By the N2K CyberWire staff
Top stories.
- ShinyHunters defaces Canvas portals during finals week.
- CISA orders Federal agencies to patch Ivanti zero-day by Sunday.
- Progress Software urges customers to patch critical MOVEit flaw.
- Taiwanese police arrest student for allegedly hacking train systems.
- Trellix discloses source code breach.
- UK's NCSC warns of AI-driven "patch wave."
ShinyHunters defaces Canvas portals during finals week.
The ShinyHunters criminal gang on Thursday defaced Canvas login portals belonging to hundreds of schools and universities as part of its extortion campaign against educational technology giant Instructure, BleepingComputer reports. It's unclear how the attackers hacked Canvas, but the extortion group told TechCrunch that it was caused by a second, separate breach. The incident disrupted customers' access to the platform at a time of year when many schools are conducting their final exams.
Instructure, which owns the Canvas learning management software, confirmed a data breach last week after ShinyHunters listed the company on its leak site. The company said the stolen data "consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users." ShinyHunters posted a message on the defaced websites threatening to publish the stolen data on May 12th unless Instructure pays a ransom.
CISA orders Federal agencies to patch Ivanti zero-day by Sunday.
Ivanti on Thursday issued fixes for five vulnerabilities affecting Endpoint Manager Mobile (EPMM), including an actively exploited zero-day that can allow a remotely authenticated user with administrative access to achieve remote code execution, Help Net Security reports. The zero-day, tracked as "CVE-2026-6973," is caused by improper input validation.
Ivanti stated, "We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced. We recommend customers review accounts with Admin rights, and rotate those credentials, where necessary."
The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal agencies to apply patches by Sunday, May 10th.
Progress Software urges customers to patch critical MOVEit flaw.
Progress Software is urging customers to patch two vulnerabilities affecting MOVEit Automation software, GBHackers reports. The first (CVE-2026-4670) is a critical authentication bypass flaw with a severity score of 9.8. The second (CVE-2026-5174) is a high-severity improper input validation vulnerability that can lead to escalation of privileges. Together, the two flaws "may allow authentication bypass and privilege escalation through the service backend command port interfaces."
Progress notes, "Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running."
Taiwanese police arrest student for allegedly hacking train systems.
Police in Taiwan have arrested a 23-year-old university student for hacking the TETRA (Trans-European Trunked Radio) communication system used by the country's high-speed railway network, BleepingComputer reports. The suspect allegedly used software-defined radio (SDR) equipment he bought online to intercept and decode TETRA radio parameters, then programmed them into handheld radios to impersonate beacons used by the railway. These radios were used to transmit a "General Alarm" signal, which triggered emergency brakes and halted four trains for about 48 minutes on April 5th.
The suspect is facing several criminal charges, including causing a danger to public transportation. His lawyer claims the transmission of the alarm signal was an accident.
Taiwanese politicians have also criticized the railway's operators for negligence following reports that the radio parameters had not been rotated in nineteen years.
Trellix discloses source code breach.
Cybersecurity giant Trellix has disclosed a breach of a portion of its source code repository, SecurityWeek reports. Trellix stated, "Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited." The company has notified law enforcement and says it will share more details once the investigation is complete.
While Trellix hasn't shared details about the intrusion, SecurityWeek notes that several other cybersecurity firms, including Checkmarx, Aqua Security, and Bitwarden, were recently breached via software supply chain attacks.
UK's NCSC warns of AI-driven "patch wave."
The UK's National Cyber Security Centre (NCSC) is urging organizations to prepare for a surge of patches driven by AI-assisted vulnerability discovery, Infosecurity Magazine reports. The NCSC's Chief Technology Officer, Ollie Whitehouse, explained in a blog post, "Artificial Intelligence, when used by sufficiently-skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem. As a result, the NCSC expects there will be a ‘forced correction’ to address this technical debt across all types of software, including open source, commercial, proprietary, and software as a service."
The NCSC advises organizations to reduce their external attack surfaces, prioritize technologies on the perimeter, and replace end-of-life products that no longer receive patches. The Centre also outlines the following guidance to streamline patching:
- "Where automatic secure ‘hot patching’ is available (that is, patching that doesn’t involve service disruption), this should be enabled as a priority
- "Where automatic updates are available (including for embedded devices), this should be enabled to reduce the workload on support teams
- "Where neither of the above are available, organisations will need to ensure that processes and risk appetites support frequent and scaled-updating, noting the operational trade-offs around disruption and safety-critical systems. A risk-prioritised approach, such as the Stakeholder Specific Vulnerability Categorisation (SSVC) system, can be used to prioritise installing the updates."