Dive Brief:
- Dozens of higher education institutions may have been hit by another attack from the cybercrime group behind the May hack against Canvas, according to the Google Threat Intelligence Group and cybersecurity firm Mandiant.
- From May 27 to June 9, the group ShinyHunters potentially gained access to the systems of over 100 organizations by targeting the Oracle PeopleSoft software suite. A majority of them are based in the U.S., and 68% are within the higher education sector, GTIG and Mandiant said in a post Thursday.
- ShinyHunters twice gained unauthorized access to Instructure’s Canvas learning management system last month, disrupting final exam season at colleges nationwide.
Dive Insight:
Oracle's PeopleSoft is a wide-ranging software suite that organizations often use for human resources management and financial operations.
GTIG and Mandiant, both of which are Google units, said several institutions targeted by ShinyHunters successfully blocked the hack or fixed the vulnerabilities in Oracle's software. But others had their data stolen and published on the group's website.
The University of Nottingham, in England, confirmed the following day it had suffered a cybersecurity breach during which a threat actor accessed "a significant amount of data in our student record system."
In an email to students, the university said it was still working to assess which data had been accessed. But it was "operating on the precautionary assumption" that the breach included names, email addresses, university IDs and students' course information, as well as some financial and insurance information, according to a copy of the email published by Politics UK.
ShinyHunters has claimed credit for the hack.
Some of the breached organizations have since received extortion demands, according to tech website Bleeping Computer.
On June 10, Oracle released a security alert about the vulnerability ShinyHunters exploited, but the company did not confirm whether any of its software users had already been breached.
Oracle did not immediately respond to questions Friday.
Colleges are a prime target for cybercriminals, both because they hold vast troves of student and employee data and because their systems typically have a massive number of users that turn over regularly.
In the Oracle and Instructure hacks, ShinyHunters gained access to data through system vulnerabilities at companies with whom colleges contracted — another big risk facing higher education.
The Canvas breaches affected hundreds of institutions and exposed personal information such as users’ names, email addresses, student ID numbers and messages, ShinyHunters alleged. The hack came at the tail end of the spring semester and forced many colleges to take Canvas offline amid finals and grading.
ShinyHunters set a May 12 deadline for Instructure to reach an agreement with the group or risk the data being leaked.
The day before the deadline, Instructure announced it struck a deal to have the stolen data returned. According to cybersecurity experts, the company’s deal appears to involve a ransomware payment, against the guidance of the FBI.
Instructure CEO Steve Daly later acknowledged the "enormous" effects the abrupt loss of Canvas access had on colleges and K-12 schools.
The goal moving forward is "to develop a clear playbook for how we collectively secure our environments and, should something happen that affects system availability, have a redundant ecosystem that our community can rely on," he said in a May 26 statement.