Front Page

SaaS & Cloud Forensics

ShinyHunters Exfiltrates 3.65 TB from 275 Million Canvas Users via Salesforce Misconfiguration

Educational technology provider Instructure disclosed on May 1 that threat group ShinyHunters exploited a Salesforce misconfiguration to exfiltrate data on approximately 275 million users across nearly 9,000 schools worldwide. The stolen 3.65 TB included names, email addresses, student ID numbers, and private student-teacher messages. ShinyHunters claimed responsibility publicly on May 3 and listed the data for sale before Instructure's full disclosure was complete.

Investigators face a multi-cloud forensics challenge: evidence spans Instructure's own systems, Salesforce API access logs, and ShinyHunters' infrastructure — three separate evidence planes with distinct custody requirements. The attack exploited misconfigured Salesforce access controls, not a zero-day, making API activity logs and OAuth token issuance records the primary forensic artifacts. The case reinforces that SaaS misconfiguration now carries the same breach risk as an unpatched critical vulnerability.

Critical Infrastructure

CVE-2026-41940: CRLF Injection in cPanel Session Cookies Compromises 40,000+ Hosting Servers Worldwide

A critical CRLF injection vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel and WebHost Manager session cookie handling has been mass-exploited since late April, compromising over 40,000 internet-facing hosting control panels by May 4. Attackers gain root-level administrative access without credentials — enabling complete server takeover. Multiple threat actors simultaneously deployed "Sorry" ransomware and persistent administrative backdoors on affected hosts.

Unlike endpoint ransomware, a single compromised cPanel host encrypts dozens of hosted websites, databases, and mail servers simultaneously. Forensic responders must examine access logs for CRLF injection artifacts in session cookie fields, timestamp ransomware binary drops in /tmp directories, and reconstruct the pre-encryption exfiltration timeline. At 40,000+ affected instances, automated evidence collection is not optional — it is the only viable triage approach.

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-41940

cPanel & WHM — CRLF injection in session cookie handling enables unauthenticated authentication bypass; CVSS 9.8. Actively exploited across 40,000+ hosting control panels with ransomware and backdoor deployment. Forensic Note: Examine cPanel access logs for malformed cookie payloads containing CRLF sequences; audit /tmp and /dev/shm directories for dropped ransomware binaries with creation timestamps.
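The two checks in that forensic note, as an added Python triage example (not code from the bulletin or from cPanel): it flags access-log lines whose cookie field carries raw, backslash-escaped or percent-encoded CR/LF markers, and lists recently changed files under /tmp and /dev/shm with their timestamps. The sample lines are constructed, and their combined-log-plus-cookie layout is an assumption; adjust LINE_RE to the real access_log format before use.

```python
import os
import re
import time
from datetime import datetime

# Constructed sample lines; the layout (combined log plus a trailing quoted
# Cookie field) is an assumption, not the documented cPanel access_log format.
SAMPLE_LOG = r"""
198.51.100.7 - - [28/Apr/2026:02:14:09 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "cpsession=AAA"
198.51.100.7 - - [28/Apr/2026:02:14:11 +0000] "POST /login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "cpsession=x%0d%0aX-Test:%201"
203.0.113.9 - - [28/Apr/2026:02:20:45 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 1024 "-" "curl/8.0" "cpsession=BBB\r\nX-Test: 1"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>.*)"$')
# Raw CR/LF bytes, the backslash escapes Apache-style loggers write for them,
# and the percent-encoded forms a client would send on the wire.
CRLF_RE = re.compile(r"%0d|%0a|\\r|\\n|\r|\n", re.IGNORECASE)

def scan_access_log(text):
    """One finding per line whose cookie field carries a CR/LF marker; lines that
    do not fit LINE_RE are reported too, since a cookie can break the log layout."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            findings.append({"ip": None, "ts": None, "markers": [], "raw": line})
            continue
        markers = sorted({h.lower() for h in CRLF_RE.findall(m["cookie"])})
        if markers:
            findings.append({"ip": m["ip"], "ts": m["ts"], "request": m["req"],
                             "markers": markers})
    return findings

def recent_artifacts(dirs=("/tmp", "/dev/shm"), max_age_s=24 * 3600):
    """Files under dirs touched within max_age_s, oldest first; Linux os.stat has
    no reliable birth time, so ctime (inode change) is the drop-time proxy."""
    ts = lambda t: datetime.fromtimestamp(t).isoformat()
    cutoff, out = time.time() - max_age_s, []
    for root, _, files in (w for d in dirs for w in os.walk(d)):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if max(st.st_mtime, st.st_ctime) >= cutoff:
                out.append({"path": path, "mtime": ts(st.st_mtime), "ctime": ts(st.st_ctime),
                            "executable": bool(st.st_mode & 0o111)})
    return sorted(out, key=lambda r: r["ctime"])
```

Run the scanner over a preserved copy of the log, not the live file, so the original's timestamps stay intact for the custody record.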

ACTIVE EXPLOIT
CVE-2026-2033

Google Chrome V8 — type confusion in the JavaScript engine enables remote code execution via crafted web pages; CVSS 8.8. Added to CISA KEV May 2026 with confirmed in-the-wild exploitation. Forensic Note: Pull Chrome crashpad reports, GPU process logs, and extension history from suspect endpoints; hunt for renderer process sandbox escapes in Windows event telemetry and EDR process-creation logs.

Malware Spotlight

"Sorry" Ransomware (cPanel-Targeting)

Go-based Linux ransomware deployed exclusively via CVE-2026-41940 on cPanel/WHM servers. ChaCha20 stream cipher with RSA-2048 key wrapping encrypts all hosted sites, databases, and mail data simultaneously, appending a .sorry extension. Ransom communication via Tox messenger; no public decryption utility exists. Forensic Note: Prioritize disk imaging and cPanel access log preservation before engaging any ransom demand process; ransomware binary artifacts in /tmp are short-lived.