April 29, 2017
To: FreePBX and PBXact Users
From: Sangoma Technologies/FreePBX
Subject: Update from Investigation into Prior Security Attack – IMPORTANT Action Recommended
When it comes to your PBX, we understand that security is paramount and that transparency from your partners like Sangoma, is not only the best policy, it’s the only policy. As a result, we are emailing you today to follow-up and share the results of the investigation into a previous incident regarding our sip trunking service that you may have already been notified about. For those of you who do not use our SIPStation SIP trunking service, that notification explained that about a month ago we had one of our trunking servers attacked, resulting in an illegal hacker getting access to some user’s randomly generated SIP Credentials. At the time of that incident, we promptly communicated via email to all of our SIPStation customers about the issue, and worked with them to obtain new SIP credentials. Our investigation into that attack resulted in a suite of new improvements to our platform as outlined in our SIPStation wiki, more specifically the section on notifications and access restrictions.
Through our investigation we were able to track where in our infrastructure the hacker obtained access. Although we have found no trace or evidence of them accessing our customer data, we have been notified of 14 systems that have been affected out of thousands of deployed system. Based on this we have determined that it’s theoretically possible that these unlawful hackers could have gained access to some PBX data and left no trace. Given this possibility we are sending this update to our broader group of PBX users beyond just our SIPStation subscribers. As mentioned, Sangoma’s commitment to you is to always do everything within our ability to secure our network and to be transparent with you about any attacks. We can tell you with absolute certainty is that we retain absolutely no credit card information and exclusively use Authorize.net as our fully PCI compliant and secure provider for all credit card transactions. So none of your payment details could ever be accessed.
What are we at Sangoma Doing About it and What do we Ask of You?
In addition to the SIPStation improvements mentioned above, we are now also taking a few actions to further strengthen security for our PBX customers as well. Firstly, we have chosen to no longer store SSH and Web GUI credentials for your PBX systems in our Portal (portal.sangoma.com). This was previously available as a result of our customers asking for it, so that Sangoma could offer easier and more expedient responses to your requests for technical support, but the security implication to you is no longer worth the potential risk, in our judgment. We hope you agree and understand. All such previously provided data has since been deleted from our systems.
Our records indicate that your organization has one or more deployments where you previously provided Sangoma with either SSH or Web GUI credentials, so that our support team would have easier access to your systems, when you request our help in future support calls. Since it’s theoretically possible, that a hacker may have gained access to a system with those credentials present, it would be prudent of you to make changes to the passwords. We ask you to please do this promptly. To learn more about changing your SSH password, please visit our wiki article on changing your root password.
In addition, we wish to once again reinforce what we always request of you as part of Sangoma’s security policy: Please be sure that you do not leave those ports open to the internet once any interaction with our support team has concluded. And where possible, we recommend that you lock down access to only Sangoma’s support staff IP addresses at the time the information was, or is, provided.
The risks of a hacker gaining access to your system can lead to toll fraud, system sabotage, and theft of any information you may possess on your system such as call logs, voicemails, recordings and contact information.
In closing, we’d like you to know that we value you as a customer. We at Sangoma work hard every day to earn your business and we sincerely apologize for any inconvenience this has caused. As a small token of our appreciation, we are making our Sysadmin Pro module free, with no strings attached for all systems that purchase it via the portal, within the next 14 days. Along with the many features Sysadmin Pro offers, we’d like to highlight the VPN Server which allows setting up your PBX with a secure VPN Server, allowing remote users to connect directly to your PBX without opening numerous ports. The VPN modules supports both telephone users and administrative users. Additionally it provides a simple method for you to allow our support staff to access your system without opening any ports to the Internet. You can find more information about this by visiting the VPN Server page in the Sysadmin section of our wiki.
Finally, we ask for your cooperation in performing the important task requested above for those of you who may be affected, and for your understanding as we work diligently to be transparent and responsive. Should you have any additional questions we ask that you please login to support.sangoma.com and open a Customer Service ticket with us.
On behalf of the entire Sangoma/FreePBX/SIPStation Team,