THIS WEEK, TL;DR

Instructure paid and 'reached an agreement' with hackers who breached it twice; ShinyHunters says it won't extort victims
BBC News ($): Canvas school system maker Instructure paid the hackers that breached the company (twice) and stole gobs of student data. Instructure CEO Steve Daly said the company "reached an agreement" with the hackers (heavy wink, of course) to not release the data, without saying how many millions it paid the hackers or estimating how many future hacks its ransom payment may have contributed to funding. The ShinyHunters gang told TechCrunch and DataBreaches.net that the data is "deleted, gone," and that victims will "not further be targeted or contacted for payment by us.” But that still leaves open the possibility — as has happened before — that another hacker group might extort them, à la the massive breach at ed-tech giant PowerSchool; or that the hackers might not stick to their word. Lawmakers now want answers over Instructure's catastrophish (the hackers' main modus operandi). Instructure can't guarantee jack about any of the hackers' claims, so lawmakers should press them on it — and who, if anyone(!) — is ultimately responsible for cybersecurity at the company.
More: TechCrunch ($) | Reuters ($) | Associated Press | Inside Higher Ed | Harlem World | CalMatters | @mzinshteyn | @briankrebs

On state visit to Beijing, Trump discussed AI, cyberattacks, sanctions, and spying with China's Xi Jinping
The New York Times ($): Trump and his entourage of senior staffers, emotional support tech executives, and family members (for some bizarre reason?), went to China and all they got was this lousy T-shirt were several gifts probably laden with bugs that they weren't even allowed to bring aboard Air Force One. As part of the state visit to Beijing, Trump and China's Xi Jinping talked spies, sanctions, AI, and cyberattacks, among other things, per @dustinvolz (new byline!), who runs down the gist of the trip's aims as the long-running frenemies met over a largely conciliatory tone. China remains a major adversary ($) in cyberspace as it continues to eye Taiwan for its own, and will keep hacking and spying its way around the world to meet its objectives. That also came up, with Trump telling reporters: “They’re talking about the spying. Well, we do it too.” But whether or not anything actionable came of this visit remains to be seen. Slightly worried that Trump didn't seem to follow when a reporter asked about Volt Typhoon, the Chinese hacking group planting malware around the world so it can distract American forces during an invasion, responding: "You don’t know that," and that he would "like to see it."
More: TechCrunch ($) | Nextgov | Associated Press | The Hill | NPR | For subscribers: this week in security ($)

Tanstack among many hacked in latest worm attack targeting developers; OpenAI says two staffers affected
SecurityWeek: Another worm-like campaign mass-targeted developers this week by stealing their credentials and self-propagating, using stolen tokens to publish malicious versions of the packages that victims have access to. Hacking gang TeamPCP, which has been on a tear stealing developer tokens and backdooring popular open-source packages, is behind this latest campaign, according to Wiz. Tanstack, an open-source tech stack for web developers, was one of the bigger projects hacked, allowing the hackers to pivot from there to gain access to two OpenAI staffers' devices. OpenAI said the hackers accessed code repositories containing developer signing keys, so the ChatGPT maker had to revoke those certificates and ask Mac users to update their apps.
More: OpenAI | SecurityWeek | Bleeping Computer | The Register | Wiz | @MsftSecIntel 

A hotel check-in system exposed a million passports, driver's licenses, and selfies to the open web
TechCrunch ($): Yes, it's the year 2026 and I'm still banging the "stop leaving your cloud storage buckets exposed to the web" drum. Anurag Sen found a publicly exposed AWS S3 bucket belonging to Japanese maker of hotel check-in tech Reqrea, storing a million identity documents and selfies that guests used to check in to their reservations. This is yet another major spill of identity documents at a time when ID verification is on the rise around the world. I wrote this story (disclosure alert!) because it was a perfect example of how a dead-simple data exposure can result in major harm, even while there's a lot of buzz and hype about the threat from AI models finding and exploiting security flaws. AI has helped to find bugs, even though many of them aren't much of a threat. Daniel Stenberg who maintains the curl library (which is used in everything) has a great blog on this worth a read, if not least to manage your general AI expectations. In reality, I'm more concerned about someone setting an AWS S3 bucket full of people's data to "public" than somehow using AI to take down the entire Social Security database, or something daft like that. Also this week: Best Western Hotels emailed customers to say hackers had access to their systems for six months before being evicted (via Reddit). It's not clear how many people's data is affected. 
More: SecurityWeek | The Register | @zackwhittaker

THE STUFF YOU MIGHT'VE MISSED

Medical imagery is still(!) spilling to the open web
HIPAA Journal: PACS servers, which doctor's offices and hospitals use to store, share, and view patients' medical imagery, are often unsecured and, in some cases, accessible from the internet. This has been a chronic problem for years, and is happening again. (I wrote about this back in 2020… 🫠) Trend Micro has more on the technicals. If you work in healthcare, check your PACS servers for exposures before the regulators find you!

A million video baby monitors and security cameras were easily viewable by hackers
The Verge ($): Hardcoded keys and public passwords found shipped in an Android app exposed over a million Meari internet-connected baby cameras to anyone who knew where to look. Thankfully a security researcher found the security lapse, as detailed by The Verge ($), which did a solid job on explaining the flaws.

Now-published zero-day can defeat default Windows 11 BitLocker protections
Ars Technica: A zero-day dubbed YellowKey, released by disgruntled researcher Nightmare-Eclipse (who was behind the BlueHammer exploit release), allows people with physical access to a Windows 11 system to bypass default BitLocker's encryption protections and gain complete access to an encrypted hard drive within seconds. @GossiTheDog called this "essentially… a backdoor." 

Mayo Clinic is using AI to listen to emergency room visits
404 Media ($): Hospital network giant Mayo Clinic has been collecting ambient audio from emergency rooms to record patient interactions, and feeding the data into AI. The audio collection is opt-out, and not opt-in. Relatedly: The Ontario government recently found in examining its use of AI transcription in healthcare that it was largely, well, crap, given that healthcare is too important for AI to get things wrong. "If the notes in the chart are wrong, the whole thing falls apart," per @mttaggart. Also, ICYMI: Professor extraordinaire @emilymbender on why you should refuse to let your doctor record you.

Ransomware gang The Gentleman hacked and dissected by researchers
BankInfoSecurity: A prominent and rising ransomware gang called The Gentlemen was hacked earlier in May and its database leaked. Check-Point has a blog with more details, including more about how the gang operates, how they hack, and what defenders can look out for. Ransom-ISAC also has a solid blog. (via @campuscodi)

Fast16 malware from the mid-2000s likely sabotaged Iran's nuclear weapons tests
Zero Day: Belter reporting by @kimzetter this weekend… A malware called Fast16, which was discovered years ago but recently analyzed, actually dates back to the mid-2000s when it was secretly fed to Iranian systems with the aim of altering nuclear weapons simulation data. The aim was to undermine those tests and slow the progress of a nuclear program. Amazing reporting here, and with many similarities to Stuxnet, the other famed malware that aimed to set back Iranian efforts to build a nuclear weapon. Symantec has more in its blog, and Zetter's sidebar timeline ($) is a handy chronological guide.

OTHER NEWSY NUGGETS

Europe exporting electronic exfiltrators: Six EU member states, including Denmark, have sold surveillance tech to dozens of countries known for human rights violations. The EU's top body keeps complaining about spyware abuses across Europe but does nothing about spyware makers selling to abusive governments from its own turf. (via Bloomberg ($), Human Rights Watch)

Cisco layoffs amid 'record revenue': In the same blog post, Cisco CEO Chuck Robbins announced record revenue and double-digit growth while also laying off 4,000 people, or 5% of the company, to spend more on AI. Robbins, meanwhile, had a total compensation package of ~$53 million last year. When I asked if Robbins planned on taking a pay cut, a spokesperson wouldn't comment. (via TechCrunch ($); I wrote this story!)

Cisco's security woes hit again: Oh look, another top-severity Cisco zero-day exploited in the wild; what a surprise, it's a day ending in "y." The bug was found in Cisco's SD-WAN products, aka CVE-2026-20127. Cisco's research arm Talos — still doing good work — found exploitation dating back to at least 2023 (woooof). Per Talos, the hackers sought to "establish persistent footholds into high value organizations including critical infrastructure sectors," which… sounds a lot like Volt Typhoon again, no? (via Cisco, TechCrunch ($), @stephenfewer)

Iranian hackers targeting gas stations: U.S. officials suspect Iranian hackers are accessing unprotected automatic tank gauge systems, used by gas and petrol stations to monitor the amounts of fuel in storage tanks. (Experts say this could allow gas leaks to go undetected, for example.) This was much to the chagrin of security researchers, who've been warning about this for literally years. (via CNN ($), IFIN, @neurovagrant)

Signal, Windscribe plans to bounce from Canada: Canada is preparing to vote on Bill C-22, a new surveillance bill that would require tech companies to collect customer metadata and store it for up to a year. E2EE messaging app Signal and VPN provider Windscribe said they'd leave Canada if the bill passes rather than give up data about their customers. (via Globe and Mail ($), Juno News, @privacylawyer)

DOJ seeks to unmask app users: According to Forbes ($), the Justice Department wants Amazon, Apple, and Google to turn over the identities, addresses, and purchase histories of at least 100,000 users who downloaded the EZ Lynk app, which prosecutors accused of breaking federal emissions laws. It's a rare case of authorities trying to app users, but looks like a major overreach. 

Grand jury subpoena demands healthcare data: This is really f-ed up: The DOJ secured grand jury subpoenas for several U.S. hospitals, such as NYU Langone in New York, demanding a ton of medical records of children who received gender affirming care since 2020. This is a huge privacy risk for potentially anyone who seeks healthcare of any kind. This may start by targeting trans people, but it will not stop there. The Handbasket reports on some of those affected. More from Erin Reed.

Grafana extorted over stolen source code: Observability software Grafana says hackers (known for using credentials stolen from infostealers) broke in, stole its source code, and tried to extort the company into paying. Grafana said no, and went public instead, and blamed the breach on hackers stealing an authentication token. (via @grafana)

THE HAPPY CORNER

Ding dong! What's that sound…? Hell yeah, it's the happy corner gong!

Trust me, you'll want to read this fictional but brilliantly written "incident" report. The only remediation you need is to laugh and enjoy — and maybe hide your Yubikeys from the office dog. CVE-2024-YIKES, indeed!

A smidge of good news for Android users (running the latest Pixel phones) who will get a new Intrusion Logging feature aimed at helping to identify spyware and surveillance attacks. More words from Amnesty, which helped Google develop the feature. Plus: iOS and Android devices can now send and receive end-to-end encrypted RCS messages!

Meanwhile: It looks like the U.K. is making good on its earlier promise to shield security researchers from its decades-old hacking laws. It's a great step in the right direction (finally). 

A fab offer here from threat analysis sensei @JohnHultquist: CYBERWARCON is an absolute hoot, and I've heard SLEUTHCON is also a must-go event. 

And lastly, this week. Since vx-underground and VirusTotal have some of the world's largest repositories of malware, I wondered (disclosure alert! What would this look like, visualized stacked as hard drives, one on top of another? Guess no more…

Got good news to share? Get in touch! this@weekinsecurity.com.

CYBER CATS & FRIENDS

This week's returning cyber cat is Murphy, basking in a beautiful stream of sunlight, knowing full well that his online accounts are protected with long, unique passphrases stored in his human's password manager and multi-factorered; or better yet, protected with passkeys. Many thanks again to Matt S. for sending in!

Send in your cyber cats! ‍ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!

SUGGESTION BOX

That's it for now! Thank you so much for reading. I won't keep you for another moment! I'm off to my local pottery studio to throw some clay. Cyber is important, but so is making stuff and being creative. Whether you're reading at home or doing something outdoors, coding for fun, or something even more adventurous, I hope you enjoy and that you have a great rest of your day, weekend, and your week.

I'll catch you next Sunday with everything you need to know from the world of cyber. Please do get in touch if you have anything to share!

Ta-ra!
@zackwhittaker