[Hunting Cloud Network (WeChat ID: Ilieyun)] reported on July 21 (compiled by AlphaMk)
Hackers are attacking university networks and immediately creating fake accounts for "criminal activities".
The US Department of Education said in a security alert this week that hackers exploited a vulnerability in an enterprise resource planning (ERP) web application to attack systems at 62 universities.
The vulnerability exists in a module of Ellucian Banner ERP, Ellucian Banner Web Tailor, which allows universities to customize their front-end web applications. The vulnerability also affects the Ellucian Banner Enterprise Identity Services module, which is used to manage user accounts.
Earlier this year, a security researcher named Joshua Mulliken discovered a vulnerability in the authentication mechanism used by the two modules. It allows a remote attacker to hijack a victim's web session and gain access to their account.
Ellucian fixed the vulnerability in May, and both the researcher and NIST have published public disclosures (see CVE-2019-8978).
But in a security alert released on Wednesday, the Department of Education said that hackers have begun to exploit this vulnerability.
Officials said: “The Department of Education has identified 62 colleges or universities affected by this vulnerability.”
“The information we have recently received indicates that criminals have been actively scanning the Internet and are waiting to use this vulnerability to develop a list of targeted college targets and prepare to attack these potential schools.”
According to the Department of Education, victims of the attack reported that after compromising their systems, the hackers “created multiple student accounts using scripts in the enrollment or registration section of the affected Banner system”.
One victim reported that hackers created thousands of fake accounts in a matter of days, with about 600 accounts created within 24 hours.
Officials stated that these accounts were “almost immediately used for criminal activities” but did not provide any details about the nature of these activities.
Since the Ellucian Banner Web Tailor system is connected to the rest of the ERP, department officials said they are concerned that hackers may gain access to students' financial aid data.
Department of Education officials are now urging schools that use the affected versions of the ERP modules to download the patches.
The same measure was also recommended in the security alert issued by Ellucian. However, the company denied that the creation of fraudulent accounts and the recent attacks were related to the ERP flaw.
“Although hackers are said to be able to use the above vulnerabilities to create accounts, Ellucian believes this is not true,” Ellucian said. “Do not consider the issue described in the alert to be related to the previously patched Ellucian Banner System vulnerability, and this issue is not limited to schools that use Ellucian products.”
Ellucian added: “The hacker is using an automated process to submit a fraudulent admission application and obtain an institutional email address through the admissions portal. Ellucian recommends adding reCAPTCHA functionality during the application process to reduce the likelihood of fraudulent admissions, even if the school has not encountered this problem.”
In other words, Ellucian believes that the Department of Education is conflating the ERP vulnerability with a separate, unrelated set of attacks.
According to Ellucian's official website, its Banner ERP is used by more than 1,400 universities, colleges and other institutions.
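The burst one victim reported (about 600 accounts within 24 hours) is the kind of pattern a sliding-window count over application or registration records can surface, whichever of the two explanations above applies. The following is an added example, not code from the alert, Ellucian or the original article; the record layout, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_bursts(events, window=timedelta(hours=24), per_source=20, overall=200):
    """Flag bursts of account creation.

    events: iterable of (datetime, source) pairs, one per created account or
    submitted application. 'source' is whatever the portal records (client
    address, session, device fingerprint); the layout is an assumption.
    Returns (flagged, alerts): flagged maps each source to the time it first
    exceeded per_source creations inside the window; alerts lists times the
    total across all sources exceeded 'overall' (at most one per window).
    """
    by_source = defaultdict(deque)
    everything = deque()
    flagged, alerts = {}, []
    for ts, source in sorted(events):
        for queue in (by_source[source], everything):
            queue.append(ts)
            # Drop entries that have aged out of the sliding window.
            while queue[0] <= ts - window:
                queue.popleft()
        if len(by_source[source]) > per_source:
            flagged.setdefault(source, ts)
        # The overall count still catches scripts that rotate their source.
        if len(everything) > overall and not (alerts and ts - alerts[-1] < window):
            alerts.append(ts)
    return flagged, alerts


def constructed_sample():
    """Constructed data: 30 ordinary applicants plus one scripted source
    submitting 600 applications in 24 hours (documentation address ranges)."""
    start = datetime(2019, 7, 1)
    events = [(start + timedelta(minutes=48 * i), f"198.51.100.{i + 1}")
              for i in range(30)]
    events += [(start + timedelta(seconds=144 * i), "203.0.113.7")
               for i in range(600)]
    return events


if __name__ == "__main__":
    flagged, alerts = find_bursts(constructed_sample())
    for source, first_seen in flagged.items():
        print(f"{source} exceeded the per-source threshold at {first_seen}")
    print(f"overall-volume alerts: {len(alerts)}")
```

The thresholds need tuning against an institution's normal application volume, which peaks around admission deadlines.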