Scores of US colleges and universities have been compromised after hackers exploited a vulnerability in popular ERP software, according to the Department of Education.
The government revealed the campaign in an alert last week, explaining that the flaw in question exists in the Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9, and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.
The former is a module of the Ellucian Banner ERP platform which allows organizations to customize their web apps. The latter is employed to manage user accounts.
The vulnerability in question, CVE-2019-8978, is an “improper authentication” flaw which has a CVSS 3.0 score of 8.1 (high) and could allow attackers to remotely access user accounts.
“This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID,” noted a NIST advisory. “During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.”
The education department has now identified 62 colleges that have been affected by the flaw, after revealing that it spotted cyber-criminals actively scanning for organizations that had yet to patch.
“Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrolment section of the affected Banner system to create multiple student accounts,” the notice explained.
“It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.”
It's unclear exactly what criminal activity was afoot, although the notice warned that because Banner “affects or influences all aspects of academic administration,” the vulnerability could put financial aid data at risk.
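Both indicators the notice describes leave a trail in ordinary web server logs: the NIST description amounts to one client repeatedly requesting the Web Tailor main page with a fixed IDMSESSID cookie, and the fraud pattern is a burst of account-creation requests far above normal admissions volume. The script below, added here as an illustration and not code from the Department of Education, NIST or Ellucian, parses a constructed access log and flags both patterns. It assumes the web server has been configured to log the Cookie header as a trailing quoted field, and the paths `/banner/main` and `/banner/admissions/create` are hypothetical stand-ins for the real main-page and admissions endpoints of a given deployment; the thresholds are starting points to tune against a site's own baseline.

```python
"""Flag two Banner-related indicators in web access logs (added example, assumed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed format: Apache-style prefix plus the request's Cookie header as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical paths: replace with the real Web Tailor main page and admissions endpoints.
MAIN_PAGE = "/banner/main"
ACCOUNT_CREATE = "/banner/admissions/create"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    cm = re.search(r"(?:^|;\s*)IDMSESSID=([^;]+)", d["cookie"])
    d["idmsessid"] = cm.group(1) if cm else None
    return d


def _peak_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_session_hammering(events, window=timedelta(seconds=60), threshold=20):
    """(ip, IDMSESSID) pairs that request the main page `threshold` or more times within `window`.

    A real user presents the main page with a given IDMSESSID a handful of times; a client
    replaying the same cookie value at high rate matches the race-condition pattern.
    """
    buckets = defaultdict(list)
    for e in events:
        if e["path"] == MAIN_PAGE and e["idmsessid"]:
            buckets[(e["ip"], e["idmsessid"])].append(e["ts"])
    return {k for k, ts in buckets.items() if _peak_in_window(ts, window) >= threshold}


def find_account_bursts(events, window=timedelta(hours=1)):
    """Peak number of successful account-creation POSTs seen in any one-hour window."""
    times = [e["ts"] for e in events
             if e["method"] == "POST" and e["path"] == ACCOUNT_CREATE and e["status"] == "200"]
    return _peak_in_window(times, window)


def _line(ip, ts, method, path, status, cookie):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} "{cookie}"'


def build_sample_log():
    """Constructed sample log: one legitimate user, one cookie-replaying client, one sign-up burst."""
    base = datetime(2019, 7, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):  # legitimate user, three page views over fifteen minutes
        lines.append(_line("203.0.113.10", base + timedelta(minutes=5 * i),
                           "GET", MAIN_PAGE, 200, "IDMSESSID=ABC"))
    for i in range(25):  # one client, same IDMSESSID value, 25 requests in 25 seconds
        lines.append(_line("198.51.100.7", base + timedelta(seconds=i),
                           "GET", MAIN_PAGE, 200, "IDMSESSID=900123456; lang=en"))
    for i in range(60):  # 60 account creations in 20 minutes from a small pool of addresses
        lines.append(_line(f"192.0.2.{i % 20}", base + timedelta(seconds=20 * i),
                           "POST", ACCOUNT_CREATE, 200, "-"))
    return lines


EVENTS = [e for e in map(parse_line, build_sample_log()) if e]

if __name__ == "__main__":
    print("cookie replay suspects:", find_session_hammering(EVENTS))
    print("peak account creations per hour:", find_account_bursts(EVENTS))
```

Run against real logs, the first check should be paired with the server-side fix of patching to a version that is not affected, since detection only tells you a replay is under way; the second check is useful regardless of the vulnerability, because the update to the alert attributes the fraudulent applications to automated submissions rather than to the flaw itself.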
UPDATE 12/08/2019:
Research by the Department of Education has found:
- No instances where the known Banner vulnerability has been exploited or where it is related to the issues described in the original alert
- An industry-wide issue in which attackers use automation tools to submit fraudulent admission applications in order to obtain new student accounts