The threat actor ShinyHunters has reportedly claimed a second attack against Instructure, the creator of the Canvas Learning Management Platform (LMS). While the company struggles to confirm the full scope and wrestle back control of their environment, the implication is clear: vast repositories of Personally Identifiable Information (PII) belonging to students and educators are at imminent risk of exfiltration. For defenders, this is not just a headline; it is a tactical indicator that threat actors are actively targeting the EdTech sector, likely via credential stuffing, session hijacking, or leveraging third-party access. Security teams must immediately shift to a "assume breach" posture, hunting specifically for the indicators of massive data staging and egress associated with ShinyHunters' TTPs.
Technical Analysis
Affected Products & Platforms:
- Vendor: Instructure
- Product: Canvas LMS (Cloud-hosted SaaS)
Threat Actor & TTPs:
- Actor: ShinyHunters
- Tactics: This group specializes in data theft and extortion. While specific CVEs are not always the primary vector in their recent campaigns (often relying on compromised credentials or session tokens), the outcome is consistent: unauthorized database access and bulk data downloading.
Attack Chain (Defender Perspective):
- Initial Access: Likely achieved through credential theft, compromised session tokens, or a supply-chain vendor with access to Instructure's environment.
- Discovery: Attackers enumerate database schemas and storage buckets to locate high-value PII tables.
- Collection: Data is staged, often compressed, to minimize transfer time and evade simple size-based filters for short durations.
- Exfiltration: Large volumes of data are transferred to external endpoints (cloud storage or attacker-controlled IPs).
Exploitation Status:
- Confirmed Active Exploitation: Yes. ShinyHunters has publicly claimed access and released proof, and the "second attack" claim suggests persistent access or re-entry despite initial containment attempts.
Detection & Response
The following detection logic focuses on the behaviors typically observed in ShinyHunters intrusions: the execution of database dump utilities, unusual compression/archiving activity, and high-volume egress traffic indicative of bulk PII theft.
---
title: Potential Database Dump Tool Execution
id: 8a1f2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects execution of common database dumping utilities often used by threat actors like ShinyHunters to stage PII for exfiltration.
references:
- https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2025/01/10
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\mysqldump.exe'
- '\pg_dump.exe'
- '\sqlcmd.exe'
- '\exp.exe'
- '\expdp.exe'
filter_legit:
ParentImage|contains:
- '\Program Files\'
- '\Management Studio\'
condition: selection and not filter_legit
falsepositives:
- Legitimate administrative database maintenance by DBAs (verify source)
level: high
---
title: Suspicious Archiving in User Directories
id: 9b2e3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects compression tools (7z, winrar) running inside user profile directories, a common tactic to compress stolen data before exfiltration.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2025/01/10
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\zip.exe'
CommandLine|contains: ' -a '
CurrentDirectory|contains: '\Users\'
condition: selection
falsepositives:
- Users manually zipping their own files (rare in enterprise envs without specific approval)
level: medium
---
title: High Volume Outbound Network Connection
id: 0c3f4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects processes initiating high-volume outbound connections to non-internal IP addresses, indicative of data exfiltration.
references:
- https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2025/01/10
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationIp|contains:
- '10.'
- '192.168.'
- '172.16.'
filter: not selection
timeframe: 5m
condition: filter | count(SourceIp, DestinationIp) > 100
falsepositives:
- Legitimate large file transfers (backup software, software updates)
level: high
**KQL (Microsoft Sentinel / Defender)**
Hunt for anomalous sign-in events and high-volume data transfers associated with the Instructure environment or potential admin compromise.
// Hunt for large data egress events
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemotePort != 443 and RemotePort != 80
| where SentBytes > 5000000 // > 5MB
| summarize TotalBytesSent=sum(SentBytes), Count=count() by DeviceName, InitiatingProcessAccountName, RemoteIP
| where Count > 10
| order by TotalBytesSent desc
| extend Timestamp = now()
// Hunt for suspicious process execution related to DB tools
DeviceProcessEvents
| where FileName in~ ('mysqldump.exe', 'pg_dump.exe', 'sqlcmd.exe', 'exp.exe', '7z.exe', 'winrar.exe')
| where InitiatingProcessAccountName != "SYSTEM" and InitiatingProcessAccountName !endswith "$"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessParentFileName
| order by Timestamp desc
**Velociraptor VQL**
Hunt endpoint for database dump artifacts and recent large compressed files that may indicate staged data.
-- Hunt for database dump processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'mysqldump'
OR Name =~ 'pg_dump'
OR Name =~ 'sqlcmd'
OR Name =~ 'exp.exe'
-- Hunt for recently created large archive files in user directories
SELECT FullPath, Size, Mtime, Mode.SysType
FROM glob(globs='/*Users/*/*.zip')
WHERE Mtime > now() - 24h AND Size > 10000000
UNION ALL
SELECT FullPath, Size, Mtime, Mode.SysType
FROM glob(globs='/*Users/*/*.rar')
WHERE Mtime > now() - 24h AND Size > 10000000
**Remediation Script (PowerShell)**
Use this script to audit systems for signs of data staging tools and recent large file modifications in common temp directories.
# Audit for signs of data staging
Write-Host "Checking for recent large files in User Profile directories..."
$DateThreshold = (Get-Date).AddDays(-1)
$SizeThreshold = 10MB # 10MB
Get-ChildItem -Path C:\Users\ -Recurse -File -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt $DateThreshold -and $_.Length -gt $SizeThreshold -and ($_.Extension -match '\.(zip|rar|sql|csv|bak)$') } |
Select-Object FullName, LastWriteTime, Length, @{Name='SizeMB';Expression={[math]::Round($_.Length/1MB,2)}} |
Format-Table -AutoSize
Write-Host "Checking for active database dump processes..."
$ProcessNames = @('mysqldump', 'pg_dump', 'sqlcmd', 'exp', '7z', 'winrar')
Get-Process | Where-Object { $ProcessNames -contains $_.ProcessName } | Select-Object ProcessName, Id, Path, StartTime
Remediation
- Credential Reset & MFA Enforcement: Assume admin credentials are compromised. Force a password reset for all privileged accounts (Database Admins, SaaS Admins) and enforce hardware token-based MFA (FIDO2) immediately.
- Audit Third-Party Access: Review logs for any third-party vendors or API integrations that had access to the Instructure environment during the breach timeline. Revoke and re-authenticate all third-party API keys.
- Network Egress Controls: Implement strict outbound firewall rules. Block access to known cloud storage providers (e.g., Mega, Dropbox) unless explicitly required for business operations.
- Session Termination: Invalidate all active user sessions within the Instructure Canvas environment to kill any persistent attacker sessions.
- Log Analysis: Correlate authentication logs with data export logs. Look for "Impossible Travel" logins or successful authentications followed immediately by large database queries.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.