Hackers target 62 US colleges by exploiting ERP vulnerability

Attacks failed; however, the Department of Education is alerting colleges about ongoing exploitation attempts.

college university

Update on August 7: On August 6, the Department of Education issued an update to a previous security alert (from July 17) and walked back claims that hackers were exploiting a vulnerability in the Ellucian Banner ERP to target university networks. Readers should be aware that as a result of this update, the information in the article below is now outdated.

TL,DR: Some US universities are running outdated versions of Ellucian Banner. The Department of Education thought hackers were trying to exploit these oudated versions and sent out a security alert, but a more in-depth investigation revealed they were not, and now corrected the original alert.

Original article below.


Hackers have targeted the systems of 62 colleges and universities by exploiting a vulnerability in an enterprise resource planning (ERP) web app, the US Department of Education said in a security alert sent out this week.

The Department of Education told ZDNet that attacks on the 62 colleges failed. However, the department is sending out an alert to warn other potential victims.

The vulnerability hackers exploited is in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP that lets universities customize their front-facing web applications. The vulnerability also impacts Ellucian Banner Enterprise Identity Services, a module for managing user accounts.

Earlier this year, a security researcher named Joshua Mulliken discovered a vulnerability in the authentication mechanism used by the two modules that can allow remote attackers to hijack victims' web sessions and gain access to their accounts.

Ellucian fixed the vulnerability in May, and a public disclosure was published, by both the researcher and NIST (see CVE-2019-8978).

Vulnerability exploited in the wild

But in a security alert published on Wednesday, the Department of Education said hackers have started actively exploiting this vulnerability.

"The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability," officials said.

"We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation."

Fake accounts used for "criminal activity"

In addition, besides attempts to exploit the Elucian Banner bugs, attackers also "leverage[d] scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts."

One victim reported that the attackers created thousands of fake accounts over days, with around 600 accounts created during a 24-hour period.

Officials said the accounts were used "almost immediately for criminal activity," but did not provide any details about the nature of the activity.

Since the Ellucian Banner Web Tailor system is connected to the rest of the ERP, department officials said they were concerned that hackers might gain access to students' financial aid data, if any of the attacks were to be successful.

Officials are now urging colleges and universities which use versions of the ERP modules that are vulnerable to apply patches.

Ellucian is also advising the same thing, in a second security alert the company sent out this week, after sending a first one in May. The company also shared additional details about some of the automated attacks.

"Attackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals," Ellucian added. "Ellucian recommends adding reCAPTCHA capabilities to the admission process to reduce the likelihood of experiencing fraudulent applications for admissions, even if institutions are not currently experiencing this issue."

Article updated on July 21, 4am ET with comments from Ellucian.

Article updated on July 23 with additional information from the Department of Education clarifying that the security alert is about exploitation attempts and not successful breaches. Article title and some sentences have been updated accordingly.

More data breach coverage: