The office of Information for Financial Aid Professionals announced on July 17, 2019, that the Department of Education (Department) was tracking an “active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner (Banner) system.” Banner is the backbone of information services at many colleges and universities. The company claims that “Ellucian works with more than 2,500 institutions in more than 50 countries … for over 20 million students.”
According to the advisory, Banner’s vulnerability relates to Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4. Approximately 700 customers have upgraded to Banner version 9, suggesting the size of the Banner 8 population could be very significant.
The advisory explains that exploitation of this known vulnerability, which some colleges have left unpatched, has resulted in thousands of fake student accounts, access to financial aid, and use of these accounts to commit other criminal activity:
The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.
Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts. It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days, resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.
According to the National Institute of Standards and Technology (NIST) entry for CVE-2019-8978, attackers can leverage a known vulnerability in these versions of the two applications to log in to the Banner system with an institutional account.
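The observable the advisory describes is a burst of scripted account creation from a single source. The following is an added detection example (not from the advisory, the Department, or Ellucian) that flags any source address reaching a threshold of account creations inside a sliding time window; the log line layout and field names are constructed for illustration and are not Banner's actual log format.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp EVENT key=value" layout.
# One source creates six accounts in under 15 seconds; another creates two, hours apart.
SAMPLE_LOG = """\
2019-07-16T02:00:01Z ACCOUNT_CREATE src=203.0.113.7 user=app00001
2019-07-16T02:00:03Z ACCOUNT_CREATE src=203.0.113.7 user=app00002
2019-07-16T02:00:04Z LOGIN src=198.51.100.4 user=staff01
2019-07-16T02:00:06Z ACCOUNT_CREATE src=203.0.113.7 user=app00003
2019-07-16T02:00:09Z ACCOUNT_CREATE src=203.0.113.7 user=app00004
2019-07-16T02:00:11Z ACCOUNT_CREATE src=203.0.113.7 user=app00005
2019-07-16T02:00:14Z ACCOUNT_CREATE src=203.0.113.7 user=app00006
2019-07-16T03:15:00Z ACCOUNT_CREATE src=198.51.100.4 user=jsmith
2019-07-16T05:40:22Z ACCOUNT_CREATE src=198.51.100.4 user=mlee
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, event, {key: value})."""
    ts_str, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), event, fields

def find_creation_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one (src, count, window_start) alert per source whose ACCOUNT_CREATE
    events reach `threshold` within any `window`-long span. Lines must be in time order."""
    recent = {}        # src -> deque of creation timestamps still inside the window
    alerted = set()    # sources already reported, so each burst is raised once
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        if event != "ACCOUNT_CREATE":
            continue
        src = fields.get("src", "unknown")
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop creations older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(q), q[0]))
    return alerts

if __name__ == "__main__":
    for src, count, start in find_creation_bursts(SAMPLE_LOG.splitlines()):
        print(f"burst: {count} account creations from {src} starting {start:%Y-%m-%dT%H:%M:%SZ}")
```

The threshold and window are tuning knobs: a legitimate enrollment period produces many creations from many sources, whereas the scripted activity the advisory describes concentrates them in one source.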
This institutional breach is a clear reminder of why financial constraints or a lack of rigorous oversight at educational institutions can result in significant vulnerability for those schools.