By WelshPaul
#6047
Yesterday, the Conti ransomware gang published over 26 GB of data on their ransomware data leak site that was stolen from Sangoma during the recent cyberattack. This leaked data includes files related to the company's accounting, financials, acquisitions, employee benefits and salary, and legal documents.

Today, Sangoma confirmed that the ransomware attack resulted in a data breach after private and confidential files for their company and employees were published online.
Sangoma wrote:
MARKHAM, ONTARIO, December 24, 2020 – Sangoma Technologies Corporation (TSXV: STC) (the “Company” or “Sangoma”) announced that, as a result of a ransomware cyber attack on one of the Company’s servers, private and confidential data belonging to the Company was posted online yesterday.

The Company has launched a comprehensive investigation to fully ascertain the extent of this data breach and is working closely with third-party cybersecurity experts to support these efforts.

There is no initial indication that customer accounts were compromised, nor that any Sangoma products or services were affected as a result of this breach. While the investigation is continuing, and out of an abundance of caution, the company recommends that customers change their Sangoma passwords.

“We are committed to using all available measures to secure and protect our data, as well as the data of our customers, partners and employees,” said Bill Wignall, President and CEO of Sangoma. “We are working as quickly as we can to complete our investigation. As this work progresses, we plan to provide updates of factual, accurate information as it becomes available.”

As always, any Sangoma customers who have questions are encouraged to contact Sangoma via their traditional methods or by email to sangoma-security@sangoma.com.
Link to press release: https://www.sangoma.com/press-releases/ ... re-attack/

The above statement doesn't really tell us anything we didn't already know; it's just full of stuff one would expect to hear from a company hit by a ransomware attack. It's a very PR-focused statement that Sangoma could have just copied and pasted from any number of other companies that have been hit by this type of attack.

Right now the extent of this breach is unknown and you should take steps to protect your server!

UK VoIP Forums recommends the following:
  1. Change all Sangoma passwords
  2. Change administrative GUI passwords
  3. Change root password
  4. Remove support keys
  5. Disable Automatic Module Updates
Read more about the attack here:
https://community.freepbx.org/t/sangoma ... ware/72203
https://www.reddit.com/r/freepbx/commen ... ansomware/

---- ▼▼▼▼ ---- UPDATE 29/12/2020 ---- ▼▼▼▼ ----

Sangoma Technologies Provides Update Regarding Data Breach
Sangoma wrote:
MARKHAM, ONTARIO, December 29, 2020 – Sangoma Technologies Corporation (TSXV: STC), a trusted leader in delivering cloud-based Communications as a Service (“CaaS”) solutions, today provided an update regarding its investigation into the data breach announced on December 24, 2020.

To date, the Company’s investigation has confirmed that the attackers encrypted, copied, and published a significant number of confidential files relating to the Company’s financial information, its corporate development and M&A efforts, certain private employee data, as well as certain customer information and ordering history. While Sangoma’s investigation is still ongoing, there is currently no evidence that the compromised customer information includes bank account or payment card data.

The Company believes strongly that customers’ ability to use Sangoma products and services continues without interruption or issue. To date, the investigation has also uncovered no evidence that any of the Company’s products or services have been impacted by this cyber attack, nor is there any evidence that the code inside Sangoma’s products has been compromised or that the use of the products would create a security risk to a customer’s business. Nevertheless, as announced previously, and out of an abundance of caution, the Company continues to recommend that customers change their Sangoma passwords and that they continue to practice good security hygiene, including limiting remote access to only that which is necessary and monitoring for unauthorized access attempts.

Sangoma has taken immediate action to mitigate and manage the impact of this attack. The Company has retained a deeply experienced team of top third-party cybersecurity experts, is filing a report with law enforcement officials, and has also deployed additional security measures to assist in detecting and preventing any future attempts or incidents of unauthorized access to or malicious activity on its corporate network. The Company has also promptly notified all its employees of the incident and the possible impact on the security of their personal data, has provided them with actions they can take to protect that personal information from theft and misuse, and is putting in place 24 months of credit and dark web monitoring at the Company’s expense.

In addition, as the investigation progresses, the Company will be proactively and directly contacting any specific customers, and other third parties, whose data has been compromised in order to provide further information and appropriate support.

“On behalf of the entire management team and board at Sangoma, I sincerely apologize to our customers, employees, partners and all other stakeholders for the stress and inconvenience caused by this cyber attack. This has admittedly been a challenging time for our Company. We’ve built a strong and trusted reputation with the investor community and while this incident is certainly embarrassing, I’m committed to maintaining full transparency in our reporting of it, and I fully expect to emerge from it stronger than ever,” said Bill Wignall, President and CEO of Sangoma. “We have been working around the clock throughout every day of this holiday period and will continue to do exactly that. At the same time, I want to be completely clear that this incident has had no impact on our corporate strategy or execution. We continue to maintain normal operations, and we remain as focused as ever on building our CaaS cloud-based solutions, winning new subscribers, supporting our valued customers, delivering sustainable growth for our shareholders, generating profitability and cash flow, and executing on the exciting opportunities that exist in our acquisition pipeline.”

Sangoma is committed to providing its stakeholders and the public with further updates of factual and accurate information as it becomes available and appropriate to share in light of the active, ongoing investigations.
Link to press release: https://www.sangoma.com/press-releases/ ... ta-breach/

---- ▼▼▼▼ ---- UPDATE 12/01/2021 ---- ▼▼▼▼ ----

Sangoma Technologies Provides Update on Ransomware Attack, Expects No Material Impact on Sales
Sangoma wrote:
MARKHAM, ONTARIO, January 12, 2021 – Sangoma Technologies Corporation (TSXV: STC), a trusted leader in delivering cloud-based Communications as a Service (“CaaS”) solutions, today provided a further update regarding its ongoing investigation into the data breach announced on December 24, 2020.

Sangoma has not experienced any service interruptions or outages as a result of the cyber attack that targeted the Company, and all customers continue to use the full suite of Sangoma’s products and services, normally. In addition to the Company’s own investigation, a highly experienced team of third-party cybersecurity experts has to date, uncovered no indication of security threats related to the cyber attack that could create any additional risk for Sangoma’s customers from using our products, nor any evidence to suggest that any intellectual property has been compromised.

“While this cyber attack has admittedly created a significant amount of work for us, the most important thing I’d like to stress to our investors is that our underlying business has not changed at all and remains strong,” said Bill Wignall, President and CEO of Sangoma. “We continue to receive and process orders normally, our existing customers continue to use our products without interruption, we continue to win new subscribers as usual, we’re still building out our CaaS cloud solutions and there has been no change in our support to our clients. Importantly, we have seen no discernible impact on order flow since December 24, and as a result, we currently do not expect that the cyber attack will have any material impact on sales or on opportunities in our pipeline.”

Mr. Wignall continued: “Our Company remains focused on delivering sustainable growth and profit while executing on the exciting acquisition opportunities in front of us. Of course, we continue to work with urgency to complete our investigation into this incident, and we’ve taken numerous actions to support those whose information was compromised in the resulting data breach. I’m highly confident that Sangoma will emerge from this incident stronger than ever, and I look forward to providing a detailed update when we report our second-quarter results next month.”

As described in the news release of December 29, Sangoma’s investigation has confirmed that the attackers encrypted, copied, and published a significant number of confidential files relating to the Company’s financial information, its corporate development efforts, certain private employee data, as well as some customer information and ordering history. There continues to be no evidence that the compromised customer information includes bank account or payment card data.

Sangoma has taken immediate action to mitigate and manage the impact of this attack. In addition to retaining a team of third-party cybersecurity experts to assist its investigation, the Company has filed a report with law enforcement officials and deployed additional security measures to assist in detecting and preventing any future attempts or incidents of unauthorized access to or malicious activity on its corporate network. Further, the Company has updated its employees regularly regarding the incident and the possible impact on the security of their personal data, has provided them with actions they can take to protect their personal information from misuse, and is rolling out 24 months of credit and dark-web monitoring and identity theft insurance at the Company’s expense. Finally, Sangoma has been in proactive contact with our customers (as well as other third parties whose data was compromised), to provide clear information as well as appropriate support, and will continue to do so.

Mr. Wignall concluded: “I’d like to thank our customers, employees, partners and shareholders for their patience and support throughout this stressful time. We have received inquiries from a few investors seeking an update on the ransomware attack, and we felt this approach would ensure all stakeholders receive the same information, at the same time. Sangoma will remain as responsive as ever and we will continue providing factual, accurate information as it becomes available and appropriate to share, during our ongoing investigation.”
Link to press release: https://www.sangoma.com/press-releases/ ... -on-sales/

Current list of publicly available files:
#6049
FreePBX servers are only at risk if the FreePBX master signing keys have been leaked and get into the wrong hands. To date there is nothing to suggest that the FreePBX master signing keys have been leaked/compromised. However, you should implement options 2 & 5 as a precaution.

If the FreePBX master signing keys have been compromised (not saying they have been) then it's possible that a module could be modified to contain malicious code, signed and pushed out as a trusted update in order to inject a payload into Sangoma/FreePBX servers everywhere! :scream:

Chris at Crosstalk Solutions talks more about the hack here:
VoipIT liked this
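
The point made above about signing keys, as an added example that is not part of the thread or of FreePBX itself: when a signature alone cannot be relied on, a local SHA-256 baseline of the module tree, taken before a manual update, shows exactly which files that update touched. The module name and file contents are constructed for the demo, and the directory to scan on a real server is left to the reader.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):  # directory symlinks are not followed
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                # Hash the link target string rather than reading outside the tree.
                data = os.readlink(full).encode()
            else:
                with open(full, "rb") as fh:
                    data = fh.read()
            manifest[os.path.relpath(full, root)] = hashlib.sha256(data).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report paths added, removed or changed since the baseline was taken."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo():
    """Constructed module tree: take a baseline, simulate an update, diff."""
    with tempfile.TemporaryDirectory() as root:
        mod = os.path.join(root, "examplemodule")  # hypothetical module name
        os.makedirs(mod)
        for name, body in (("module.xml", "<module/>"), ("functions.inc.php", "<?php // v1")):
            with open(os.path.join(mod, name), "w") as fh:
                fh.write(body)
        baseline = build_manifest(root)
        # Simulated update: one file rewritten, one new file dropped in.
        with open(os.path.join(mod, "functions.inc.php"), "w") as fh:
            fh.write("<?php // v2")
        with open(os.path.join(mod, "extra.php"), "w") as fh:
            fh.write("<?php // new")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the PBX itself cannot write to, otherwise whoever alters the modules can alter the baseline too.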
#6056
*Bleep* @WelshPaul that's not good! 😲

There is a post over on the FreePBX community forum that says there are people online stating to be part of the group that hacked Sangoma, confirming that they have been in contact with Sangoma since October 12th, and yet Sangoma didn't say a word? Shocking!!!

I can't find the files on the Conti website. Have they been removed?
#6064
They have indeed been removed.

The continews website where the files were made available for download is painfully slow! I successfully downloaded the first file (just over 2GB) but that took me forever (almost 2 days). I doubt anybody got the 2nd file because that one was over 26GB in size. 🤦‍♂️