Hackers breach 62 US colleges by exploiting ERP vulnerability

July 19, 2019

Hackers have breached the systems of 62 colleges and universities by exploiting a vulnerability in an enterprise resource planning (ERP) web app, the US Department of Education said in a security alert sent out this week.

The vulnerability is in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP that lets universities customize their front-facing web applications. The vulnerability also impacts Ellucian Banner Enterprise Identity Services, a module for managing user accounts.

Earlier this year, a security researcher named Joshua Mulliken discovered a vulnerability in the authentication mechanism used by the two modules that can allow remote attackers to hijack victims’ web sessions and gain access to their accounts.

Ellucian fixed the vulnerability in May, and a public disclosure was published, by both the researcher and NIST (see CVE-2019-8978).

Vulnerability exploited in the wild

But in a security alert published on Wednesday, the Department of Education says hackers have started exploiting this vulnerability.

“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability,” officials said.

“We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.”

The Department of Education said victims of the attacks reported that after breaking into their systems, attackers “leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.”

One victim reported that the attackers created thousands of fake accounts over days, with around 600 accounts created during a 24-hour period.

Fake accounts used for “criminal activity”

Officials said the accounts were used “almost immediately for criminal activity,” but did not provide any details about the nature of the activity.

Since the Ellucian Banner Web Tailor system is connected to the rest of the ERP, department officials said they were concerned that hackers might gain access to students’ financial aid data.

Officials are now urging colleges and universities which use versions of the ERP modules that are vulnerable to apply patches.

According to its website, the Ellucian Banner ERP is used by over 1,400 colleges, universities, and other institutions. An Ellucian spokesperson did not reply to a request for additional information before this article’s publication. An update will be added, if ZDNet hears back.