Posted on July 20, 2019 at 12:09 PM
Hackers have abused a vulnerability in software used by colleges and universities to gain access to student information such as Social Security numbers, personal financial information, and grades.
The US Department of Education (DoE) issued a security alert earlier this week stating that 62 universities and colleges had been affected. Data acquired by the hackers was used to create fake accounts for criminal purposes.
The vulnerability impacts Ellucian Banner Enterprise Identity Services and Ellucian Banner Web Tailor, both modules of the Ellucian Banner ERP system.
It appears that attackers were able to take over user sessions when they attempted to log in.
It has been alleged that these criminal elements have been actively scanning the internet for institutions running the flawed software. This reconnaissance gave them a list of institutions to victimize. The hackers would then gain access to the system once a legitimate user logged in. How much information they could obtain, and how far into the systems they could get, depended on the administrative rights of the user whose session they hijacked.
Using these means, they could eventually move laterally through the institution’s system and access personal and sensitive data – data that is usually protected by law.
Hackers were also potentially able to manipulate this information, for example by altering personal data or grades, or by denying students financial aid.
While there have been many reports that the data was then used for criminal purposes, no details have been provided on the nature or extent of the activity.
The FSA has stated that affected institutions reported the vulnerability being exploited to manipulate enrolment or admissions systems, as well as to create hundreds of fake student accounts in a matter of days.
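The FSA's description above gives defenders a concrete signal to look for: a burst of account creations in a short window. The following is an added example, not code from the article or from Ellucian, that runs a sliding-window burst detector over constructed account-creation log lines. The log format, field names and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> account_created user=<id> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account_created user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source creates six accounts inside nine minutes,
# another creates two accounts hours apart, and one line is malformed.
SAMPLE_LOG = """\
2019-07-15T08:01:10Z account_created user=stu10231 src=203.0.113.7
2019-07-15T08:02:05Z account_created user=stu10232 src=203.0.113.7
2019-07-15T08:03:44Z account_created user=stu10233 src=203.0.113.7
2019-07-15T08:05:02Z account_created user=stu10234 src=203.0.113.7
2019-07-15T08:07:30Z account_created user=stu10235 src=203.0.113.7
2019-07-15T08:09:58Z account_created user=stu10236 src=203.0.113.7
2019-07-15T09:00:00Z account_created user=stu10240 src=198.51.100.4
this line is not a well-formed event
2019-07-15T14:00:00Z account_created user=stu10241 src=198.51.100.4
"""


def parse_line(line):
    """Return (timestamp, user, src) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ts, m["user"], m["src"]


def find_bursts(lines, window_seconds=600, threshold=5):
    """Flag sources that created >= threshold accounts within any window.

    Returns {src: peak_count_in_window} for every source over the threshold.
    """
    stamps_by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        ts, _user, src = parsed
        stamps_by_src[src].append(ts)

    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"burst: {count} accounts from {src} within 10 minutes")
```

The per-source window is one possible key; keying on the creating administrator's session or on the registering browser fingerprint would catch the same pattern when the creations come from many addresses.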
The chief information security officer at Ellucian emailed a statement saying that there was no connection between the security vulnerability and the generation of fake accounts; the two issues were entirely unrelated.
Ellucian operates in over 50 countries, providing software solutions to more than 2,500 institutions serving students, colleges, and universities. With more than five decades of experience, it supplies software that helps organize data and workflow for tasks such as staff payroll, student grades, student financial aid, and admissions.
Ellucian fixed the vulnerability two months ago with a patch that customers need to download and apply. However, the DoE stated only this week that hackers have started exploiting the vulnerability. It is unclear why there is a two-month gap between the release of the patch and this statement.
On 14 May 2019, the patch was released, and an update was posted stating that a vulnerability had been discovered in the user verification mechanism used by the two modules. The weakness meant that attackers could remotely hijack victims' web sessions and access their account details.
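The article does not describe the internal details of the Ellucian flaw, only that sessions could be hijacked around login. The following is an added example, not Ellucian's code, of the general property a login flow must have to resist that class of attack: a session identifier that existed before authentication must never become an authenticated session, and an authenticated session must be bound to exactly one verified principal. The in-memory stores, demo credentials and function names are assumptions constructed for the illustration.

```python
import hmac
import secrets

# Constructed demo credential store; a real system checks a salted password hash.
USERS = {"alice": "pw-alice", "bob": "pw-bob"}

# Constructed in-memory session store: session_id -> {"user": str | None}
SESSIONS = {}


def new_session():
    """Issue an anonymous (pre-authentication) session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def _credentials_ok(username, password):
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def weak_login(sid, username, password):
    """Weak pattern: authenticate the session in place.

    The id the client presented before login is the same id that now
    carries the authenticated user, so anyone who learned or planted the
    pre-login id now holds an authenticated session.
    """
    if sid not in SESSIONS or not _credentials_ok(username, password):
        return None
    SESSIONS[sid]["user"] = username
    return sid


def hardened_login(sid, username, password):
    """Hardened pattern: discard the pre-login session and issue a fresh id.

    The new id is created only after the credentials are verified and is
    bound to that principal at creation, so no pre-authentication id ever
    becomes an authenticated one.
    """
    if not _credentials_ok(username, password):
        return None
    SESSIONS.pop(sid, None)  # the old id is invalidated, not reused
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username}
    return new_sid


def whoami(sid):
    """Return the user bound to a session id, or None if unauthenticated."""
    return SESSIONS.get(sid, {}).get("user")


if __name__ == "__main__":
    pre = new_session()
    weak_login(pre, "alice", "pw-alice")
    print("weak: pre-login id now authenticates as", whoami(pre))
    pre = new_session()
    fresh = hardened_login(pre, "bob", "pw-bob")
    print("hardened: old id ->", whoami(pre), "| new id ->", whoami(fresh))
```

In practice this is the "regenerate the session on authentication" step that most web frameworks expose as a single call; the point of spelling it out is the invariant it enforces, which is what a code review of any login path should check for.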
What happens now?
Institutions that use these two modules are strongly advised to apply the patches to close the vulnerability in their systems. Institutions are also encouraged to upgrade their Enterprise Identity Services or Web Tailor modules if they have not already done so.
Institutions would also be well advised to contact the FSA team to determine whether they have suffered a data breach.
The latest version of Ellucian's ERP system is Banner 9. Institutions that have already switched to this version are believed to be unaffected by this issue.