- Hackers managed to find their way into the ERP systems of 62 colleges and universities in the United States.
- The US Department of Education blames an Ellucian vulnerability, but the platform denies this is the problem.
- Hackers could have accessed student financial aid information, or they may have stolen money from the educational institutes.
As per a recent report by ZDNet, the US Department of Education has circulated a security alert across 62 colleges and universities in the country that have been breached by hackers. In all cases, the attackers exploited a vulnerability in the Ellucian Banner ERP (Enterprise Resource Planning), and more specifically, a flaw in a user account management module. Ellucian's software is focused on the education market, so it is widely used in the field, with more than 1,400 educational institutes deploying it at some level.
The particular vulnerability that was exploited had been known for almost two months and was disclosed together with the release of the patch that fixes it. Carrying the identifier “CVE-2019-8978”, the vulnerability involves a race condition in the Ellucian Banner Web Tailor and the Banner Enterprise Identity Services, in conjunction with the SSO Manager. Even though the problem had been fixed for quite some time, attackers still found systems that weren’t updated, and so they managed to break in. More specifically, the Department of Education states that it has monitored scanning activity meant to pinpoint vulnerable targets by checking which modules are in use and what their versions are.
Once the hackers established their presence in the compromised systems, they created thousands of fake accounts over a short period of just a couple of days. In the first 24 hours alone, they created 600 accounts. They then used these newly created accounts for criminal activity almost immediately, but officials did not clarify what exactly this activity entails. Since many colleges and universities store the financial details of their students in their ERP systems, there is great concern that the attackers may have stolen sensitive financial aid information.
All that said, Ellucian believes that the breaches are not a result of the aforementioned flaw, but of a vulnerability that underpins a wide range of ERP products and online platforms in general. Ellucian thinks that the attackers are submitting fraudulent admission applications via the associated portals and automating this process by using bots. This explains the large number of accounts created in such short periods of time. Ellucian recommends adding reCAPTCHA systems to the institutions’ Web portals to help filter out the bots.
Update on August 12: On August 6, the Department of Education (Department) issued an update to its previous security alert (from July 17). To date, the Department has not found any instances where the known Banner vulnerability has been exploited or where it is related to the issues described in the original alert. Additionally, Ellucian has conducted its own research and monitoring that has produced no evidence of any attempt to attack the Banner vulnerability.