TECHNOLOGY SECURITY ALERT – Exploitation of Ellucian Banner System Vulnerability – IFAP

The U.S. Department of Education (Department) has obtained information regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner (Banner) system. The vulnerability affects only Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.

According to National Institute of Standards and Technology (NIST) advisory CVE-2019-8978, attackers can leverage a known vulnerability in these versions of these applications to log in to the Banner system with an institutional account. Access to operational areas and functions within the system would depend upon the administrative privileges granted to the affected account, but this information does not appear to be specifically detailed in the NIST advisory.

The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.

Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts. It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days, resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.
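One way to look for the account-creation bursts described above in an export of admissions events, as an added example that is not part of the Department's alert or of Ellucian's software. The `timestamp,account_id` line format, the function names, the threshold, and the sample data are all assumptions constructed for illustration; the threshold should be set from an institution's own baseline.

```python
from collections import deque
from datetime import datetime, timedelta

def parse_events(lines):
    """Parse 'ISO-timestamp,account_id' lines (hypothetical export format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account_id = line.split(",", 1)
        events.append((datetime.fromisoformat(ts), account_id.strip()))
    return sorted(events)

def find_creation_bursts(events, threshold, window=timedelta(hours=24)):
    """Return [(window_start, end, peak)] for every span in which more than
    `threshold` accounts were created inside a rolling `window`.
    Overlapping spans are merged so one campaign yields one alert."""
    recent = deque()   # creation times still inside the rolling window
    bursts = []
    for ts, _ in events:
        recent.append(ts)
        while ts - recent[0] >= window:
            recent.popleft()
        if len(recent) > threshold:
            if bursts and recent[0] <= bursts[-1][1]:
                start, _, peak = bursts[-1]
                bursts[-1] = (start, ts, max(peak, len(recent)))
            else:
                bursts.append((recent[0], ts, len(recent)))
    return bursts

def constructed_sample():
    """Constructed data: 3 quiet days (2 accounts/day), then 40 in 2 hours."""
    base = datetime(2024, 1, 1, 9, 0)
    lines = [f"{(base + timedelta(days=d, hours=h)).isoformat()},A{d}{h}"
             for d in range(3) for h in (0, 5)]
    burst = datetime(2024, 1, 4, 2, 0)
    lines += [f"{(burst + timedelta(minutes=3 * i)).isoformat()},B{i:03d}"
              for i in range(40)]
    return lines

if __name__ == "__main__":
    for start, end, peak in find_creation_bursts(
            parse_events(constructed_sample()), threshold=10):
        print(f"burst: window from {start} to {end}, peak {peak} accounts/24h")
```

Accounts created inside a flagged span are the ones to review first, since the alert notes that some fraudulent accounts were used almost immediately.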
