Hackers Compromise 62 Colleges via Campus ERP Platform

Hackers have managed to compromise 62 colleges and universities by exploiting a vulnerability in the Ellucian Banner system, the U.S. Department of Education warns.

The vulnerability resides in Banner Web Tailor, a tool designed for registration, curriculum management, advising, administration, and reporting. It allows students to access and change their registration, graduation, and financial aid information. Ellucian Banner Enterprise Identity Services is also impacted. 

Tracked as CVE-2019-8978, the issue is triggered when SSO Manager is used as the authentication mechanism for Web Tailor. This could result in information disclosure and loss of data integrity for the impacted users, Joshua Mulliken explains in an advisory. 

The vulnerability was discovered in December 2018 and a patch has been available for a couple of months. Only Ellucian Banner Web Tailor versions 8.8.3, and 8.8.4, and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 are affected by the security flaw. 

Attackers targeting the vulnerability can steal a victim’s session and then log into the Banner system. The attackers would then be able to perform various operations, depending on the administrative privileges granted to the affected account. 

“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation,” the Department of Education warns.

Once the attackers gain access to the system, they leverage scripts in the admissions or enrollment sections to create multiple student accounts, the alert reads. 

Affected institutions reported the creation of at least 600 fake or fraudulent student accounts within a 24-hour period. Over the course of multiple days, the attackers created thousands of fake student accounts, some of which were leveraged almost immediately for criminal activity. 

“Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct. The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products,” Ellucian claims. 

The company notes that the attackers are utilizing bots to submit fraudulent admissions applications and to obtain institution email addresses through accessing application portals.

The company also notes that, while Banner Web Tailor 8.9 was also listed as affected by the vulnerability, it is not affected. Patches for the impacted software versions were released on May 14, 2019 and are included in all subsequent roll-up software releases, the company says. 

“There is no indication that student or institutional data has been compromised. The patched vulnerability is extremely difficult to exploit and unlikely to occur outside of a laboratory setting,” Ellucian says.