The Lyceum: Cyber Intelligence Daily — May 10, 2026
Sunday, May 10, 2026
The Big Picture
The week before finals just got materially worse for the 200+ million people who use Canvas — ShinyHunters breached Instructure a second time, defaced school login pages, and set a hard data-leak deadline that expires Tuesday evening. Two CISA "patch now" deadlines also expired in the last 48 hours (Ivanti EPMM and Palo Alto PAN-OS), and APT28 is back on the wire with another rapidly weaponized Microsoft Office flaw — the kind of story that keeps repeating amid collapsing patch windows. Quieter but stranger: an incident in Taiwan reportedly stopped four high-speed trains with off-the-shelf radio hardware.
What Just Dropped
- CVE-2026-6973 — Ivanti Endpoint Manager Mobile: actively exploited, on CISA KEV, federal patch deadline expired today. Affects the platform IT teams use to manage corporate phones, tablets, and laptops.
- CVE-2026-0300 — Palo Alto Networks PAN-OS: actively exploited since at least April 9, on CISA KEV, federal patch deadline expired Friday. BleepingComputer reports nearly a month of in-the-wild exploitation before broad disclosure. (bleepingcomputer.com)
- CVE-2026-42208 — BerriAI LiteLLM: actively exploited, on CISA KEV, federal patch deadline expires Monday. Affects the open-source proxy that routes traffic between corporate apps and model providers like OpenAI and Anthropic.
- Ghost CMS 6.19.0 SQL injection PoC — public proof-of-concept dropped on Exploit-DB. Inventory exposed Ghost admin endpoints; release-day PoCs typically compress time-to-mass-scanning to days.
- NocoBase 2.0.27 sandbox escape PoC — also fresh on Exploit-DB. NocoBase is a low-code backend builder; subsidiary teams often run stale versions outside central change control, which widens blast radius.
Today's Stories
ShinyHunters Came Back — And Now the Clock Says Tuesday
If your kid uses Canvas to submit homework, or you work at one of the roughly 9,000 schools that run on it, the situation got materially worse this week — and it's not over yet.
ShinyHunters claimed responsibility on May 3 for a breach at Instructure, the parent company of the Canvas learning management system. The group claims to have stolen 3.65 terabytes of data — approximately 275 million records — including private messages exchanged between students and teachers. When Instructure responded with "security patches" instead of payment, ShinyHunters claimed to have hacked Instructure again, this time defacing the login pages of customer schools with an extortion message.
The new deadline is end of day Tuesday, May 12, after which ShinyHunters says everything gets leaked. There is one ambiguous signal worth watching: Instructure's listing was removed from ShinyHunters' dark web leak site shortly after the defacement. The group hasn't explained the removal, but historically they delist victims who at minimum open a channel of communication. Whether that means a payment is coming, or just a conversation, isn't yet clear.
Instructure CISO Steve Proud confirmed the stolen data includes names, email addresses, student ID numbers, and messages exchanged by users — but says there's no evidence passwords, dates of birth, government IDs, or financial information were involved. That's the good news. The bad news is that, per Times Higher Education's reporting, researchers expect a wave of highly personalized phishing in the coming weeks: the attackers have students' actual course names, real professor names, and message history to make their lures look authentic.
What to watch: if Instructure goes dark again Tuesday evening, or if data starts surfacing on leak sites Wednesday morning, negotiations failed. If neither happens, it may indicate a payment or other resolution — and the precedent that sets for the education sector is its own problem.
APT28 Is Still Weaponizing Office Faster Than Most Teams Can Patch
● Ukraine · Greece · Poland · Russia · Turkey · UAE
There's a pattern worth naming explicitly because it keeps repeating: APT28 — Russia's GRU-linked Unit 26165, which Ukraine tracks as UAC-0001 — is now routinely weaponizing newly disclosed Microsoft Office vulnerabilities within roughly 24 hours of public disclosure. SecurityWeek flagged the latest instance this week, and the pattern matters more than any single CVE.
The current campaign centers on CVE-2026-21509, a security feature bypass in Microsoft Office. Per Trellix research, APT28 weaponized the vulnerability within 24 hours of its disclosure, targeting maritime and transport organizations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The infection chain — documented by The Hacker News — drops a loader called SimpleLoader, which in turn delivers either NotDoor or a COVENANT Grunt Beacon, ultimately reaching for a backdoor called BEARDSHELL hosted behind cloud storage.
What changes if this pattern holds: the patch window collapses to zero. Any organization that doesn't deploy Microsoft updates the same day they ship is, in practical terms, unpatched against APT28. CSO Online's reporting on the campaign frames this as APT28 displaying a tempo few groups match. The signal that tells you which way this goes: the next Patch Tuesday is May 13. If a meaningful Office or Windows flaw drops, assume APT28 has working code by Wednesday morning and plan deployment accordingly.
CERT-UA Advisory #19542 documents this campaign as ongoing against Ukrainian and EU targets. If you haven't applied the CVE-2026-21509 patch, do that now. If you have, verify it actually deployed — patch management consoles sometimes report success when the underlying update didn't fully apply.
Reports Say SDR Interference Disrupted Taiwan High-Speed Rail
● Taiwan · Japan
Reports on social media say someone disrupted Taiwan High Speed Rail operations this week, stopping four trains by using software-defined radios — commodity hardware that can transmit and receive across a wide frequency range — to interfere with rail signaling. The story is generating significant community discussion, but as of this writing the technical specifics haven't been independently confirmed by a Tier 1 source. Treat this as a strong early signal pending an official statement from Taiwan's transport authority or TWCERT.
What makes it worth flagging even at this stage is the attack surface it implies. High-speed rail systems in Taiwan, Japan, and across Europe rely on radio-based train control — protocols designed for reliability and safety, not adversarial radio environments. The 2023 Polish rail disruption (where attackers used radio stop commands to halt trains) showed this isn't theoretical. If off-the-shelf SDR hardware can stop four trains, the question isn't whether nation-state actors have noticed this attack class — it's whether they've been quietly using it for years.
What changes if this is confirmed: rail signaling joins the small but growing list of physical-world systems where the attack surface is the radio spectrum itself, and "patch the firmware" isn't a meaningful response. Watch for an official Taiwan Railway Bureau or TWCERT statement; if none materializes within 72 hours, that will be a signal about institutional readiness.
CISA Adds a Windows Protection Mechanism Failure to the Actively Exploited List
CISA quietly added two vulnerabilities to its Known Exploited Vulnerabilities catalog this week, and the more interesting one is generating almost no English-language coverage yet: CVE-2026-32202, a Microsoft Windows Protection Mechanism Failure. The other addition was CVE-2024-1708, a ConnectWise ScreenConnect path traversal flaw whose reappearance in KEV suggests exploitation is broadening beyond the Interlock ransomware operators previously documented using ScreenConnect for redundant access.
"Protection mechanism failure" as a CVE class typically means a security boundary Windows relies on to contain damage has been bypassed. The fact that it's landing in KEV means someone is using it in the wild right now — not in a lab. What's unusual is the silence around it: a KEV entry with no accompanying advisory or vendor blog post often leaves defenders with little contextual guidance as they prioritize patches.
The signal to watch: if Microsoft publishes a security advisory in the next 72 hours pointing to a privilege escalation or sandbox escape, the picture clarifies. If it doesn't, defenders are patching against an unknown attack surface while exploitation continues.
⚡ What Most People Missed
- CERT-UA published six fresh advisories this week that Western outlets have not yet widely covered: Beyond UAC-0252 (running a credential-theft campaign with tools called SHADOWSNIFF and SALATSTEALER), CERT-UA documented active campaigns by UAC-0190, UAC-0241, UAC-0239, and UAC-0245 — six separate threat clusters in seven days. That volume suggests either an operational surge by Russian-aligned actors or significantly improved CERT-UA detection, and it highlights a widening gap between local telemetry and English-language reporting. [Source: CERT-UA — Ukrainian]
- Public PoCs are landing for Tomcat and SharePoint: Researcher repositories pushed weaponized exploit code in the past 72 hours for Apache Tomcat (CVE-2025-24813) and a SharePoint WebPart injection chain (CVE-2025-53770). Neither is a new CVE, but availability of automation closes the gap between disclosure and mass scanning. If you run writable Tomcat paths or SharePoint sites that allow non-admin edits, hunt for anomalous uploads today.
- A sudo chroot LPE exploit was updated an hour before this newsletter went to press: CVE-2025-32463, the Linux sudo-with-chroot local privilege escalation, has working public exploit code that's been actively maintained. If your environment allows sudo with chroot, revoke that capability or patch immediately — script-kiddie weaponization is essentially zero-friction at this point.
- CoinDCX hit for ₹378 crore (~$45 million): Indian press reports overnight that the crypto exchange suffered a major wallet compromise. Exchanges typically pause withdrawals during incident response, so users should expect restricted fund movement and follow CoinDCX's official channels for confirmation rather than social media chatter. [Source: Jansatta — Hindi]
- A hospital ransomware attack in South Korea has been attributed to an operator in Kazakhstan: Korean press reports the operator behind a ransomware incident that halted a hospital's servers has been identified as based in Kazakhstan. Notable as a small but real data point in the slow drift of ransomware operator geography away from the traditional Russian-speaking core. [Source: Daum News — Korean]
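The Tomcat item above says to hunt for anomalous uploads; as an added example (not from this newsletter or any outlet it cites), here is a small Python hunt over Tomcat "common"-format access-log lines that flags HTTP writes of executable content and a successful write followed by a fetch of the same path from the same client. The log lines, client addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Content types that should never arrive via an HTTP write to a webapp path.
SUSPICIOUS_EXT = (".jsp", ".jspx", ".war", ".class", ".session")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt_uploads(lines):
    """Return (reason, client, path, status) findings for upload-like activity."""
    findings = []
    written = defaultdict(set)  # client ip -> paths it wrote with a 2xx status
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # non-matching lines (e.g. a different log format) are skipped
        method, path, status = rec["method"], rec["path"], int(rec["status"])
        # Write of executable/session content: worth a look regardless of status.
        if method in ("PUT", "POST") and path.lower().endswith(SUSPICIOUS_EXT):
            findings.append(("suspicious_write", rec["ip"], path, status))
        if method == "PUT" and 200 <= status < 300:
            written[rec["ip"]].add(path)
        # Write followed by a fetch of the same path from the same client:
        # the classic drop-then-trigger sequence.
        if method == "GET" and path in written[rec["ip"]]:
            findings.append(("write_then_fetch", rec["ip"], path, status))
    return findings


# Constructed sample log; addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:08:01:02 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2026:08:01:05 +0000] "PUT /app/uploads/cmd.jsp HTTP/1.1" 201 0',
    '203.0.113.7 - - [10/May/2026:08:01:09 +0000] "GET /app/uploads/cmd.jsp HTTP/1.1" 200 77',
    '198.51.100.4 - - [10/May/2026:08:02:00 +0000] "PUT /app/uploads/report.pdf HTTP/1.1" 201 0',
    '198.51.100.4 - - [10/May/2026:08:02:10 +0000] "POST /app/login HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for finding in hunt_uploads(SAMPLE_LOG):
        print(*finding)
```

Point it at a real `localhost_access_log.*.txt` by reading the file into `hunt_uploads`; the benign PDF upload in the sample is deliberately not flagged, so expect to tune the extension list to what your webapps legitimately accept.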
From the Foreign Press
CERT-UA Flags a New Credential-Theft Campaign Using SHADOWSNIFF and SALATSTEALER
● Ukraine
Ukraine's national cyber agency published advisory #20032 documenting threat cluster UAC-0252 running a campaign that deploys two credential-stealing tools — SHADOWSNIFF and SALATSTEALER — against targets that the agency hasn't yet fully enumerated in English. Credential stealers are the unglamorous workhorses of modern espionage: they don't make ransomware-style headlines, but they're often the first step. An attacker harvests your credentials, logs into your VPN or email, and then has weeks of quiet access before anyone notices. UAC-0252 appears to be running a parallel track to the UAC-0247 campaign (CHROMELEVATOR, ZAPIXDESK) covered in this newsletter on Saturday — different tooling, similar objectives. If your organization touches Ukrainian government, defense, or civil society networks, audit credential exposure now; Western threat-intel writeups typically follow CERT-UA advisories by 48 to 72 hours. Source: CERT-UA Advisory #20032 — Ukrainian. No English-language coverage confirmed at time of publication.
CABINETRAT Backdoor Used Against Ukrainian Defense Sector
● Ukraine
CERT-UA Advisory #17479 documents UAC-0245 deploying a backdoor called CABINETRAT in targeted attacks against Ukrainian defense organizations (СОУ — Сили оборони України, the Defense Forces of Ukraine). The advisory is the only public record of CABINETRAT to date. Backdoor families specifically positioned against defense supply chains tend to surface in Western reporting weeks later, usually after a Five Eyes partner picks up the indicators in their own telemetry. The naming convention and targeting pattern suggest a Russian-aligned operator, though CERT-UA has not formally attributed UAC-0245 to a known foreign group. Source: CERT-UA Advisory #17479 — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If ShinyHunters releases Canvas data on Tuesday evening or Instructure goes dark again, negotiations failed — and a 275 million-record education breach becomes a phishing toolkit for years, not weeks.
- If Microsoft publishes a security advisory for CVE-2026-32202 in the next 72 hours, the KEV picture clarifies — if they don't, defenders are patching against an unknown attack surface while exploitation continues.
- If next Tuesday's Patch Tuesday includes any Office or Windows vulnerability, assume APT28 has working code by Wednesday morning — the 24-hour weaponization pattern is now the operational baseline for GRU-linked actors, not the exception.
- If a Tier 1 source (Taiwan Railway Bureau, TWCERT, AP/Reuters) confirms the SDR rail-signaling incident, expect rapid copycat research — software-defined radio hardware costs under $50 and rail signaling protocols are not designed for adversarial radio environments in practice.
- If additional UAC-designated clusters surface from CERT-UA this week (beyond the six already published), it likely signals coordinated pre-summer escalation — Russian operational tempo against Ukrainian and EU targets has been seasonal historically, and June–August is when it tends to peak.
The Closer
This week: an incident reportedly stopped four bullet trains with a $30 radio, a ransomware crew deleted itself from its own leak site like a teenager unsending a text, and 275 million Canvas messages between students and teachers became a Tuesday-night countdown clock. Somewhere in Moscow a GRU operator is reading the May 13 Patch Tuesday calendar like the rest of us read a takeout menu.
Stay paranoid.
Forward this to the friend who still keeps their VPN on default credentials — they'll thank you eventually.