Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Hackers Compromise 62 Colleges via Campus ERP Platform

Hackers have managed to compromise 62 colleges and universities by exploiting a vulnerability in the Ellucian Banner system, the U.S. Department of Education warns.

Hackers have managed to compromise 62 colleges and universities by exploiting a vulnerability in the Ellucian Banner system, the U.S. Department of Education warns.

The vulnerability resides in Banner Web Tailor, a tool designed for registration, curriculum management, advising, administration, and reporting. It allows students to access and change their registration, graduation, and financial aid information. Ellucian Banner Enterprise Identity Services is also impacted. 

Tracked as CVE-2019-8978, the issue is triggered when SSO Manager is used as the authentication mechanism for Web Tailor. This could result in information disclosure and loss of data integrity for the impacted users, Joshua Mulliken explains in an advisory

The vulnerability was discovered in December 2018 and a patch has been available for a couple of months. Only Ellucian Banner Web Tailor versions 8.8.3, and 8.8.4, and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 are affected by the security flaw. 

Attackers targeting the vulnerability can steal a victim’s session and then log into the Banner system. The attackers would then be able to perform various operations, depending on the administrative privileges granted to the affected account. 

“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation,” the Department of Education warns.

Once the attackers gain access to the system, they leverage scripts in the admissions or enrollment sections to create multiple student accounts, the alert reads. 

Affected institutions reported the creation of at least 600 fake or fraudulent student accounts within a 24-hour period. Over the course of multiple days, the attackers created thousands of fake student accounts, some of which were leveraged almost immediately for criminal activity. 

Advertisement. Scroll to continue reading.

“Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct. The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products,” Ellucian claims

The company notes that the attackers are utilizing bots to submit fraudulent admissions applications and to obtain institution email addresses through accessing application portals.

The company also notes that, while Banner Web Tailor 8.9 was also listed as affected by the vulnerability, it is not affected. Patches for the impacted software versions were released on May 14, 2019 and are included in all subsequent roll-up software releases, the company says. 

“There is no indication that student or institutional data has been compromised. The patched vulnerability is extremely difficult to exploit and unlikely to occur outside of a laboratory setting,” Ellucian says. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.