Hackers have breached the systems of 62 colleges and universities by exploiting a vulnerability in an enterprise resource planning (ERP) web app, the US Department of Education said in a security alert sent out this week.
The vulnerability is in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP that lets universities customize their front-facing web applications. The vulnerability also impacts Ellucian Banner Enterprise Identity Services, a module for managing user accounts.
Earlier this year, a security researcher named Joshua Mulliken discovered a vulnerability in the authentication mechanism used by the two modules that can allow remote attackers to hijack victims’ web sessions and gain access to their accounts.
Ellucian fixed the vulnerability in May, and public disclosures were published by both the researcher and NIST (see CVE-2019-8978).
Vulnerability exploited in the wild
But in a security alert published on Wednesday, the Department of Education says hackers have started exploiting this vulnerability.
“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability,” officials said.
“We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.”
The Department of Education said victims of the attacks reported that after breaking into their systems, attackers “leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.”
One victim reported that the attackers created thousands of fake accounts over days, with around 600 accounts created during a 24-hour period.
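The account-creation pattern described above (hundreds of self-service registrations per day from the admissions flow) is something a defender can watch for in web server logs. The following detector is an added example, not code from the article or from Ellucian; the log format, the `/admissions/create_account` path and the sample lines are all constructed placeholders, and the threshold would be tuned to an institution's normal daily baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source creating accounts in a burst, plus normal
# traffic. Format: "timestamp source_ip method path status".
# /admissions/create_account is a hypothetical path, not a real Banner endpoint.
SAMPLE_LOG = """\
2019-07-15T01:00:00 203.0.113.5 POST /admissions/create_account 200
2019-07-15T01:00:03 203.0.113.5 POST /admissions/create_account 200
2019-07-15T01:00:07 203.0.113.5 POST /admissions/create_account 200
2019-07-15T01:00:11 203.0.113.5 POST /admissions/create_account 200
2019-07-15T01:00:15 203.0.113.5 POST /admissions/create_account 200
2019-07-15T01:00:19 203.0.113.5 POST /admissions/create_account 200
2019-07-15T09:30:00 198.51.100.7 POST /admissions/create_account 200
2019-07-15T09:31:00 198.51.100.7 GET /admissions/status 200
2019-07-16T14:00:00 198.51.100.9 POST /admissions/create_account 200
"""

CREATE_PATH = "/admissions/create_account"  # hypothetical registration endpoint


def parse_log(text):
    """Parse 'timestamp ip method path status' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, method, path, status = line.split()
        events.append((datetime.fromisoformat(ts), ip, method, path, int(status)))
    return events


def account_creation_bursts(events, threshold=5, window=timedelta(hours=24)):
    """Return {ip: peak_count} for sources whose successful account-creation
    POSTs reach the threshold within any sliding window of the given length."""
    per_ip = defaultdict(list)
    for ts, ip, method, path, status in events:
        if method == "POST" and path == CREATE_PATH and status == 200:
            per_ip[ip].append(ts)
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


if __name__ == "__main__":
    print(account_creation_bursts(parse_log(SAMPLE_LOG)))
```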
Fake accounts used for “criminal activity”
Officials said the accounts were used “almost immediately for criminal activity,” but did not provide any details about the nature of the activity.
Since the Ellucian Banner Web Tailor system is connected to the rest of the ERP, department officials said they were concerned that hackers might gain access to students’ financial aid data.
Officials are now urging colleges and universities that run vulnerable versions of the ERP modules to apply the patches.
According to its website, the Ellucian Banner ERP is used by over 1,400 colleges, universities, and other institutions. An Ellucian spokesperson did not reply to a request for additional information before this article's publication. An update will be added if ZDNet hears back.
Article source: https://www.zdnet.com/article/hackers-breach-62-us-colleges-by-exploiting-erp-vulnerability/#ftag=RSSbaffb68