Hackers Managed to Breach 62 US Colleges and Universities via ERP Vulnerability

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer
image source: ellucian.com

A per the recent report by ZDNet, the US Department of Education has circulated a security alert across 62 colleges and universities in the country that has been breached by hackers. In all cases, the attackers exploited a vulnerability in the Ellucian Banner ERP (Enterprise Resource Planning), and more specifically, a flaw in a user account management module. As a software tool, Ellucian is focused on the education market, so it is widely used in the field, with more than 1,400 educational institutes deploying it at some level.

The particular vulnerability that was exploited was known for almost two months now and was disclosed together with the release of its fixing patch. Carrying the identifier “CVE-2019-8978”, the vulnerability involves a race condition on the Ellucian Banner Web Tailor and the Banner Enterprise Identity Services, in conjunction with the SSO Manager. Even though the problem had been fixed for quite some time now, attackers still found systems that weren’t updated, and so they managed to break in. More specifically, the Department of Education states that they have monitored scanning activities that were meant to pinpoint the vulnerable targets by checking what modules are in use and what their version is.

Once the hackers established their presence in the compromised systems, they created thousands of fake accounts over a short period of just a couple of days. In the first 24 hours alone, they created 600 accounts. By then, they used these newly created accounts to dive into criminal activity almost immediately, but what this activity exactly entails was not clarified by the officials. Since many colleges and universities store the financial details of their students in their ERP systems, there is a great concern that the attackers may have stolen sensitive financial aid information.

All that said, Ellucian believes that the breaches are not a result of the aforementioned flaw, but a vulnerability that underpins a wide range of ERP products and online platforms in general. Ellucian thinks that the attackers are submitting fraudulent admission applications via the associated portals, and automate this process by using bots. This explains a large number of accounts created in such short periods of time. Ellucian recommends the addition of reCAPTCHA systems to the institutions’ Web portals that will help filter out the bots.

Update on August 12: On August 6, the Department of Education (Department) issued an update to its previous security alert (from July 17). To date, the Department has not found any instances where the known Banner vulnerability has been exploited or where it is related to the issues described in the original alert. Additionally, Ellucian has conducted its own research and monitoring that has produced no evidence of any attempt to attack the Banner vulnerability.

Have you received a warning that is relevant to the above story? Share the details with us via the comments beneath, or on our social media portals, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: