May 5's Top Cyber News NOW! - Ep 1125
At a glance
Instructure suffered a major breach affecting 275 million users across 9,000 institutions; Digicert recovered cleanly from a supply chain attack by revoking malicious certificates; and a wave of phishing campaigns—from Chinese APTs to SSA impersonators—continues to target organizations worldwide using legitimate remote access tools and spoofed government emails.
Stories covered
What's the scope of the Instructure Canvas platform breach?
What happened: Education software provider Instructure disclosed a cyber attack via compromised API keys that breached its Canvas LMS platform, affecting up to 275 million users across nearly 9,000 institutions. Attackers accessed names, email addresses, student IDs, and user messages. The Shiny Hunters group claimed responsibility, alleging they stole 3.65 terabytes of data.
Why it matters: Canvas is a widely deployed learning management system used by schools and universities. While passwords and financial data were not compromised, the breach highlights the risk to SaaS platforms that centralize sensitive educational records. For practitioners, this underscores the need to think beyond incident triage—operational resiliency and business continuity matter as much as forensics.
What to do: If your organization uses Canvas, monitor for credential reuse and phishing targeting affected students and staff. Review your own SaaS platform's API key rotation practices and access controls.
How did Digicert recover from its certificate authority compromise?
What happened: Digicert disclosed a malware infection on internal systems that allowed attackers to access its customer support portal and generate roughly 60 fraudulent EV code-signing certificates. The threat actor compromised a support analyst account and used it to create unauthorized certificates; some were used to sign malware. Digicert identified the compromise on April 3rd, discovered a second compromise in mid-April, and revoked all affected certificates and transactions.
Why it matters: This is a textbook example of proper incident recovery, not just response. Digicert didn't just remove the attacker—it revoked all malicious transactions and reset affected customer interactions to a known-good state. This mirrors the NIST CSF "Recover" phase, which many organizations neglect.
What to do: Review your own recovery procedures. Recovery isn't just backup restoration; it's resetting all compromised artifacts (certificates, sessions, transactions) to a clean state. Document your rollback process and test it.
Why is China-linked Silver Fox targeting Indian and Russian organizations?
What happened: APT group Silver Fox launched a phishing campaign delivering two backdoors—the newly identified ABC door and the known Valley RAT—against targets in India and Russia. Attackers used spoofed government tax authority emails and malicious archives to establish persistence with stealthy remote access.
Why it matters: The campaign used classic persistence mechanisms (Windows registry keys, scheduled tasks) typical of nation-state espionage operations. The use of tax authority impersonation remains effective because it plays on fear and urgency.
What to do: If you protect India-based organizations, immediately alert users to the fake tax authority emails. For all practitioners: remind end users that legitimate government agencies do not request sensitive data or payment via email. Consistency in security awareness messaging is critical—repeat this message regularly.
How are organized criminals using cyber tactics to steal cargo?
What happened: The FBI warned that cyber-enabled cargo theft is rising, with losses in the US and Canada reaching $725 million in 2025. Criminals phish logistics brokers and carriers, compromise accounts, post fraudulent load listings, reroute shipments, and resell stolen goods. Proof Point linked the activity to organized crime operations.
Why it matters: Cargo theft is a billion-dollar criminal enterprise that few security practitioners discuss. Attackers compromise broker and carrier email systems to intercept or redirect high-value shipments (pharmaceuticals, electronics, food products). This is not niche—it affects supply chain security across industries.
What to do: If you work in logistics, transportation, or supply chain, implement email authentication (SPF, DKIM, DMARC), monitor for unauthorized load postings, and segment access between planning and execution systems. Coordinate with law enforcement if you suspect theft.
Why should organizations whitelist remote management tools?
What happened: A phishing campaign dubbed "Venomous Helper" targeted over 80 US organizations using spoofed Social Security Administration emails to trick users into installing legitimate RMM tools (Simple Help, Screen Connect). Attackers then used these tools for persistent remote access, file theft, and lateral movement.
Why it matters: Threat actors abuse legitimate, fully-featured RMM tools because they're trusted and already deployed. Simply installing an RMM executable makes an organization vulnerable if end users can be socially engineered.
What to do: Implement an allow-list for RMM tools and deny all others at the endpoint level (application deny-by-default). If your organization uses Avanti or similar RMM solutions, whitelist only those and block unauthorized tools. Educate end users that legitimate vendors will never ask them to install software via email.
How did PyTorch Lightning become a supply chain attack vector?
What happened: A malicious version of PyTorch Lightning on PyPI executed an obfuscated JavaScript payload on import that stole browser credentials, file tokens, cloud service secrets, and enabled arbitrary command execution. Microsoft attributed the payload to Shyworm. The package was rolled back to version 2.6.1.
Why it matters: PyPI (Python Package Index) continues to be a target for supply chain attacks. Any developer using Python machine learning libraries is at risk. The credential theft component means API keys, GitHub tokens, and environment variables are now exposed.
What to do: If you use PyTorch Lightning, immediately rotate all secrets and API keys. Establish open communication channels with your development and DevOps teams about PyPI and NPM compromise trends. Treat every package update as a potential risk until verified.
How is World Leaks' breach of Hungary's Media Works connected to geopolitics?
What happened: Ransomware group World Leaks (a Hunters International rebrand) claimed to have breached Hungary's Media Works, leaking 8.5 terabytes of payroll records, contracts, and internal communications. Independent outlets reported the leak included politically sensitive editorial discussions linked to Russia. Media Works confirmed the incident and launched an investigation.
Why it matters: This breach blurs the line between financially motivated extortion and ideologically motivated data theft tied to geopolitical tensions. The timing and content suggest coordination with pro-Kremlin interests in Hungary, though this remains speculative. (Transcript ambiguous on verification of leaked data integrity.)
What to do: Monitor for now. If you protect media organizations in Central Europe, stay alert for similar targeting. For all practitioners: ensure ransomware preparedness (backups, segmentation, incident response plans) remains current—this threat remains active globally.
What can age verification bypass techniques teach security teams?
What happened: Research from Internet Matters found that 46% of UK children surveyed said age checks on online platforms are easy to bypass using fake birthdays, borrowed IDs, or even fake mustaches. 32% of kids admitted bypassing controls; 17% of parents helped them do so. Despite new online safety rules, 49% of children still encounter harmful content.
Why it matters: This illustrates the gap between control design and real-world exploitation. It also highlights perverse incentives—platforms profit from user engagement and ad sales, so there is little motivation to enforce age restrictions strictly. For security practitioners, it's a reminder that controls fail when users (especially motivated ones) find creative workarounds.
What to do: Monitor for now. If you design user controls or access restrictions, run bypass tests using tactics similar to those described here (fake data, borrowed credentials, social engineering). Treat creative control evasion as a design challenge, not user misbehavior.
Key takeaways
- Operational resiliency and recovery procedures matter as much as incident triage; document what "known-good state" means for your systems and practice getting there.
- SaaS and supply chain attacks remain the path of least resistance; whitelist trusted tools, monitor package repositories, and establish rapid communication channels with development teams.
- Phishing campaigns continue to work because they exploit urgency and fear (tax authorities, government agencies, SSA); consistent, personalized security awareness training measurably improves detection.
- Ransomware readiness is table-stakes in 2026; ensure leadership understands decision trees (pay ransom? call insurance? engage IR?), know where all secrets are stored, and practice key rotation before you need it.
- Legitimate tools (RMM software, Python libraries, certificates) are weaponized daily; assume supply chain and tool compromise, implement allow-lists, and rotate secrets proactively.
Topics covered
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.