On July 17, the U.S. Department of Education’s Office of Federal Student Aid (FSA) issued an Electronic Announcement regarding what it deemed an “active and ongoing exploitation” of a known potential vulnerability in some versions of Ellucian’s Banner software. According to FSA’s “Technology Security Alert,” the vulnerability affects Ellucian Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4. Pointing to an advisory bulletin by the National Institute of Standards and Technology (NIST), FSA reported that hackers may be able to breach the system through an institutional account and could then potentially use that access to set up “thousands of fake student accounts”. The Department says that 62 colleges or universities have been identified which may be affected. Federal Student Aid’s Cyber Incident Team is working with institutions to identify whether systems were impacted and to facilitate the necessary fixes. FSA asked institutions using Ellucian Banner to do the following:
- review the vulnerability details as provided in NIST advisory CVE-2019-8978;
- contact Ellucian to receive information needed to patch or upgrade affected systems; and
- respond immediately to the Department via email to both FSASchoolCyberSafety@ed.gov and CPSSAIG@ed.gov, including the following information in the email:
  - Institution’s Name
  - Information Technology (IT) Contact at Institution (Name, Email Address, Phone Number)
Ellucian has since pushed back on ED’s characterization of the nature of the breach and its impact, stating that Banner’s potential software vulnerabilities, which were brought to light by both Ellucian and the National Institute of Standards and Technology in May, are unrelated to some of the other cybersecurity concerns outlined by ED. Ellucian said neither it nor ED has reason to suspect that a breach occurred as a result of the Banner software vulnerability. Schools using the impacted software should implement the system patch issued by Ellucian in May, if they have not already done so.
This is the second summer in a row that ED has released a Technology Security Alert. In August of 2018, FSA released a warning about a malicious phishing campaign aimed at student email accounts. Officials cautioned that cybercriminals could change student account information, including direct deposit banking information, which could be used to funnel student refunds and aid distributions into accounts controlled by the attackers. FSA offered this guidance to institutions:
How to protect IHEs: FSA strongly encourages IHEs to strengthen their cybersecurity posture through the use of two-factor or multi-factor authentication processes. These types of authentication rely on a combination of factors, for example, username and password combined with a PIN or security questions or access through a secure, designated device.
- Name of the institution
- Date the incident occurred (if known)
- Date the incident was discovered
- Copy of the phishing email (if available)
- Extent of the impact (number of students)
- Remediation status (what has been done since discovery)
- Institution point of contact
Suggested remediation steps if an institution falls victim to the attack:
- Temporarily freeze refund requests until the scope of the incident can be known. Note, refunds must still be provided within regulatory guidelines which may require a change in how impacted IHEs issue refunds, e.g. issue paper checks.
- Temporarily disable changes to direct deposits for refunds.
- Block IP addresses observed in institution logs related to the attack.
- Disable campus credentials or passwords for potentially affected students and require password resets.
- Perform additional forensic analysis on server and application logs from recent weeks.
- Notify all students, warning them of active phishing attempts and encourage them to be vigilant and careful about using links and entering personally identifiable information into websites.
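The forensic step above (review recent application logs, then block the attacker’s IPs and reset affected credentials) is the part that lends itself to automation. The following is an added example, not code from FSA, ED or Ellucian: it parses constructed audit-log lines in an assumed format and flags direct-deposit changes that come from an IP address the student never logged in from before the suspected phishing window, or from an IP that changed deposit details on more than one account.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not from the page). Assumed line format:
# <ISO timestamp> <event> student=<id> ip=<address>
SAMPLE_LOG = """\
2018-07-30T09:12:01 LOGIN student=S1001 ip=203.0.113.10
2018-07-30T09:14:22 LOGIN student=S1002 ip=198.51.100.7
2018-08-01T02:03:44 LOGIN student=S1001 ip=192.0.2.55
2018-08-01T02:04:10 DD_CHANGE student=S1001 ip=192.0.2.55
2018-08-01T02:06:31 LOGIN student=S1003 ip=192.0.2.55
2018-08-01T02:07:02 DD_CHANGE student=S1003 ip=192.0.2.55
2018-08-02T10:00:00 DD_CHANGE student=S1002 ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) student=(\S+) ip=(\S+)$")


def parse(log_text):
    """Return a list of (timestamp, event, student, ip) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def flag_suspicious_dd_changes(events, baseline_before):
    """Return (accounts_to_reset, ips_to_block), both sorted lists.

    A direct-deposit change is suspicious when its source IP was never used by
    that account to log in before `baseline_before` (an ISO timestamp, so plain
    string comparison orders correctly), or when the same IP changed deposit
    details on more than one account (a sign of bulk refund redirection)."""
    known_ips = defaultdict(set)      # student -> IPs seen in pre-incident logins
    changes_by_ip = defaultdict(set)  # ip -> students whose deposit info it changed
    for ts, event, student, ip in events:
        if event == "LOGIN" and ts < baseline_before:
            known_ips[student].add(ip)
        elif event == "DD_CHANGE":
            changes_by_ip[ip].add(student)
    accounts, ips = set(), set()
    for ts, event, student, ip in events:
        if event != "DD_CHANGE":
            continue
        if ip not in known_ips[student] or len(changes_by_ip[ip]) > 1:
            accounts.add(student)
            ips.add(ip)
    return sorted(accounts), sorted(ips)


if __name__ == "__main__":
    reset, block = flag_suspicious_dd_changes(parse(SAMPLE_LOG), "2018-08-01")
    print("reset credentials for:", reset)
    print("block at the perimeter:", block)
```

The baseline date marks the start of the suspected phishing window; logins before it establish each account’s normal source addresses, so a legitimate change from a known address (S1002 above) is left alone.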
UPDATED – On Tuesday August 6, the Department of Education released an updated Technology Security Alert regarding the vulnerability in Banner Web Tailor and Banner Enterprise Identity Services.
The Department dialed back its claims that Banner products were affected and instead pointed to vulnerabilities in “third-party software” being used as “front-end access points to the Ellucian Banner System and similar administrative tools”. The Department also confirmed what Ellucian has been saying all along – “To date, based on reports from targeted institutions, we have not found any instances where the Ellucian Banner System vulnerability has been exploited or is related to the issues described in the original alert.”
In an emailed statement, Ali Robinson, an Ellucian spokesperson, said:
“Research by the Department has found:
- no instances where the known Banner vulnerability has been exploited or where it is related to the issues described in the original alert.
- an industry-wide issue in which attackers use automation tools to submit fraudulent admission applications in order to obtain new student accounts.
Additionally, I should note that Ellucian has conducted its own research and monitoring that has produced no evidence of any attempt to attack the known Banner vulnerability.”
The Department is advising institutions to review any third-party front-end applications to ensure that they are not introducing unpatched vulnerabilities, or increasing the risk of potential future issues through automation attacks. The Department recommends that institutions implement human validation checks as part of their front-end portal submission process.