack traffic is sourced, and consider providers in jurisdictions with stronger anti-fraud regulations.