Sota’s parent portal taken down for urgent patching following global cyber attack alerts
The attacks started on July 18, and are specifically targeting school-managed installations, Sota said.
SINGAPORE - The School of the Arts (Sota) took down its parent portal for urgent patching on July 23 after it identified a severe server vulnerability.
In a message sent to parents via the Parents Gateway app on the morning of July 23, the school said: “We are taking this critical step in response to an active and severe vulnerability identified in the third-party server infrastructure supporting the portal.
“This vulnerability is currently being actively exploited in a global cyber-attack campaign, which has already compromised organisations worldwide, including government agencies and multinational campaigns.”
The attacks started on July 18, and are specifically targeting school-managed installations, Sota said in its message. The third-party service provider is aware of these reports concerning its server customers, said the school.
“To safeguard our systems and data against this critical threat, we are initiating an immediate and mandatory patching process for all school-managed servers that support our parent portal,” Sota said in the message. “We are working diligently to complete the patching and restore full service as quickly and safely as possible.”
In response to queries from The Straits Times, a Sota spokeswoman said the school has not identified any compromises to its systems.
She said: “The school’s Parent Portal hosted on Microsoft SharePoint has been temporarily disconnected from the internet as a precautionary measure to facilitate patching against potential vulnerabilities, as advised by the Ministry of Education (MOE).”
SharePoint is used by organisations globally for internal document management, data organisation and collaboration. On July 22, the Cyber Security Agency of Singapore (CSA) issued an alert notifying users of SharePoint to update to the latest version of the software.
Administrators are strongly advised to upgrade their on-site SharePoint server with the latest emergency update provided by Microsoft, said CSA.
The vulnerability affects on-premises installations of Microsoft SharePoint Server Subscription Edition. Affected software includes Microsoft SharePoint Server 2019 and Microsoft SharePoint Server 2016. SharePoint 2010 and 2013 may also be affected by the vulnerabilities, said CSA in its notice.
“For SharePoint servers that do not currently have a patch or are unable to apply them immediately, Microsoft recommends that customers install the latest SharePoint security updates, enable Microsoft AntiMalware Scan Interface integration in SharePoint, and deploy Defender AV on all SharePoint servers,” said CSA.
A spokesperson for CSA and the Government Technology Agency (GovTech) told ST that the agencies have contacted and advised all critical sectors using vulnerable versions of SharePoint to update their servers.
“CSA and GovTech are working with sectors to analyse the impact,” said the spokesperson. “We urge organisations to take immediate steps to apply the patches. They can refer to CSA’s advisory for details.”
MOE has also advised schools to promptly update their school-managed installations to guard against vulnerabilities in SharePoint servers, said a ministry spokesman. He added that there has been no evidence of compromise to date.
The US National Nuclear Security Administration was among those breached in the attack on the SharePoint software.
In an updated advisory published July 24 on its website, CSA said threat actors are still able to exploit patched servers if additional mitigation measures have not been applied, adding that patching alone is not sufficient if the server has already been compromised.
The agency advised affected organisations to adopt the detailed response steps outlined in its advisory.
At least one of those responsible for the cyber attack is a “China-nexus threat actor”, said cyber-security expert Charles Carmakal in a LinkedIn post on July 21.
“It’s critical to understand that multiple actors are now actively exploiting this vulnerability,” said the chief technology officer of Google-owned Mandiant Consulting.
“We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”
The SharePoint vulnerability allows attackers to execute code remotely, said Mr Vladimir Kalugin, operational director of cyber-security firm Group-IB’s unified products. “This means that all resources within the impacted component are divulged to the attackers, allowing them to modify any or all files secured by that component,” he said.
“Since SharePoint is used for content management and file sharing, exploitation of this vulnerability may affect files that are being shared inside this platform.”
He added that attackers may also upload malicious code or scripts, which could potentially allow them to use the compromised server to launch further attacks on other organisations.
“Microsoft is preparing and fully testing a comprehensive update to address this vulnerability,” Mr Kalugin noted.

