W1RETAP CYBER BRIEF


By: HackNoGood
Thursday, May 07, 2026

EDUCATION SECTOR HIT HARD BY CANVAS BREACH

Affected data includes names, email addresses, student ID numbers, and private messages between students and teachers. There is no evidence that passwords, birth dates, government IDs, or financial info were compromised, but the scale is massive: reports claim impacts on up to 9,000 institutions and hundreds of millions of records.

Impacts reported so far:

  • Australian providers (universities, TAFE, public schools in Queensland, Tasmania, etc.).
  • U.S. districts like Wake County and Charlotte-Mecklenburg in North Carolina.
  • Global ripple effects on K-12 and higher ed.

Instructure says the incident is contained, with some services restored after maintenance. ShinyHunters demanded ransom and threatened leaks. Schools are notifying users and monitoring for follow-on phishing. OSINT tip: Check your institution’s status page and enable MFA everywhere.

ZERO-DAY EXPLOITED: PALO ALTO FIREWALLS UNDER FIRE

Palo Alto Networks disclosed active exploitation of CVE-2026-0300, a critical buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal). Unauthenticated attackers can achieve remote code execution with root privileges on PA-Series and VM-Series firewalls.

Key details:

  • CVSS up to 9.3 if the portal faces the internet.
  • Impacts older PAN-OS versions (10.2 through 12.1 branches).
  • CISA added it to the Known Exploited Vulnerabilities catalog on May 6; federal agencies must mitigate by May 9.
  • Patches start rolling out May 13. Immediate workarounds: Restrict portal access to trusted IPs or disable it.

Thousands of instances remain exposed. If you run Palo Alto gear, audit your configs now. This one lets attackers own the box and pivot deep into networks.

RANSOMWARE AND BREACH WAVE: MAY 6 DUMP

Multiple organizations appeared on leak sites yesterday, primarily hit by Bavacai, Qilin, and others:

  • Académie de Montpellier (France education).
  • ActionAid International (NGO).
  • Ahorramas (retail, Spain).
  • Arçelik, CEAGESP (Brazil), and more smaller firms.

Starr Insurance disclosed a ransomware incident (Akira group claimed 15GB stolen).

Pattern: Supply-chain and third-party vectors continue dominating. Education and NGOs remain soft targets.

OTHER NOTABLE HITS

  1. DigiCert Breach: Attackers used a malicious .scr (screensaver) file via support chat to compromise systems and issue ~27 fraudulent EV code-signing certificates. Dozens revoked; used to sign malware. Classic social engineering with a sneaky delivery.
  2. MuddyWater (Iran-linked): Leveraging Microsoft Teams for credential theft in false-flag ransomware ops.
  3. Chrome patched CVE-2026-7958 (ServiceWorker issue).
  4. Ongoing Linux “Copy Fail” discussions from recent kernel zero-day (local root via simple script).

OSINT QUICK HITS & ADVICE

  1. Scan Shodan or Censys for exposed Palo Alto Captive Portals in your org.
  2. Monitor leak sites and Have I Been Pwned for Canvas-related exposures.
  3. Ransomware volume remains high; human elements (phishing, vendor access) drive most incidents.
  4. Patch aggressively. Restrict internet-facing management interfaces. Test backups.

HackNoGood OUT!
