[BreachExchange] Over 60 US Colleges Compromised by ERP Exploit

Destry Winant destry at riskbasedsecurity.com
Tue Jul 23 01:44:16 EDT 2019


https://www.infosecurity-magazine.com/news/over-60-us-colleges-compromised-by/

Scores of US colleges and universities have been compromised after
hackers exploited a vulnerability in popular ERP software, according
to the Department of Education.

The government revealed the campaign in an alert last week, explaining
that the flaw in question exists in the Ellucian Banner Web Tailor
versions 8.8.3, 8.8.4, and 8.9, and Banner Enterprise Identity
Services versions 8.3, 8.3.1, 8.3.2, and 8.4.

The former is a module of the Ellucian Banner ERP platform which
allows organizations to customize their web apps. The latter is
employed to manage user accounts.

The vulnerability in question, CVE-2019-8978, is an “improper
authentication” flaw which has a CVSS 3.0 score of 8.1 (high) and
could allow attackers to remotely access user accounts.

“This vulnerability allows remote attackers to steal a victim's
session (and cause a denial of service) by repeatedly requesting the
initial Banner Web Tailor main page with the IDMSESSID cookie set to
the victim's UDCID, which in the case tested is the institutional ID,”
noted a NIST advisory. “During a login attempt by a victim, the
attacker can leverage the race condition and will be issued the SESSID
that was meant for this victim.”

The education department has now identified 62 colleges that have been
affected by the flaw, after revealing that it spotted cyber-criminals
actively scanning for organizations that had yet to patch.

“Victimized institutions have indicated that the attackers exploit the
vulnerability and then leverage scripts in the admissions or enrolment
section of the affected Banner system to create multiple student
accounts,” the notice explained.

“It has been reported that at least 600 fake or fraudulent student
accounts were created within a 24-hour period, with the activity
continuing over multiple days resulting in the creation of thousands
of fake student accounts. Some of these accounts appear to be
leveraged almost immediately for criminal activity.”
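The two observables the advisory and the notice describe above, repeated requests to the Banner Web Tailor main page carrying an IDMSESSID cookie, and bursts of student-account creation, can both be checked for in web server logs. The following is an added detection example written for this post; it is not code from the article, the Department of Education, NIST or Ellucian. The log line format, the URL paths (`/webtailor/main`, `/admissions/create_account`), the client addresses and the thresholds are all constructed or assumed for illustration and will need to be mapped onto a real Banner deployment; only the cookie name IDMSESSID comes from the advisory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<date> <time> <client ip> "<METHOD> <path>" cookie="<Cookie header>"
# Real Banner front ends will log differently; adjust LOG_RE and the path constants to match.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" cookie="(?P<cookie>[^"]*)"$'
)

# Placeholder paths (assumption, not taken from Ellucian documentation).
WEBTAILOR_MAIN = "/webtailor/main"
ACCOUNT_CREATE = "/admissions/create_account"

# Thresholds (assumption): tune against your own baseline traffic.
REPLAY_THRESHOLD = 20          # main-page requests with IDMSESSID set, per client, per window
REPLAY_WINDOW = timedelta(seconds=60)
ACCOUNT_BURST_THRESHOLD = 50   # account creations per clock hour


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def has_idmsessid(cookie_header):
    """True when the client presents a non-empty IDMSESSID cookie (the cookie named in the advisory)."""
    return re.search(r'(?:^|;\s*)IDMSESSID=[^;]+', cookie_header) is not None


def find_session_hammering(records):
    """Flag clients that repeatedly request the Web Tailor main page with IDMSESSID set.

    Keeps a sliding window of request times per client; returns {ip: peak requests in window}
    for every client that reached REPLAY_THRESHOLD within REPLAY_WINDOW.
    """
    windows = defaultdict(deque)
    flagged = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["path"] != WEBTAILOR_MAIN or not has_idmsessid(r["cookie"]):
            continue
        q = windows[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > REPLAY_WINDOW:
            q.popleft()
        if len(q) >= REPLAY_THRESHOLD:
            flagged[r["ip"]] = max(flagged.get(r["ip"], 0), len(q))
    return flagged


def find_account_bursts(records):
    """Count account-creation POSTs per clock hour; return the hours at or above the burst threshold."""
    per_hour = defaultdict(int)
    for r in records:
        if r["method"] == "POST" and r["path"] == ACCOUNT_CREATE:
            per_hour[r["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return {hour: n for hour, n in per_hour.items() if n >= ACCOUNT_BURST_THRESHOLD}


def analyze(lines):
    """Run both checks over raw log lines; returns (hammering clients, account-creation bursts)."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    return find_session_hammering(records), find_account_bursts(records)


def build_sample_log():
    """Constructed sample log: a little benign traffic, one client hammering the main page,
    and one hour in which far more accounts are created than usual. Addresses are documentation ranges."""
    base = datetime(2019, 7, 15, 9, 0, 0)
    lines = []
    # Benign: five clients each load the main page once with their own session cookie.
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f'{t:%Y-%m-%d %H:%M:%S} 10.0.0.{i + 1} "GET {WEBTAILOR_MAIN}" cookie="IDMSESSID=sess{i}"')
    # Suspicious: 40 main-page requests in 40 seconds from one client, all with IDMSESSID set.
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f'{t:%Y-%m-%d %H:%M:%S} 203.0.113.7 "GET {WEBTAILOR_MAIN}" cookie="IDMSESSID=900123456"')
    # Suspicious: 80 account creations inside the 09:00 hour from a small pool of addresses.
    for i in range(80):
        t = base + timedelta(minutes=i % 60)
        lines.append(f'{t:%Y-%m-%d %H:%M:%S} 198.51.100.{i % 20 + 1} "POST {ACCOUNT_CREATE}" cookie=""')
    return lines


if __name__ == "__main__":
    hammering, bursts = analyze(build_sample_log())
    for ip, peak in hammering.items():
        print(f"session hammering: {ip} reached {peak} main-page requests with IDMSESSID set in {REPLAY_WINDOW}")
    for hour, n in sorted(bursts.items()):
        print(f"account-creation burst: {n} new accounts in the hour starting {hour:%Y-%m-%d %H:%M}")
```

The sliding window is deliberately per client, so a campus full of ordinary users each loading the page once with their own cookie never trips it, while a single source repeating the request many times a minute does. The account-creation count is the cheaper of the two checks and is worth running even where request logs lack the Cookie header; the notice's figure of at least 600 accounts in 24 hours is far above what most admissions pages see, so an hourly count against a baseline gives an early signal.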

It's unclear exactly what criminal activity was afoot, although the
notice warned that because Banner “affects or influences all aspects
of academic administration,” the vulnerability could put financial aid
data at risk.

