62 Universities Hacked Through Vulnerability in Web App
Hackers were able to create thousands of fake accounts that were used ‘almost immediately for criminal activity,’ officials said.
Hackers were able to breach 62 college and university systems by preying on a vulnerability found in an enterprise resource planning (ERP) web app.
The U.S. Department of Education sent out a security alert last week, reports ZDNET.
“The Department has identified 62 colleges or universities that have been affected by the exploitation of this vulnerability,” officials said.
Hackers discovered vulnerabilities in Banner Web Tailor and Banner Enterprise Identity Services, two products by Ellucian, a software company for higher education management.
“We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation,” the Department said.
Joshua Mulliken, a security researcher, found that the authentication mechanism used by the two modules can allow attackers to hijack victims’ web sessions and gain access to their accounts.
According to the Department of Education, hackers would break into university systems and “leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.”
One victim reported the attackers created thousands of fake accounts over several days.
The accounts were used “almost immediately for criminal activity,” officials said, and they were concerned that hackers could gain access to students’ financial aid information.
Department officials recommend that colleges and universities running these ERP modules apply the patches.
While Ellucian agrees that the patches should be applied, the company said in a statement that the attacks are not related to its ERP.
“The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products,” the statement said. “Ellucian recommends adding reCAPTCHA capabilities to the admission process to reduce the likelihood of experiencing fraudulent applications for admissions, even if institutions are not currently experiencing this issue.”
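The alert describes scripted bulk account creation in the admissions section, and Ellucian’s statement recommends reCAPTCHA as a mitigation. The following is an added example written for this article, not code from the Department of Education, Ellucian or the Banner product: a small detection script that parses constructed web-server-style log lines and flags any client that completes far more account creations in a short sliding window than a genuine applicant would. The endpoint path `/admissions/createAccount`, the log format and the client addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Burst detection for self-service account creation (added example).

This is defender-side code written for this article; it is not Ellucian's
code and does not reproduce the exploit. It scans access-log lines for an
assumed account-creation endpoint and reports clients whose creation rate
looks scripted rather than human.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed endpoint for self-service account creation (not a real Banner path).
CREATE_ACCOUNT_PATH = "/admissions/createAccount"


def build_sample_log():
    """Construct sample access-log lines (not real traffic).

    One genuine applicant at 198.51.100.7 creates a single account; a scripted
    client at 203.0.113.10 submits a new account every five seconds.
    """
    lines = ["2019-07-15T08:55:12 198.51.100.7 POST /admissions/createAccount 200"]
    start = datetime(2019, 7, 15, 9, 0, 0)
    for i in range(40):
        ts = (start + timedelta(seconds=5 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 203.0.113.10 POST {CREATE_ACCOUNT_PATH} 200")
    # Unrelated request that must not count as an account creation.
    lines.append("2019-07-15T09:10:00 198.51.100.7 GET /admissions/status 200")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def find_bursts(lines, threshold=10, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for clients that exceed `threshold` successful
    account creations within any `window`-long sliding window.

    Only successful POSTs to the creation endpoint are counted; everything
    else (status pages, failed submissions) is ignored.
    """
    events = sorted(parse_line(line) for line in lines)  # chronological order
    recent = defaultdict(deque)  # per-client timestamps inside the window
    peak = {}
    for ts, ip, method, path, status in events:
        if method != "POST" or path != CREATE_ACCOUNT_PATH or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, count in find_bursts(build_sample_log()).items():
        print(f"{ip}: {count} account creations inside one 10-minute window")
```

A rate check like this is a complement to reCAPTCHA rather than a substitute: the CAPTCHA raises the cost of each scripted submission, while the burst detector surfaces the clients that still get through so that their accounts can be reviewed before they are used.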
According to its website, over 1,400 colleges and universities use the Ellucian Banner ERP.