Top news stories this week
- Grade A breach. Global impact following Canvas learning management system breach.
- Critical warning. Multiple vulnerabilities announced impacting Linux, MOVEit file transfer, Palo Alto firewall, and Apache HTTP server.
- Loco-motivated. Taiwanese hacker triggers emergency brakes on high-speed rail network.
- Ad-versaries. Top search results lead to backdoors and breaches in recent campaigns.
- From leaks to locks. Ransomware negotiator sentenced to lengthy prison sentence.
- Double trouble. Two ransomware groups claim Cushman & Wakefield as victim.
1. Global impact following Canvas learning management system breach
Instructure, the developer of the Canvas learning management system, confirmed a data breach after the extortion group ShinyHunters added the company to its leak site and defaced Canvas login pages with a ransom note. ShinyHunters has claimed the breach affects a dataset covering 275 million individuals and nearly 9,000 schools worldwide and has threatened to release data on 12 May.
So what?
Organisations using the Canvas system should engage specialist support to determine their risk exposure and set up monitoring for data leaks.
[Researcher: Milda Petraityte]
2. Palo Alto, Progress Software, Linux and Apache respond to security flaws
Palo Alto is urging customers to restrict access to, or disable use of, the User-ID Authentication service following the discovery of a critical zero-day vulnerability (CVE-2026-0300). Until a patch is developed, over 5,800 PAN-OS VM-series firewalls are potentially exposed.
Separately, researchers have uncovered a new ‘Copy Fail’ vulnerability (CVE-2026-31431) which enables privilege escalation on most Linux distributions. Progress Software also disclosed new security flaws (CVE-2026-4670 and CVE-2026-5174) which affect the MOVEit automation tool and allow for unauthorised access.
Additionally, Apache released security updates to address the critical HTTP/2 vulnerability (CVE-2026-23918), which could lead to remote code execution.
So what?
It is crucial to have a robust patching programme in place as AI accelerates the discovery of vulnerabilities. A defined and implemented process for vulnerability identification, remediation and tracking reduces the likelihood of compromise via unpatched systems.
[Researcher: Adelaide Parker]
3. Taiwanese hacker triggers emergency brakes on high-speed rail system
A Taiwanese student has been arrested for triggering the emergency brakes on trains servicing Taiwan’s high-speed rail network. The individual purchased commercially available radio equipment, which he used to broadcast a “high-priority” general alert, halting all the trains. A subsequent investigation revealed that the signalling protocol for this alert had not been rotated for nearly 20 years.
So what?
This incident demonstrates how operational negligence can inadvertently create an attack surface. Critical equipment that pre-dates modern security standards and frameworks should be reviewed for legacy protocols.
[Researcher: Lester Lim]
4. Top search results lead to backdoors and breaches in recent campaigns
Threat actors are abusing sponsored search results and trusted brands to deliver malware and steal credentials. A fake Claude AI site was recently discovered that deploys backdoor malware.
Separately, malicious Google Ads are being used to direct users to fake login pages that capture credentials and 2FA codes for website management sites.
So what?
Top search results and sponsored ads cannot be trusted by default. Users should always verify they are on a legitimate domain before downloading software or entering credentials, and avoid relying on search results alone.
[Researcher: Jenny Eysert]
5. Ransomware negotiator sentenced to lengthy prison sentence
A Latvian member of the prominent Karakurt extortion gang, who was extradited from Georgia, Eastern Europe, has been given an 8.5-year prison term in the US. Deniss Zolotarjovs, operating online as "Sforza_cesarini", acted as a ransomware negotiator for Karakurt, which is believed to have blackmailed organisations out of hundreds of millions of dollars.
So what?
Extradition remains a real threat to high-profile ransomware operators, even when they operate from outside the jurisdictions that prosecute them.
[Researcher: Jack Woods]
6. Two ransomware groups claim Cushman & Wakefield as victim
ShinyHunters and Qilin both claim to have breached real estate giant Cushman & Wakefield (C&W). ShinyHunters claimed to have stolen over 500,000 Salesforce records containing PII and internal corporate data, while Qilin has also added C&W to its own leak site, but without providing further information. There is no known link between the two groups. C&W has confirmed a "limited" data security incident caused by a vishing attack.
So what?
Being claimed by two unrelated actors forces defenders to run parallel workstreams to assess credibility and manage competing extortion timelines without losing message consistency to regulators, customers and staff.
[Researcher: Ayo Olayinka]