What kind of malicious actions can cybercriminals perform once they get access to PeopleSoft through one vulnerability or another? The well-known CIA triad (Confidentiality, Integrity, and Availability) is the usual frame for managing cybersecurity. For ERP systems these three properties map onto the three main business risks: Espionage (loss of confidentiality), Sabotage (loss of integrity or availability), and Fraud (abuse of legitimate business transactions).
PeopleSoft Campus Solutions is a comprehensive suite for universities. The application consists of a number of functional modules:
- Academic Advisement
- Campus Community
- Recruiting and Admissions
- Contributor Relations
- Financial Aid
- Student Financials
- Student Records
Each of these modules holds data or business controls that are valuable to an attacker.
A perpetrator can exploit a vulnerability, e.g. the PeopleSoft Jolt vulnerability in Oracle Tuxedo, and obtain full access to the PeopleSoft system. What can be done next? We will walk through PeopleSoft Campus Solutions along the Espionage, Sabotage, and Fraud triad to find out.
Let's look at the potential attack vectors together with some concrete examples.
Espionage: what exactly can an attacker obtain?
- Financial information (e.g. Financial reports, Financial Aid, Student Financial details, student budgets)
- Contributor Relations data (e.g. strategic and cultivation activity plans, Contributor Relations Reports)
- Student data (e.g. contacts, personal records, credit cards, and other sensitive info)
- Information about recruiters (e.g. their role, the types of students they work with, the regions they serve)
Examples of espionage
Let's see some examples of what a malicious person can read in PeopleSoft Campus Solutions:
- Student Budget Summary page (Definition Name STDNT_BUDGET_SUMM; navigation: Financial Aid > Budgets > View Student Budget Summary > Student Budget Summary).
- Award Activity page (Definition Name STDNT_AWRD_ACTV; navigation: Financial Aid > Awards > View Award Activity > Award Activity).
- A student's originated loans for a selected aid year on the Origination Student Summary page (Definition Name LOAN_ORIG_SUMM; navigation: Financial Aid > Loans > View Originated Loans > Origination Student Summary).
Sabotage: an attack can focus on several categories of targets:
- Academic requirements (e.g. increase or decrease the requirements)
- Process (e.g. significant reduction of service and deliverability)
- Students (e.g. mass admission of applicants, or delays in disbursing awards)
- Finances (e.g. tampering with financial reports, manipulation of credit and financial aid limits)
- Reputation (e.g. defacing official websites, disrupting the technical support service, causing violations of the university's compliance obligations towards students)
- Data (e.g. destruction or encryption of critical data about students, applicants, education strategy etc.)
Examples of sabotage
An attacker can change academic requirements using the Pages to Set Up Academic Requirements in the Define Academic Requirements component (Definition Name ACADEMIC_REQUIREMENTS). As a result, none of the students can satisfy the requirements needed to graduate or, conversely, everyone can graduate.
Fraud covers:
- Financial aid fraud (e.g. falsification of financial aid data so that aid is disbursed where it is not due)
- Grade fraud (e.g. change student grades)
- Recruiting and Admissions fraud (e.g. admitting an applicant as a student without meeting the criteria)
- Student financial fraud (e.g. reduction of tuition fees)
- Financial report manipulation (e.g. tampering with tuition prices)
Examples of fraud
Let's look at a specific example in more detail.
Suppose a student wants to save money and is hoping for a grant to pay tuition. The Financial Aid module can be abused for exactly this. A perpetrator obtains credentials that carry administrative roles, logs in, and disburses financial aid to himself or herself manually. The Disburse Aid page (Definition Name STDNT_DISB_PROCESS) or the Disburse Aid with Override page (Definition Name STDNT_DISB_PROC_WO) can be used for this; the override variant is the more dangerous one because it bypasses the checks that normally block a disbursement.
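The practical control against this fraud scenario is knowing exactly which user accounts can reach the two disbursement pages with update rights, and reviewing that list regularly. The following is an added example written for this article by the editor, not code from the original post or from Oracle. It assumes PeopleSoft's standard security chain, page -> permission list (PSAUTHITEM.CLASSID) -> role (PSROLECLASS) -> user (PSROLEUSER), with account state in PSOPRDEFN.ACCTLOCK; the table and column names are the editor's recollection of the PeopleTools security tables and should be verified against your release. The rows below are constructed sample data so the check runs offline in SQLite; against a real environment the same SQL is run on the PeopleSoft database (typically under the SYSADM schema).

```python
import sqlite3

# The two pages named in the fraud example above.
DISBURSE_PAGES = ("STDNT_DISB_PROCESS", "STDNT_DISB_PROC_WO")

# Assumption (editor's, verify against your PeopleTools release):
#   PSAUTHITEM   page-level grants per permission list (CLASSID);
#                DISPLAYONLY = 1 means read-only access to the page
#   PSROLECLASS  permission lists attached to each role
#   PSROLEUSER   roles granted to each user (ROLEUSER = OPRID)
#   PSOPRDEFN    user definitions; ACCTLOCK = 1 means the account is locked
ACCESS_SQL = """
SELECT DISTINCT ru.ROLEUSER, ai.PNLITEMNAME
FROM PSAUTHITEM ai
JOIN PSROLECLASS rc ON rc.CLASSID   = ai.CLASSID
JOIN PSROLEUSER  ru ON ru.ROLENAME  = rc.ROLENAME
JOIN PSOPRDEFN   op ON op.OPRID     = ru.ROLEUSER
WHERE ai.PNLITEMNAME IN (?, ?)
  AND ai.DISPLAYONLY = 0      -- update access only; viewers cannot disburse
  AND op.ACCTLOCK = 0         -- a locked account cannot log in anyway
"""


def build_sample_db():
    """Constructed sample data (not a real PeopleSoft export)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PSAUTHITEM  (CLASSID TEXT, MENUNAME TEXT,
                                  PNLITEMNAME TEXT, DISPLAYONLY INTEGER);
        CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
        CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT);
        CREATE TABLE PSOPRDEFN   (OPRID TEXT, ACCTLOCK INTEGER);
    """)
    con.executemany("INSERT INTO PSAUTHITEM VALUES (?,?,?,?)", [
        ("FA_DISB_ADMIN", "DISBURSE_AID", "STDNT_DISB_PROCESS", 0),
        ("FA_DISB_ADMIN", "DISBURSE_AID", "STDNT_DISB_PROC_WO", 0),
        ("FA_VIEW",       "DISBURSE_AID", "STDNT_DISB_PROCESS", 1),  # read-only
        ("FA_VIEW",       "VIEW_AWARDS",  "STDNT_AWRD_ACTV",    1),
    ])
    con.executemany("INSERT INTO PSROLECLASS VALUES (?,?)", [
        ("FA_ADMINISTRATOR", "FA_DISB_ADMIN"),
        ("FA_COUNSELOR",     "FA_VIEW"),
        ("PS_SUPERUSER",     "FA_DISB_ADMIN"),   # generic admin role, constructed
    ])
    con.executemany("INSERT INTO PSROLEUSER VALUES (?,?)", [
        ("fa_admin1",  "FA_ADMINISTRATOR"),
        ("counselor1", "FA_COUNSELOR"),
        ("old_intern", "FA_ADMINISTRATOR"),     # left over, but locked below
        ("PS",         "PS_SUPERUSER"),          # shared superuser account
        ("helpdesk",   "FA_COUNSELOR"),
    ])
    con.executemany("INSERT INTO PSOPRDEFN VALUES (?,?)", [
        ("fa_admin1", 0), ("counselor1", 0), ("old_intern", 1),
        ("PS", 0), ("helpdesk", 0),
    ])
    return con


def find_disbursers(con):
    """Map each active user with update rights to the disbursement pages they can use."""
    result = {}
    for oprid, page in con.execute(ACCESS_SQL, DISBURSE_PAGES):
        result.setdefault(oprid, []).append(page)
    return {oprid: sorted(pages) for oprid, pages in result.items()}


def unexpected_disbursers(con, approved):
    """Accounts that can disburse aid but are not on the approved list."""
    return sorted(set(find_disbursers(con)) - set(approved))


if __name__ == "__main__":
    db = build_sample_db()
    for user, pages in sorted(find_disbursers(db).items()):
        print(f"{user:12s} {', '.join(pages)}")
    print("not approved:", unexpected_disbursers(db, approved={"fa_admin1"}))
```

In the sample data the check flags the shared PS superuser account: it has never been given a Financial Aid role explicitly, yet it can reach both disbursement pages through the generic administrator permission list. That is exactly the kind of account an attacker who has obtained "creds with administration roles" will use, so the review should be run against the live database after every role or permission-list change, and the results compared with the list of people actually authorised to disburse aid.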
You can't defend your business if you don't know what threats are coming your way. So I hope this article has shed some light on the risks of Espionage, Sabotage, and Fraud attacks against PeopleSoft Campus Solutions. We recommend applying the latest patches for PeopleSoft, or at the very least the one that closes the JoltandBleed vulnerability, and reviewing Oracle's quarterly Critical Patch Update (CPU) for the latest fixes for Oracle applications. Subscribe to our newsletter and follow us on Twitter to receive information about each CPU as Oracle publishes it.
This is a Security Bloggers Network syndicated blog post authored by Research Team. Read the original post at: Blog – ERPScan