
Mitigate Potential Impacts of the Sangoma Breach on your FreePBX® Based Systems

Preston McNair

Many ClearlyIP customers and partners use our SIP trunking services, IP phones, and services on FreePBX-based systems. Over the last week we have received many questions about the recent cyber-breach at Sangoma Technologies. Because of this, we decided to dust off our cyber security policies and cover some things you can do to mitigate your risk.

On December 23rd, Sangoma, the upstream maintainer of FreePBX, had internal company files published by the attackers behind a ransomware attack. Sangoma responded the following day, stating that a third-party auditor is reviewing what data may have been exposed and recommending that customers change any Sangoma-related passwords. Sangoma also released an update this morning stating:

“Sangoma has taken immediate action to mitigate and manage the impact of this attack. The Company has retained a deeply experienced team of top third-party cybersecurity experts, is filing a report with law enforcement officials, and has also deployed additional security measures to assist in detecting and preventing any future attempts or incidents of unauthorized access to or malicious activity on its corporate network. The Company has also promptly notified all its employees of the incident and the possible impact on the security of their data, has provided them with actions they can take to protect that personal information from theft and misuse, and is putting in place 24 months of credit and dark web monitoring at the Company’s expense.”

A now-deleted Reddit post by individuals claiming to be part of the group that hacked Sangoma states that they have been in contact with Sangoma since October 12th; this has not been publicly confirmed. No company is immune from cyber-attacks; however, if the compromise did occur in October, it is disappointing that Sangoma’s executives chose not to disclose it sooner, which would have allowed the FreePBX community to take precautions two and a half months earlier. ClearlyIP employs over a dozen former Sangoma employees, and as of this posting none of them has received any information concerning their data. Regardless of when the compromise occurred, we would like to provide the steps we recommend you take to secure your PBX.

What is a Cyber-Breach?
Cyber breaches today often take the form of ransomware, and the initial entry point is usually a person rather than a software flaw. With the widespread use of social media, employees posting personal and professional details online make convincing phishing far easier: the attacker sends a credible email, tailored with those details, to an employee. If the victim opens the attachment or enters their credentials on a look-alike login page, the attacker gains a foothold on that workstation and, from there, on the company network. That foothold, not the email itself, is what puts the rest of the network at risk.

Below are our recommendations for locking down your FreePBX infrastructure and for mitigating the worst-case scenario: that the attackers gained access to Sangoma’s FreePBX build and distribution infrastructure, or have sold that access to other bad actors. Sangoma has released no details that confirm or rule this out, so we are all left protecting our PBXs without knowing what the attackers had access to.

Back-Up Your Systems
The most important tool of all is a good, current, offline backup. Offline matters: with the rise of cheap online and disk-to-disk backups, many companies never keep a copy anywhere that is not reachable from the network, and ransomware that can reach a backup will encrypt or delete it along with everything else. A backup stored offline, in a secure location, is out of the attacker’s reach. Test a restore from it periodically; a backup you have never restored is an assumption, not a backup.

Consider limiting your FreePBX module updates to versions released before the Sangoma breach.

One of the worst-case scenarios discussed in the forums and by prominent FreePBX community members is that the FreePBX master signing key may have been leaked during this incident. FreePBX checks a signature on every module it installs; with the private key, a bad actor could modify module code, including the commercial modules, and sign it so that it passes that check without Sangoma’s knowledge. There has been NO information that this has happened. However, to help our clients mitigate this risk, we have enabled three new FreePBX mirror repositories. The modules provided by these mirrors are all pinned to versions released before October 13th, the day after the attackers claim to have first made contact.
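Here is a check you can run against a module directory to see which key signed it and whether its files still match the signed manifest. This is an added example written for this post, not FreePBX or ClearlyIP code. It assumes module.sig is a clearsigned INI file with a `signedwith=` line under `[config]` and `path = sha256` lines under `[hashes]`; confirm that against a real module.sig on your own system before relying on it. The module it checks is constructed inline, and the key ID `DEADBEEF00000000` is a placeholder, not the FreePBX key.

```shell
#!/bin/sh
# Added example, not FreePBX or ClearlyIP code. Checks a module directory
# against the file hashes in its module.sig and reports which key signed it.
# Assumed module.sig layout (confirm against a real one): a clearsigned INI
# with "signedwith=<key id>" under [config] and "path = sha256" lines under
# [hashes]. A passing check means the files match what the key holder signed;
# if the key itself leaked, that is not proof the code came from Sangoma.

SAMPLE_KEY="DEADBEEF00000000"   # placeholder key id for the sample, not the real FreePBX key

# Usage: check_module_sig <module dir> <expected signing key id>
# Returns 0 when the signer matches and every listed file hashes correctly;
# 2 = no module.sig, 3 = wrong key, 4 = hash mismatch or missing file.
check_module_sig() {
    dir="$1"; expected="$2"; sig="$dir/module.sig"
    [ -f "$sig" ] || { echo "$dir: no module.sig (unsigned module)"; return 2; }

    signer=$(sed -n 's/^signedwith=//p' "$sig" | head -n 1)
    if [ "$signer" != "$expected" ]; then
        echo "$dir: signed with '$signer', expected '$expected'"
        return 3
    fi

    # Rewrite the [hashes] section as "hash  path" lines and let sha256sum
    # compare them; it exits non-zero on any mismatch or missing file.
    if ! awk -v dir="$dir" '
            /^\[hashes\]/ { in_hashes = 1; next }
            /^\[/         { in_hashes = 0 }
            in_hashes && $0 ~ / = / {
                split($0, kv, " = ")
                print kv[2] "  " dir "/" kv[1]
            }' "$sig" | sha256sum -c --quiet - >/dev/null 2>&1; then
        echo "$dir: one or more files do not match module.sig"
        return 4
    fi
    echo "$dir: signer ok, all hashes ok"
}

# Builds a constructed sample module in a temp dir: two placeholder PHP files
# and a module.sig whose hashes match them. The PGP signature block is a
# placeholder; this is not a real signed module.
make_sample_module() {
    dir=$(mktemp -d)
    printf '<?php // placeholder module code\n' > "$dir/functions.inc.php"
    printf '<?php // placeholder install script\n' > "$dir/install.php"
    {
        printf -- '-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n'
        printf ';# constructed sample module.sig, not a real signature\n'
        printf '[config]\nversion=1\nhash=sha256\nsignedwith=%s\n' "$SAMPLE_KEY"
        printf '[hashes]\n'
        for f in functions.inc.php install.php; do
            printf '%s = %s\n' "$f" "$(sha256sum "$dir/$f" | cut -d' ' -f1)"
        done
        printf -- '-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n'
    } > "$dir/module.sig"
    echo "$dir"
}

# Demo: the untouched sample passes, a tampered copy fails.
demo=$(make_sample_module)
check_module_sig "$demo" "$SAMPLE_KEY"
echo '// line appended after signing' >> "$demo/install.php"   # simulate tampering
check_module_sig "$demo" "$SAMPLE_KEY" || echo "tampering detected"
rm -rf "$demo"
```

The check covers integrity, not authenticity: `gpg --verify` on module.sig is the step that ties the manifest to a key, and if that key has leaked, both checks pass on attacker-signed code. That is why the mitigation above is version pinning rather than signature checking: compare what is installed against the mirror’s pinned release, and treat a module that is newer than the pin as something to investigate, not something to trust because its signature verifies.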

Remove Sangoma Support and other third-party SSH keys from your system and disable the Sangoma Support VPN.

If you have used Sangoma Support in the past, you likely enabled SSH access for their support staff through the Sangoma SysAdmin module, and you may also have allowed VPN access directly to your PBX from Sangoma. We recommend you disable both, and then confirm by hand that no support keys remain in any user’s authorized_keys file and that the VPN tunnel is actually down, rather than relying on the module’s toggle alone.
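The following script is an added example for this post, not ClearlyIP or Sangoma code: it lists every key in an authorized_keys file with its line number and comment, then removes the ones whose comment matches a pattern you give it, keeping a backup copy for review. The sample file, its placeholder key material, and the key comments (`sangoma-support`, `vendor-support@example.net`) are constructed; which files to check on a real PBX (`/root/.ssh/authorized_keys`, the asterisk user’s, and any other account’s) is for you to enumerate.

```shell
#!/bin/sh
# Added example, not ClearlyIP or Sangoma code. Audits an authorized_keys
# file and removes third-party support keys by comment, with a backup.
# On a FreePBX box check /root/.ssh/authorized_keys, the asterisk user's
# file, and every other account; the paths and comments here are assumptions.

# Usage: list_authorized_keys <authorized_keys file>
# Prints "line: keytype comment" for each key so a human can review them.
list_authorized_keys() {
    awk 'NF >= 2 && $0 !~ /^[[:space:]]*#/ {
        n = 1                                   # skip leading options (from=, command=, ...)
        while (n < NF && $n !~ /^(ssh-|ecdsa-|sk-)/) n++
        comment = ""
        for (i = n + 2; i <= NF; i++) comment = comment (i > n + 2 ? " " : "") $i
        printf "%d: %s %s\n", NR, $n, (comment == "" ? "(no comment)" : comment)
    }' "$1"
}

# Usage: remove_keys_matching <authorized_keys file> <ERE pattern>
# Deletes every key whose trailing comment matches the pattern (case-
# insensitive). Only the comment is matched, never the key material, so a
# base64 coincidence cannot delete a good key. Backs up to <file>.bak.<epoch>
# and prints how many keys were removed.
remove_keys_matching() {
    file="$1"; pattern="$2"
    [ -f "$file" ] || { echo "$file: not found" >&2; return 2; }
    backup="$file.bak.$(date +%s)"
    cp -p "$file" "$backup"
    before=$(grep -c '' "$backup" || true)
    awk -v pat="$pattern" '{
        n = 1
        while (n < NF && $n !~ /^(ssh-|ecdsa-|sk-)/) n++
        comment = ""
        for (i = n + 2; i <= NF; i++) comment = comment " " $i
        if (tolower(comment) ~ tolower(pat)) next   # drop this key
        print
    }' "$backup" > "$file"
    after=$(grep -c '' "$file" || true)
    echo $((before - after))
}

# Constructed sample file; the key material is placeholder text, not real keys.
make_sample_authorized_keys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample; key material is placeholder text, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0001 admin@pbx.example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER0002 sangoma-support
from="203.0.113.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0003 vendor-support@example.net
EOF
    echo "$f"
}

# Demo: review, remove anything that looks like a support key, review again.
sample=$(make_sample_authorized_keys)
echo "Before:"; list_authorized_keys "$sample"
n=$(remove_keys_matching "$sample" 'sangoma|support')
echo "Removed $n key(s). After:"; list_authorized_keys "$sample"
rm -f "$sample" "$sample".bak.*
```

Run the listing first and read it; a support key with no comment will not match any pattern, so delete those by line number (`sed -i 'Nd'`) after checking the backup. Removing the key is not the whole job: also kill any SSH session that is already open (`who`, then terminate the process) and, once the Sangoma VPN is disabled, verify the tunnel interface is gone rather than trusting the toggle.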

Verify All Whitelisted IPs in the FreePBX Firewall

Carefully review every IP address and subnet in the firewall’s trusted and whitelisted zones and make sure you can account for each one; remove any you cannot, and be especially suspicious of broad subnets that were added to make a support case go smoothly and never taken out.
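As an added example (not FreePBX or ClearlyIP code), the script below reviews a dump of the trusted networks against an approved list you maintain: it flags entries that are broader than a chosen prefix, any entry that trusts the entire Internet, and anything not on your approved list. It reads one address or CIDR per line; how you export that list from the Firewall module is up to you, and the one-per-line format is an assumption here. Both lists in the demo are constructed.

```shell
#!/bin/sh
# Added example, not FreePBX or ClearlyIP code. Reviews a dump of the
# firewall's trusted networks (one address or CIDR per line, exported by you;
# that format is an assumption) against an approved list you maintain.

# Usage: review_trusted <trusted dump> <approved list> [widest allowed prefix, default 24]
# Prints one finding per line plus a summary; returns 0 only when there are no findings.
review_trusted() {
    trusted="$1"; approved="$2"; widest="${3:-24}"
    findings=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac     # skip blank and comment lines
        prefix="${entry#*/}"
        [ "$prefix" = "$entry" ] && prefix=32          # bare address: a single host
        if [ "$prefix" -eq 0 ]; then
            echo "CRITICAL $entry trusts every address; the firewall is effectively off"
            findings=$((findings + 1))
        elif [ "$prefix" -lt "$widest" ]; then         # threshold is meant for IPv4 entries
            echo "WARNING  $entry is wider than /$widest"
            findings=$((findings + 1))
        fi
        if ! grep -qxF -- "$entry" "$approved"; then   # exact-line match, so keep one notation
            echo "REVIEW   $entry is not on the approved list"
            findings=$((findings + 1))
        fi
    done < "$trusted"
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a trusted-zone dump as it might look after years of
# support cases, and the owner's approved list.
make_sample_lists() {
    dir=$(mktemp -d)
    cat > "$dir/trusted.txt" <<'EOF'
203.0.113.10/32
198.51.100.0/24
10.0.0.0/8
0.0.0.0/0
192.0.2.77/32
EOF
    cat > "$dir/approved.txt" <<'EOF'
203.0.113.10/32
198.51.100.0/24
10.0.0.0/8
EOF
    echo "$dir"
}

# Demo: the sample produces one WARNING, one CRITICAL and two REVIEW findings.
sample=$(make_sample_lists)
review_trusted "$sample/trusted.txt" "$sample/approved.txt" || true
rm -rf "$sample"
```

The approved list is the point: it forces you to write down why each entry exists, and a trusted subnet you cannot justify in that file is one to remove. Keep the same notation in both files (always `/32` for single hosts, or never), because the comparison is an exact line match.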

Change Your Passwords

As the Sangoma press release also recommends, if you have credentials for the Sangoma Portal, Digium Portal, SIPStation, Sangoma Support, the FreePBX Wiki, or the FreePBX Community Forums, we strongly recommend changing those passwords now rather than waiting for Sangoma’s investigation to disclose the full exposure. If any of those passwords was reused anywhere else, change it there too; it is better to be safe than sorry!