Sangoma Hack / Ransomware


If one already has mitigation measures set up and ready to deploy, I.E. monitoring aberrant calling patterns and untoward calling, pulling the plug on when such behavior is recognized, I’m at a loss as to what other measures further than removing temporarily any possibly complomised ssh keys would be or indeed how they would help mitigate the situation.

(Rob Thomas) #22

As the person who WROTE that tool, no. I am not unaware of the Ken Thompson Hack but it would be incredibly unlikely.

(Moussa) #23

I have few few updates to apply, is it safe to do so? (also I did some last week)

  • Contact Manager will be upgraded to online version
  • FreePBX Framework will be upgraded to online version
  • System Admin will be upgraded to online version
  • User Control Panel will be upgraded to online version

(TheJames) #24

More than likely you’re fine. That said there has been no official response so we don’t know the full scope of what is or isn’t safe. Unfortunately it’s 5:00 somewhere and a holiday so who knows if we will see anything before Monday

(Richard Smith) #25

I wonder when the comment Lorne mentioned 8hrs ago is coming? Also when did this hack actually take place, have they known about this longer than today?


FWIW, the Last-Modified header on part1.txt is Sat, 19 Dec 2020 16:51:41 GMT.

Of course, the timestamp might have been spoofed, or the victims not promptly notified.


Lorne, what’s going on? No word here, and my official ticket hasn’t been updated. Silence in this case is REALLY poor form. We need to know ASAP what’s up.

(Rob Thomas) #28

The process in these sort of things is that the company gets Cryptolocked, and are told to pay $x or their data will be released in a period of time, and if they don’t pay by then, the price goes up.

The first period is normally 90 days or so.

(Jared Busch) #29

No, actually it is not. It is legal protection. No one is going to say anything until it is legally signed off on.

(Jared Busch) #30

You need to get over yourself. You have full control over the ability of anything to affect you anytime soon.

The Sangoma SSH key package should not be installed on your system unless you are actively engaged with support. This should have already been in place. If you were actively engaged with support, and have the package installed, you can simply uninstall it and work through things on the phone instead of letting them remote in.

As for anything else with the code, you can simply not update anything.

(TheJames) #31

They have released more data btw. The co cern isn’t the original breach but the data that is released. Which part leads to my identity theft. Do they have my employment docs with my kids ssn. As a former employee and shareholder I care a lot more than I do as a user


Oh Jared. No need to get odious. Tell the agencies that have Orion that they had “full control”.

  1. We were told there would be a formal comment. If if it’s “no comment yet, we’re investigating.” that’s still communication.
  2. I’m not at all worried about the SSH keys. If you actually read the thread, I’m worried about code injection on the commercial modules, as are others. If this breach happened this morning, then fine we don’t update. If it happened a week ago, what then? You clearly need some more understanding of the potential breaches before you offer advice.
  3. Have you seen the files yet? It’s a disaster.
  4. It’s my job to be concerned about this for clients. I’d be complicit otherwise.


Oh that sucks. I’m sorry to hear that.

(Jared Busch) #34

This is why no one needs to take anything you say seriously.

Ransomware and Orion are completely different things.

Edit: I am far from odious at this point.


We don’t know what we don’t know. If this is out there, and Sangoma didn’t disclose, and were surprised when I brought it up, I have to assume there was no SEIM nor forensics done. This is the perfect vector for access to hundreds of thousands of systems. I hope I’m wrong, and it was a drive by. Until then, I’m assuming the worst.

(David) #36

I’m not sure anyone in this thread actually knows what has happened yet. With zero comment from Sangoma everything is speculation.

Someone may have there files, they may also only have have a directory listing, or they may have access or control of backend systems. The later is highly unlikely… but without offical statements, all we have is speculation.

Yes, Sangoma need to consider legal elements of anything they say - and to this I think we need to take comfort in the post above from Lorne - although I’m disappointed, but not surprised in the lack of any formal response from them.


There are files. That’s been confirmed.

(Lorne Gaetz) #38

Press release from a short while ago


Thanks Lorne for the update. Is there a timeline yet? That’s still a critical piece missing.

(Lorne Gaetz) #40

I will update this thread with info as soon as I know it.