Netizen: Monday Security Brief (5/18/2026)

Today’s Topics:

  • Congress Presses Instructure After Canvas Breach
  • MiniPlasma Zero-Day Puts Windows Patch History Back Under Scrutiny
  • How can Netizen help?

Congress Presses Instructure After Canvas Breach

Congress is pressing Instructure for answers after the company’s Canvas learning management system was disrupted by a cyberattack that exposed user information, interrupted core school functions, and raised new questions about how well major education technology providers can contain repeat intrusions. The incident follows a pattern we have discussed before: attackers are increasingly targeting the platforms that sit between institutions and their students, where identity data, communications, records, and operational workflows are concentrated in one place.

The House Committee on Homeland Security requested a briefing from Instructure CEO Steve Daly after the company was reportedly hit twice in the span of a week by ShinyHunters, a cybercriminal group known for large-scale data theft and extortion activity. According to Dark Reading, lawmakers questioned why Instructure experienced a second compromise so soon after the company disclosed the first breach, and whether the company had fully remediated the issue before declaring Canvas operational again.

Instructure first disclosed the breach on May 1, stating that attackers obtained certain identifying information from users, including names, email addresses, student ID numbers, and private messages. ShinyHunters later claimed it had more than 3TB of data connected to Instructure users across more than 9,000 educational institutions. Canvas was temporarily taken offline during the investigation, affecting grade reporting and other services used by schools and universities during a critical point in the academic calendar.

The timing of the outage made the incident especially disruptive. Canvas is not just a content portal for many institutions; it is part of the academic operating layer used to manage assignments, grades, communications, student records, and classroom continuity. As we have noted in past coverage of third-party and SaaS security incidents, the operational impact of these attacks often extends well beyond the initial data exposure. When a widely used vendor is disrupted, customer organizations inherit the consequences, even when the intrusion occurs outside their own network.

The containment question became more serious when ShinyHunters allegedly returned after Instructure said the matter had been resolved. The company stated on May 6 that Canvas was fully operational, but the attackers reportedly compromised Canvas again the following day and posted a ransom demand on login pages. That second event appears to be one of the main reasons lawmakers are now asking whether Instructure’s incident response was complete, whether the attackers retained access, and whether the company had enough visibility across its environment to confirm containment.

The Senate Committee on Health, Education, Labor, and Pensions also sent a letter to Instructure, asking for more detail about the types of data affected, the security improvements made after the attack, and the company’s May 11 statement that it had reached an “agreement” with the threat actor. Instructure said no customers would be extorted and claimed the stolen data was returned, with digital confirmation of its destruction. The company did not publicly say that it paid a ransom, but Dark Reading noted that ShinyHunters removed Instructure from its leak site, which is commonly associated with victim organizations that resolve an extortion demand.

The incident also brings renewed attention to Instructure’s previous Salesforce-related breach from September 2025. That earlier compromise was tied to a wave of Salesforce intrusions affecting major organizations and linked by researchers to threat actors associated with ShinyHunters. It remains unclear whether information from the Salesforce incident played any role in the May 2026 Canvas attack, but the repeated targeting of the same company raises a familiar risk for defenders: once an organization is profiled as valuable, attackers may continue probing for adjacent access paths, exposed identities, vendor integrations, and reused operational data.


MiniPlasma Zero-Day Puts Windows Patch History Back Under Scrutiny

A newly released proof-of-concept exploit for a Windows privilege escalation zero-day is putting Microsoft’s Cloud Files Mini Filter Driver back under scrutiny, after a researcher said a flaw thought to have been fixed in 2020 can still be used to gain SYSTEM privileges on fully patched Windows systems. The bug, now referred to as MiniPlasma, affects cldflt.sys, the Windows driver tied to cloud file placeholder handling, and appears to sit in the HsmOsBlockPlaceholderAccess routine.

The disclosure comes from security researcher Chaotic Eclipse, who has also been linked to the recent YellowKey and GreenPlasma Windows flaws. According to reports from The Hacker News and BleepingComputer, the researcher said MiniPlasma traces back to an issue originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Microsoft was believed to have addressed the issue in December 2020 under CVE-2020-17103, but Chaotic Eclipse said the same bug remains exploitable and released a weaponized version of the earlier proof of concept to spawn a SYSTEM shell.

For defenders, the practical concern is straightforward: this is a local privilege escalation flaw, meaning an attacker would first need some level of local code execution or account access. Once that foothold exists, a reliable elevation path to SYSTEM can turn a limited compromise into full host control. That matters in ransomware, hands-on-keyboard intrusions, and post-exploitation activity, where attackers often chain initial access with privilege escalation to disable tools, dump credentials, tamper with logs, and move deeper into an environment.

What sets this disclosure apart is that the claim concerns fully patched systems. As we have covered before with Windows privilege escalation bugs, these vulnerabilities are most dangerous after initial access has already been established: they rarely provide the first step into an environment, but they give an attacker the permissions needed to make that first step far more damaging. Here, the usual mitigation of staying current on updates does not, according to the researcher, close the path.

Security researcher Will Dormann said MiniPlasma worked reliably to open a cmd.exe prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates, according to reporting from The Hacker News. Dormann also said the exploit did not appear to work on the latest Windows 11 Insider Preview Canary build, which may suggest that code changes in newer test builds affect exploitability, though that does not equal a formal patch for production systems.

The vulnerable component has already drawn attention in recent months. In December 2025, Microsoft patched CVE-2025-62221, a separate Windows Cloud Files Mini Filter Driver use-after-free vulnerability that allowed local privilege escalation. NVD lists CVE-2025-62221 as a local flaw requiring low privileges and no user interaction, with high confidentiality, integrity, and availability impact.

That pattern is what should concern security teams. Cloud file synchronization components such as cldflt.sys run as kernel-mode file system filter drivers and sit in the path of routine Windows file activity, so a flaw in one of them is a high-impact escalation path once attackers land on a workstation or server. The MiniPlasma disclosure suggests that patch status alone may not be enough for risk confidence when exploit code is public, the affected component is broadly present, and independent researchers report successful exploitation on current Windows 11 builds.

There is no confirmed Microsoft fix for MiniPlasma at this point, and no public confirmation of active exploitation in the wild. Still, public exploit code changes the operational picture. Security teams should watch for suspicious local privilege escalation behavior: processes running as NT AUTHORITY\SYSTEM whose parent ran in an interactive user’s context, SYSTEM shells (cmd.exe, powershell.exe) spawned by anything other than the usual service hosts, processes other than known sync clients performing cloud file placeholder operations, and post-compromise activity following lower-privileged user execution. Process creation telemetry that records both the parent’s and the child’s account, such as Sysmon Event ID 1 or Windows Security Event ID 4688, is what lets analysts connect initial user-context execution to sudden SYSTEM-level process activity, and it will be especially important until Microsoft provides clearer guidance or a patch.
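The correlation described above, as an added example that is not part of the original brief: a small Python analyzer over Sysmon Event ID 1 (process creation) records that flags SYSTEM processes whose parent ran under an ordinary user account, the pattern a weaponized local privilege escalation produces. The Sysmon field names are real; the sample events, the image names (lpe.exe, launcher.exe), the account names and the PIDs are constructed for illustration, and the handling of parents whose account cannot be resolved is a design choice of this example, not Sysmon behaviour.

```python
"""Flag user-context processes that spawn SYSTEM children in process telemetry.

Added example, not code from the original brief. It models the correlation
described in the text over Sysmon Event ID 1 records, using Sysmon's own field
names. All sample events below are constructed; no real logs are involved.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Service accounts that create SYSTEM processes as a matter of course. A parent
# running as one of these is a routine SYSTEM-to-SYSTEM handoff, not an escalation.
PRIVILEGED_ACCOUNTS = {
    SYSTEM_ACCOUNT,
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Native service hosts that legitimately parent SYSTEM children. Consulted only
# when the parent's account cannot be resolved (parent exited before the export,
# or the exporting Sysmon version did not populate ParentUser).
SERVICE_HOSTS = {"services.exe", "svchost.exe", "wininit.exe", "smss.exe"}

# A SYSTEM interactive shell is the typical end state of a weaponized LPE PoC.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields (names follow Sysmon's)."""
    ProcessId: int
    Image: str
    User: str
    ParentProcessId: int
    ParentImage: str
    ParentUser: Optional[str] = None  # absent from older Sysmon exports


@dataclass
class Alert:
    ProcessId: int
    Image: str
    ParentImage: str
    ParentUser: Optional[str]
    severity: str  # "high": parent account known and unprivileged; "review": unresolved parent
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_user_to_system(
    events: Iterable[ProcEvent],
    allowed_parents: FrozenSet[str] = frozenset(),
) -> List[Alert]:
    """Return alerts for SYSTEM processes created by a user-context parent.

    allowed_parents holds environment-specific parent image basenames (lowercase)
    known to perform a user-to-SYSTEM handoff legitimately. The PID lookup is
    keyed on ProcessId for brevity; production code should key on ProcessGuid,
    since Windows reuses PIDs.
    """
    events = list(events)
    by_pid: Dict[int, ProcEvent] = {e.ProcessId: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        if ev.User.upper() != SYSTEM_ACCOUNT:
            continue  # only SYSTEM children are of interest
        parent_name = _basename(ev.ParentImage)
        if parent_name in allowed_parents:
            continue
        # Prefer the ParentUser field; fall back to the parent's own creation event.
        parent_user = ev.ParentUser
        if parent_user is None:
            parent = by_pid.get(ev.ParentProcessId)
            parent_user = parent.User if parent else None
        if parent_user is not None:
            if parent_user.upper() in PRIVILEGED_ACCOUNTS:
                continue  # routine SYSTEM-to-SYSTEM process creation
            alerts.append(Alert(ev.ProcessId, ev.Image, ev.ParentImage, parent_user, "high",
                                f"SYSTEM process created by user-context parent ({parent_user})"))
        elif _basename(ev.Image) in INTERACTIVE_SHELLS and parent_name not in SERVICE_HOSTS:
            alerts.append(Alert(ev.ProcessId, ev.Image, ev.ParentImage, None, "review",
                                "SYSTEM shell with unresolved parent that is not a known service host"))
    return alerts


# Constructed sample telemetry (not real logs). PIDs 5300 and 5500 model the
# exploit pattern; the rest are routine SYSTEM activity or ordinary user activity.
SAMPLE_EVENTS = [
    ProcEvent(800, r"C:\Windows\System32\svchost.exe", SYSTEM_ACCOUNT, 600,
              r"C:\Windows\System32\services.exe", SYSTEM_ACCOUNT),
    ProcEvent(4100, r"C:\Windows\explorer.exe", r"CORP\alice", 4050,
              r"C:\Windows\System32\userinit.exe", r"CORP\alice"),
    ProcEvent(5200, r"C:\Users\alice\Downloads\lpe.exe", r"CORP\alice", 4100,
              r"C:\Windows\explorer.exe"),  # ParentUser omitted, as in older exports
    ProcEvent(5300, r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT, 5200,
              r"C:\Users\alice\Downloads\lpe.exe"),  # parent resolved via PID 5200
    ProcEvent(5400, r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT, 9000,
              r"C:\Windows\System32\svchost.exe"),  # parent not in export, but a service host
    ProcEvent(5500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYSTEM_ACCOUNT, 9100,
              r"C:\Temp\launcher.exe"),  # parent unknown and not a service host
]

if __name__ == "__main__":
    for a in detect_user_to_system(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.ProcessId} {a.Image} <- {a.ParentImage}: {a.reason}")
```

Run stand-alone, it reports two alerts: the cmd.exe created by the user-context lpe.exe at high severity, and the SYSTEM powershell.exe whose parent could not be resolved, marked for review. The split matters in practice: a resolved, unprivileged parent is close to a certain escalation, while an unresolved parent is usually a gap in the export and should be triaged, not paged on. Populate allowed_parents from an observed baseline rather than by guessing, and keep the list short; few legitimate Windows components spawn SYSTEM children from a user account.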


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

