
Anna Pham of Huntress joins Safe Mode to discuss …
A
How are those stubborn access brokers getting by in 2026? We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity.
B
An attack is coming.
A
It's about keeping us safe.
C
He's just a disgruntled hacker.
B
She's a super hacker.
A
Stay alert.
C
Stay safe.
A
Stay safe. This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment, we're going to be talking with Anna Pham, a security researcher with Huntress Labs. I talked with Anna out at RSA about access brokers and what we're seeing in the threat landscape. Look, we've been talking about AI a lot, so I wanted to take it an entirely different direction this episode. So we're going with something a little bit more tried and true, talking about the threat intel space and what we are seeing with internal access brokers and the ransomware landscape. But first, talking with Matt Kapko. Speaking of access brokers and more, quote, unquote, traditional threats: we had a breach that broke containment, I guess you could say. We talk about all types of breaches on the pages of CyberScoop and here on Safe Mode. But we saw a lot of national coverage of this Canvas cyberattack over the past weekend, and I feel like once it sort of died out over the weekend, there was Matt Kapko to fill us in on some more details. So, Matt, thanks for hopping aboard. Let's talk about what happened. We know Canvas is up and running, but a lot's been going on since then. So fill us in on where we're at.
B
Yeah, I appreciate it. Thanks for having me on, Greg. So, yeah, this data theft, extortion attack on Canvas, it's a widely used education tech platform. This is used in K-12 and higher education. Took a lot of twists and turns over the past week. It came to a relatively anticlimactic finish Monday night when Instructure, the company behind the platform, said it reached an agreement with the cybercriminals who threatened to leak 3.65 terabits of data, terabytes of data, including 275 million records. This spread across over 8,800 school systems. So the company didn't outright say that it paid a ransom to resolve this attack. But a deal with a financially motivated cybercrime group can really only mean one thing. It's extremely rare for a company to admit it paid a ransom in cases like this. But that's effectively what happened here.
A
So with that, yeah, the company did not come out and say anything. But yes, just to reiterate here, there's subtext here. And yes, the company did not come out and say they paid a ransom. But it's not like the group responsible for this felt bad and went, oh, okay, well, we'll just hand back this data and hit the rewind button over the past two weeks. No, there was probably some money exchanged.
B
Very likely, yes. And you're right, they did not say that outright, but it's assumed. The threat group calling itself ShinyHunters claimed responsibility for the attack. Researchers describe this group as a decentralized crew of prolific cybercriminals. They've hit major cloud platforms in the past, like Salesforce and Snowflake, among many other businesses. So they're well known in this industry.
A
Yeah. Is this the group? Look, we've done a lot of reporting in that vein. Not necessarily related to these past instances, but does this look to be a group that could possibly have connections to what we saw at Salesloft or some of the other third-party breaches that we did see over the past year that you've reported on?
B
That's correct, yeah. Everything indicates it's the same group or same individuals behind those attacks.
A
So from what you've talked to your sources about, has there been any real ballpark of what we've seen in terms of a ransom? Because look, this group is pretty notorious. While there is something paid, we're not talking like thousands of dollars here. It's probably into the millions. And I go back to what we saw with PowerSchool, another edtech platform that paid millions of dollars. So I'm wondering, while there may not be, you know, a direct figure out there, I'm wondering if you've gotten any info as to whether there has been an estimate as to what we could see in terms of a ransom.
B
Yeah, I'm trying. Nothing confirmed yet, but I think you're on the right page. It's very likely in the millions of dollars. Just the scope of this attack. Some researchers that I talked to said it's the most significant attack in the education sector this year, perhaps longer, when it's affecting nationwide. Many, many students and teachers use Canvas. It's a very popular and widely used program.
A
So what else do we know about the remediation here? I know that you talk to a lot of researchers in terms of, you know, the cascading effects of this, and yes, the service came back up. But what else do we know as far as what has gone on since the Good Morning Americas of the world have turned back to more general news?
B
Yeah, that's right. I mean, I think the timeline here and what went on is really a good example of how things can go from bad to worse. So over the weekend, the company was under pretty serious pressure in the wake of the attack, and things took a turn after there was a follow-on attack on its systems. So the company said that the attackers initially gained access to Canvas in late April by exploiting an issue in its Free-for-Teacher accounts. Soon after that, they said it was contained and that Canvas remained operational. The attackers' initial deadline passed without payment. The threat group then took additional steps to deface Canvas login pages, which school staff, parents and students all encountered. That happened before Instructure then decided to take the system offline. That complete outage is what caught national attention, right? It disrupted schoolwork, testing was canceled, access to critical systems nationwide was all down. So Canvas was back online and fully operational by the next day. But access was still spotty well into this week. A lot of schools were doing their own internal checks, right, to make sure that the system was secure, and they didn't want to just turn it on quickly. So that took time. But by the weekend, Instructure CEO Steve Daly was apologizing for the company's inconsistent and deficient public response to the attack. Pledged to improve. He also at that time admitted that usernames, email addresses, course information and enrollment information, also messages between staff, parents and students, was all exposed by this attack. So pretty much.
A
What? Yeah. What type of information? Think about it in terms of all these schools that you just mentioned. And like you said, it is K-12. But this couldn't have come at a worse time because it is finals time for all of the colleges that are using this platform. And you grind colleges to a halt during finals week and it is chaos. I mean, that's exactly what it results in.
B
Yeah, it's almost like it was done on purpose at this time. I mean, ultimate leverage at one of the most important points of any school year.
A
But what other data? I know you talked about names, addresses and enrollment, but what other data? Like, I think it's good to, you know, we talk about PII so much and of course, names, addresses, all of that is pretty standard. But what other sensitive information could have been rolled up into these records that this group threatened to leak?
B
Yeah, I think based on what they've admitted was leaked so far, I think those internal messages could be the damning or damaging ones. You know, we're talking about children here, the messages that they're having with their teachers, with staff, lots of internal communications there. This is like a central hub for a lot of school systems. So much of everything occurs across this system. Those messages would be like Slack would be for many enterprises. So lots of sensitive information could be there.
A
Well, unfortunately, Matt, I don't think ShinyHunters is going to be going away anytime soon. So brace for having you on again to talk about what other problems they have caused our society when it comes to these schemes that they keep launching. So thank you for keeping us abreast on all this. This was a big one. And I'm sure there will be more fallout, too, that you'll keep our readers up to date on as it comes out.
B
Of course. Thank you so much for having me on, Greg.
A
Thank you. Joining us on our interview segment this week is Anna Pham, security researcher with Huntress. And we're talking about the landscape of internal access brokers and the tactics they continue to use to support ransomware operations. We explain a lot about what we're really seeing in 2026, because internal access brokers are extremely, extremely stubborn, even as the infostealer malware that they use gets taken offline by law enforcement. We talk about fake browser updates, ClickFix attacks, exposed RDP, all of the ways that these groups continue to pull information and sell it off to the ransomware groups. So we really do get into what defenders can do as well, what they can do to look for ransomware deployment, why endpoint visibility is so important, and why, yes, of course, cyber hygiene still matters. Yes, I know you're probably rolling your eyes hearing that, but guess what? It still matters. It absolutely still matters. And internal access brokers are still taking advantage of bad hygiene. So we have another reminder for you to keep up with that hygiene. Check out our interview with Anna next. All right, joining us on this week's episode of Safe Mode is Anna Pham, a senior tactical response analyst at Huntress. I nailed that. There we go. Okay, we got the title. We're here at the 2026 RSAC conference talking with Anna, who has been giving some presentations around initial access brokerage and Sahush. And while AI is everywhere, the threats are still out there. In, I guess you could say, I don't know, traditional is the right word. But definitely ransomware is still a big, big threat and initial access brokers are definitely part of that chain, and we've been doing a lot of work there. So diving into it, what have we been seeing over the past year when it comes to initial access brokers? What vectors are you seeing more of, what is declining, or what does the landscape look like there?
C
So right now we're seeing a lot of, like, drive-by downloads, like Trojanized installers. People searching for the Signal messaging app, you know, or fake Spotify or other ones like AnyDesk, right. And they would get the malicious version of it, download it, and then it will drop like a C2 framework, right. We also see a lot of fake update pages, like when, you know, they compromise millions of websites, like SocGholish. Right. And then people visit the WordPress sites to read news or search for certain articles that they're interested in. And they would be redirected to the fake browser update page, and you know, it would prompt the user to update the browser and they would download the JavaScript payloads. That's been very efficient. We've seen over thousands of cases for the past year. And another technique is ClickFix for sure. So that's another threat actor that's working pretty closely with SocGholish, I would think. So they are delivering their payloads through the ClickFix attacks.
A
So the initial part of what you were talking about there, the fake Spotify or fake AnyDesk downloads, that almost seems so antiquated to me at this point given the threat landscape. But you're still saying that this is still paying dividends for these brokers?
C
Yes, we're seeing, yeah, we're seeing still a lot of that happening. And you know, if you remember a few years ago with the Google Ads, right, they would always, like, yeah, malvertising. They'll put like the first results in the search, right? And we've seen that lately actually with the rogue RMMs during the tax season, right, when people would search for, like, you know, tax and W-2 form. And the first link was the Google link. So they would go there, right, and download the ScreenConnect instance, the RMM, and that would give the threat actors access. Like, we saw them dropping the bring-your-own-vulnerable-driver to disable EDRs and antiviruses too. So that was a pretty interesting case that we're looking into.
A
So with what you are tracking on the marketplaces, what does, quote, unquote, good access look like right now? Like, what attributes are being constantly monetized?
C
I think right now the access to the environment, like RDP, right. So they're looking for that, anything that exposes the, you know, the organizations, and especially the organizations that have high profits. So they would check how much money the company is making that they, you know, attack, and they would open the ports, RDP ports. So they would hand it off to ransomware actors, right? So they can just enter it easily. So that's the initial access broker schema and the other side of threat actors, like, ecosystem. Because it's like a supply chain, right? Because there are also threat actors out there selling access, buying access and deploying ransomware. And they would sell the just stolen credentials to monetize crypto wallet addresses, so banking passwords, they can easily monetize that and stealing the identities too, right? Social Security.
A
So you don't see them being more granular about the technology that they're advertising, whether it might be like a SaaS-only platform or a privilege level? Like, do they reveal the extent of what they had access to, or is it just like you were saying, just credentials itself, and it's like, okay, I got the credentials, you guys can figure it out?
C
Yeah, they do reveal that in, like, the, you know, underground forums, right? Russian hacking forums, like Exploit forum, XSS forum. They would advertise what access we have, how much profit the company has. And this is the price, right? In the Russian market, you know, you would go there and you would see they would advertise what credentials they have, like for certain sites or for the certain emails, right?
A
So once that access is leveraged, what are the most common tooling patterns you're seeing in, like, a pre-ransom stage that correlate strongly with internal access broker-sourced access? Like, where is the chain going? Once that access is sold, where is the next step that you're seeing most often?
C
So once the access is sold, you know, like, we see a lot of, actually, like 90% of the time ransomware attacks start with exposed RDP and VPN, and you know, we've seen a lot of SonicWall vulnerabilities and Fortinet, you know, it's been always a thing. And then within the next few hours, few days, we would see Play ransomware being deployed after a Fortinet compromise or Akira after SonicWall. So that's usually how they enter. They would search on Censys or Shodan, right, the exposed ports. Like, if the clients have the exposed, you know, firewall, they would try to brute force the passwords, right, of the users, and especially some people that don't have MFA enabled on their VPN. So easy access for them.
A
I do feel that the VPN part of it has just been such a weak point. I feel like, I'm sure it's going back longer, but it feels like especially over the past three years, I mean, we've written a lot of stories about Ivanti. I know you said Fortinet, you said SonicWall. It feels like they are really under the gun with this stuff. And it has really shown to be a weak point in enterprise systems using these legacy VPNs. The attackers just know that if they have access to one of them, they're probably golden when it comes to them.
C
Exactly, yes. And companies again, like, tend to, you know, pay because they don't want to lose the data and they don't want to be extorted. Right.
A
So, in the data that you see, what are the highest signal indicators that access is being, like, stabilized for resale versus used immediately, and just going, this isn't going to be out here, like this is a one-time-only thing, if we burn this, it's going to be burned? Like, how much do you see the marketplace reacting or sort of leveraging that model of going, okay, this is going to be open for a while, versus this is a good one and it's going to be gone, come now or forever hold your peace?
C
Yeah. Usually the access is very lucrative for threat actors when they see the high profit for the company and they know that they're likely going to pay, and the easy access, like exposed RDP, and they can just get in. Right. Compared to other accesses where they have to do more to get into the network, you know, and move laterally, escalate the privileges. So with that, you know, the ransomware actor was just jumping right away. Right. If the, you know, pricing is good and they make a lot of money, like the company, right, you will see it being gone within like two, three days.
A
So how do you see the handoff working when an access broker actually makes a transaction? Is it just a clean transfer, or are they sharing infrastructure based on what they want to accomplish? Or is it a buyer bringing their own tooling and going, okay, thanks for the purchase, we'll take it from here?
C
Yeah. So I think that, you know, they have the internal, like, the whole ecosystem going on, like communications. Right. So we don't have that visibility, unfortunately. But yeah, usually they'll have a list of clients, like the portal, the panel, right, and be like, yeah, we're selling this for this price and this for this price. Right. And SocGholish working together with Cantuk, they're probably sharing the same panel, you know, to sell their initial access to ransomware predators. Right. Where they have all the clients' data and they kind of categorize it by the pricing and profit.
A
So what would you say in terms of, like, is there a way for defenders to find out before a ransomware attack occurs? Basically in between, almost like access brokers have made a sale and ransomware actors are poking around. Like, what are the earliest recognizable behaviors before encryption or exfil that say we have a problem, it could be worse, but there's somebody poking around, things might get a lot worse, but now's the time to take action? What is that?
C
Usually, you know, some of our clients, they have, like, the FBI messaging them, even, because they have some resources saying, like, hey, these ransomware threat actors are poking around your environment.
A
They used to be big on that too.
C
Yeah. And usually they have access, right, to the back end, like, infrastructure of threat actors, and they see the customer data in there and they see what they're going to do, and they receive those notifications. But when the threat actor is actually poking inside the environment, you would see just, like, reconnaissance commands, dropping Advanced IP Scanner under the Public folder. They'll just try to poke around, see what's going to happen. Create the backdoor user account, the administrator account, or they change the administrator password to what they prefer so they can easily log in and move laterally. Enabling RDP ports so they can RDP into other machines easily. Yeah, we see that a lot. Credential dumping too. Right.
A
So what are you seeing in terms of defenders missing the early signs? Like, we had data, but we missed those gaps. Like a lot of the examples that you brought up. Is it just a matter of security teams not checking through those alerts? Because we know that there's alert fatigue out there. So I'm wondering, is it just a matter of not paying attention or missing something? Or is it a mix of skill on the ransomware actors' part, where it's like, no, we're actually going to make sure that our work is good and not trigger anything and launch our schemes as best we can?
C
This is actually a great question, you know, because in cases where we see the ransomware events actually happening, occurring, we usually don't have our endpoints deployed on all hosts. It was just maybe those 10 hosts, and they kind of touched the hosts that we did not monitor. So we did not have visibility to that at all. Right. And when they already got to the domain controllers, that's game over. They already encrypted the files and we're looking at the agents we have installed, like, well, we're not installed everywhere. So we could not stop that from happening because they move laterally so fast from one machine to another. And I think that's the gap, because we're not deployed everywhere, we're lacking the visibility into the endpoints. Right, so and then once they get to your servers, to EVM, like backups, right, it's gone.
A
Yeah, yeah. And you know, once they're there, things are going to get bad. Right. So kind of in the same vein, what hardening actions most reduce access brokers' ROI without, like, a massive spend? Like, what can be done without buying eight different backup services or, you know, ripping out every VPN? Because look, this stuff does get expensive and CISOs obviously have to make a budgetary decision. So what can be done that is a hardening action but isn't necessarily just, oh, let's rebuild the whole system so we don't have this problem anymore?
C
Yeah. Security awareness training of course is important, right, because we still see malware as a service delivering, again, being initial access brokers. So training people around the ClickFix theme. Right? The drive-by downloads, again, very efficient. Another way is to stop exposing your RDP ports, right? Stop exposing your LDAP or SMB, all of that, because you know, that's like a hotspot for the threat actors, you just attack the easy, like, low-hanging fruits, right? Enable complex passwords for your VPN credentials, enable MFA, multi-factor authentication. It's very important because, again, brute forcing it works.
A
Right, what about the non-human identities part of this too? Because I know inside enterprises, with the advent of AI, so much is being farmed out to, not so much now, but it's going to come, like, just gigantic AI. And there's obviously non-human identities that are inside enterprises right now that are doing automated work. So I'm wondering what more could be done on that side of things. Because the attackers clearly know that some of these identities don't have a human attached to it.
C
Are you talking about the AI? Let's just say it, sure.
A
Agentic AI, there's a little bit of AI, but then also just non-human identities inside an enterprise for whatever purposes that are guarding, not so much guarding, but protecting those systems, the way that they're being used depending on what enterprise it is. So is that something that needs to be worked into the calculus as well?
C
I don't think so. Because, you know, like, at Huntress we use agentic AI, right. But we still need a human to operate behind that. I don't think other companies would ever put AI in front of the door to protect. Right. Because we cannot still trust AI 100%. It hallucinates, as we've seen before. And I do, I would not recommend just use AI without a human driving, being behind the wheels.
A
So what is the next big shift for internal access brokers? Is it more of the same, or where do you see them moving?
C
I see them, you know, moving to, again, like, you know, low-hanging fruits, right. VPN, exposed ports. Because malware as a service, it does not work really well now because we have all these fancy EDR tools that stop them. We have Defender, right. ClickFix is not working that well anymore. Like, you know, okay, I mean, the user pastes the command, executes it, but it won't go too far if you have, like, the EDR solutions. Right. So they have to come up with something better, right. Whether it's going to be exploiting a vulnerability. But more and more often we see, again, exposed ports, RDP ports, VPN being initial access. And I'm seeing them moving towards that because it works, right.
A
It's almost like, I'm going to say it, it really does sound like more of the same. Like, it just seems that they have the method to their madness and they continue using it just because it continues to work. So it doesn't sound like they're moving off of anything, just the ports. Like you just said, ports, VPNs. It just sounds like this scheme continues to proliferate using the same strategies that they've always used.
C
Yeah, because a lot of times when we say to the client, hey, you have, like, RDWeb, RDP exposed, they would have no idea. Like, oh, we didn't know this machine was exposing this. Like, you know, let us go and close it. So clients sometimes have no clue, right.
A
And so it really does sound like a lot of this just comes down to cyber hygiene. And the big cyber hygiene part being visibility, which, I feel like, I don't know in your opinion, it seems easier said than done. Like, I talk to CISOs both in the public sector and the private sector that, you know, are tasked with defending their enterprises, and we talk about visibility and they roll their eyes because they're like, what do you want me to do? Like, I have thousands upon thousands of endpoints. It's really an impossibility. Do you hear the same thing, or?
C
It's a lot of work. It's a lot of work. That's why we see a lot of companies hire pen testers to just, you know, find the weak spot, and that's how you can usually prevent yourself. Like, you know where your weak spot is, you know where your exposed ports are at, because you've been, you know, using the penetration testing solutions. I feel like.
A
So is there anything else besides visibility that can help cut down this issue? I imagine on the identity side, is it a lot more of the same cyber hygiene? That's password managers.
C
Oh yeah.
A
Normal key rotation, auditing who has access to what. A lot of the same there.
C
Yeah, like least privilege, you know, make sure that you don't have enough privileges. So if they attack your account, they compromise credentials to your account, then you don't have enough privileges to move laterally to domain controllers and do bad stuff there. Right. That's perfect. But yeah. So it's like complex passwords again. Right, again, MFA. Even with password managers, if they get, some of the stealers, they get the credentials, like the master passwords, the configuration files for the password managers. So make sure the master passwords are also complicated. Right. Long, not like 1234, like "password" something 2018.
A
Yeah, I do all the same, password managers. Hey, covering this for a decade, I've managed to put my own cyber hygiene into it. So I guess a lot of enterprises could follow that advice too.
C
Yeah, that's super cool. And make sure your browsers are updated, right, to the newest version. Again, like with Chrome being the newer version, 1.35 and up, the developer kind of made it harder for stealers to decrypt the cookies. So they have to go an extra step to be able to get the decryption key to decrypt the Google Chrome cookies or Chromium cookies. Right. So in order to do that they'll have to inject themselves under the trusted Google Chrome process and then, you know, grab the decryption key, which is going to be, you know, a bit more steps for the threat actors, more steps for stealers. And by the time they're going to do some injections under a certain process, the EDR would flag it, right? Or the monitoring tools. So make sure you keep everything up to date and patched.
A
There we go. Hey, even in the world of agentic AI and all the new technology that's being talked about at this conference, it's still good to have a conversation and say, hey, the basics still matter. Change passwords, patch your stuff, watch your ports, and we'll avoid the initial access brokers. So, Anna, thanks for joining the program. I really appreciate your time.
C
Yep, thank you so much for having me. Appreciate that.
A
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co-workers, your CISOs, your sysadmins, your mom, your dad. Anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
"Why Access Brokers Have Stubbornly Remained Successful"
Date: May 14, 2026
Host: Greg Otto (Editor-in-Chief, CyberScoop)
Guests: Matt Kapko (Reporter, CyberScoop), Anna Pham (Senior Tactical Response Analyst, Huntress Labs)
This episode examines why internal access brokers remain a persistent, successful threat in 2026, despite law enforcement crackdowns and evolving security tools. Host Greg Otto first covers the fallout of the high-profile Canvas cyberattack with reporter Matt Kapko, then dives into current access broker tactics, ransomware linkages, and defensive best practices through an in-depth RSA Conference interview with analyst Anna Pham.
Guest: Matt Kapko
Timestamps: 00:30 – 09:56
Overview of the Canvas Attack
Ransom Payment Context
Attack Timeline & Impact
Types of Stolen Data
Strategic Timing
Guest: Anna Pham
Timestamps: 09:56 – 31:00
Access Broker Tactics in 2026
Marketplace for Access – What Sells
Pre-Ransomware Tooling Patterns
Market Behavior: Resale vs. Immediate Use
Defender Blind Spots and Failures
Effective (and Affordable) Hardening Steps
Non-Human Identities and AI
Why Schemes Persist: The Same Old Weaknesses
On defender challenges:
“A lot of companies hire pen testers to just find the weak spot, and that's how you can usually prevent yourself—know where your weak spot is, know where your exposed ports are.” – Anna Pham [28:11]
On AI gatekeeping:
“I would not recommend just use AI without a human driving being behind the wheels.” – Anna Pham [25:32]
On fundamentals:
“Even in the world of agentic AI and all the new technology...the basics still matter. Change passwords, patch your stuff, watch your ports, and we'll avoid the initial access brokers.” – Greg Otto [30:40]
This episode powerfully underscores that despite technological advances and law enforcement crackdowns, access brokers are thriving by capitalizing on persistent security fundamentals that too often go unaddressed. The same attack pathways keep succeeding, with ransomware groups buying their way inside—so the best defense is diligent visibility, consistent patching, password hygiene, and ongoing awareness. The basics remain undefeated.