At least 62 colleges were affected by a software vulnerability in a program called Banner, operated by Ellucian, that allows threat actors to infiltrate colleges’ private records.
The vulnerability, CVE-2019-8978, was reported in May 2019 and allows an attacker to log in to the Banner system with an institutional account and leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.
The flaw is caused by an improper authentication vulnerability which allows remote attackers to steal a victim’s session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim’s UDCID.
Federal Student Aid warned that the bug can be exploited through a race condition that occurs and is being actively exploited in Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4., according to a July 17 Department of Education press release.
In addition, criminals are actively crawling the web scanning for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.
“It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts,” the release said. “Some of these accounts appear to be leveraged almost immediately for criminal activity.”
Plixer Vice President of Strategic Relationships Bob Noel, for told SC Media IT and Security teams at higher education institutions are faced with a unique challenge.
“Unlike enterprises that can implement restrictive security policies and lock down access, colleges and universities provide open learning environments for students,” Noel said. “When bad actors are able to gain a foothold, there is greater potential for them to do harm.”
He added that it is essential that these higher education institutions implement network traffic analysis to look at every digital transaction, monitor user behavior for anomalous activity, and deliver accountability.”