The US Department of Education released a security alert for vulnerabilities in an enterprise resource planning (ERP) web application and advised affected institutions to patch immediately. The alert followed reports that 62 higher education institutions were infiltrated through the admissions sections of their websites, where attackers hijacked students’ IDs to create fraudulent accounts. The flaws in the Ellucian Banner Web Tailor module and the Ellucian Banner Enterprise Identity Services module (tracked together as CVE-2019-8978) were disclosed and patched by the company in May, but a number of colleges and universities are likely still running unpatched versions of the software. Ellucian is reportedly working with the department to investigate the attacks.
Security researcher Joshua Mulliken disclosed the vulnerability (CWE-287, improper authentication) in the authentication mechanisms of both modules, which can be triggered during an active student session. By exploiting a race condition between the module and the single sign-on (SSO) flow, an attacker could take over the student’s session and institutional ID: the legitimate student was locked out, amounting to a denial of service (DoS), while the attacker obtained an authenticated session that could be used to create a fake account.
According to the department’s advisory, at least 600 fraudulent accounts were created within 24 hours, and the activity continued for several days. The department also cautioned that the fake accounts were put to criminal use almost immediately, but gave no further details on those activities.
The alert noted that organizations using the system might have insufficient safeguards separating the ERP functions that handle students’ financial aid data from the rest of the system, and recommended that breached institutions take appropriate security measures to prevent further unauthorized access. Although the company released the patches at the same time the technical details of the flaws were published, the timeline in the disclosure shows that only one university had applied the patches before the announcement.
Cybercriminals will keep exploiting n-day vulnerabilities (flaws that are already public and already patched by the vendor) because patching every system, network device and operational software tool across an organization is difficult and slow. Here are a few best practices to secure systems from such exploits:
Establish a patch management policy covering all hardware and software used in the organization, so that vendor fixes are applied soon after they are released.
Enable multi-factor authentication on websites and servers, especially where user data is stored and managed.
For legacy systems that cannot be patched promptly, apply virtual patches (intrusion prevention or web application firewall rules) released by security vendors to block exploitation attempts until the real fix is installed.
IT and security teams should monitor websites, applications and network activity for suspicious spikes, such as bursts of account creations or logins, that may indicate data exfiltration, unauthorized access or remote command execution.
Users who suspect their credentials were used for malicious activities should monitor their accounts for unauthorized transactions and report any fraudulent activity to the offices and/or companies concerned immediately.
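The monitoring recommendation above is the one that would have surfaced this incident earliest: 600 account creations in 24 hours is a volume spike, and a single source registering many accounts is a per-source spike. The script below is an added example written for this page, not code from the Department of Education alert or from Ellucian. It counts successful signup POSTs in web-server access logs per hour and per (hour, source IP) and flags both kinds of spike. The log format (combined-log style), the signup endpoint path `/admissions/account/create`, the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Spike detection for account-creation requests in web-server access logs.

Added example (not code from the Department of Education alert or from
Ellucian). The log format, the signup endpoint path and the thresholds are
assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed endpoint behind the admissions "create account" form (hypothetical path).
SIGNUP_PATH = "/admissions/account/create"

# Combined-log-style line: ip ident user [ts] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: a quiet morning, one failed signup, one malformed
# line, then a burst at 10:00 dominated by a single source address.
SAMPLE_LOG = """\
198.51.100.10 - - [17/Jul/2019:08:02:11 +0000] "GET /admissions/ HTTP/1.1" 200 5120
198.51.100.10 - - [17/Jul/2019:08:03:40 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
198.51.100.23 - - [17/Jul/2019:08:41:05 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
198.51.100.44 - - [17/Jul/2019:09:15:29 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
198.51.100.44 - - [17/Jul/2019:09:16:02 +0000] "POST /admissions/account/create HTTP/1.1" 400 812
this line is not an access-log record
203.0.113.7 - - [17/Jul/2019:10:00:01 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
203.0.113.7 - - [17/Jul/2019:10:00:03 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
203.0.113.7 - - [17/Jul/2019:10:00:05 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
203.0.113.7 - - [17/Jul/2019:10:00:07 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
203.0.113.7 - - [17/Jul/2019:10:00:09 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
198.51.100.61 - - [17/Jul/2019:10:12:44 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
198.51.100.78 - - [17/Jul/2019:10:30:18 +0000] "POST /admissions/account/create HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for a well-formed access-log line, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def hour_bucket(ts):
    """Key used to group events into one-hour buckets."""
    return ts.strftime("%Y-%m-%dT%H")


def count_signups(lines):
    """Count successful signup POSTs per hour and per (hour, source IP).

    A signup is a POST to SIGNUP_PATH that did not fail (status < 400);
    malformed lines and every other request are ignored.
    """
    per_hour = Counter()
    per_hour_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] != SIGNUP_PATH or rec["status"] >= 400:
            continue
        bucket = hour_bucket(rec["ts"])
        per_hour[bucket] += 1
        per_hour_ip[bucket][rec["ip"]] += 1
    return per_hour, per_hour_ip


def detect_spikes(lines, max_per_hour=5, max_per_ip=3):
    """Flag hours whose signup volume, or a single source's share of it, exceeds the thresholds.

    Thresholds are illustrative; in practice derive them from the site's own
    baseline (e.g. a multiple of the median hourly count over prior weeks).
    """
    per_hour, per_hour_ip = count_signups(lines)
    findings = []
    for bucket in sorted(per_hour):
        if per_hour[bucket] > max_per_hour:
            findings.append({"kind": "volume", "hour": bucket, "count": per_hour[bucket]})
        for ip, n in per_hour_ip[bucket].most_common():
            if n > max_per_ip:
                findings.append({"kind": "source", "hour": bucket, "ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    for finding in detect_spikes(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample log this reports a volume spike of 7 signups in the 10:00 hour and a per-source spike of 5 from 203.0.113.7; the failed (HTTP 400) signup and the malformed line are ignored. Pointing the same counters at authentication logs (logins per student ID per hour) would catch the session-hijack side of the incident, where one ID suddenly authenticates from a new source while the real student is locked out.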