Sangoma Hack / Ransomware

(Preston McNair, ClearlyIP CRO) #81

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

(Preston McNair, ClearlyIP CRO) #82

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

(Reinhard Stindl) #83

Isn’t it standard procedure to disclose only limited information, because the hackers read it too…? Doesn’t it take much more time to find out what the damage really is?

(TheJames) #84


^^^ This is exactly my fear. I don’t care a WHIT about the phone system. I’m concerned about a jumping-off point, especially for the clients that do have some cross-VLAN routing for mobile apps, Xactview, email etc. We’ve since mitigated that possibility, but it was not necessary previously since the PBX is not open to the public in any form (heck, we even have clients that still do not use SIP as their trunks). Until a full 3rd-party forensic audit confirms there is no injected code, that firewall is on high alert.


So what is the consensus at this point: Are we trusting module updates or no?

I’m leaning to ‘no’ pending full assurance by Sangoma, but am curious where others are.


Will never happen.

Best they can (and should) do is clarify what they’ve done to audit, followed by the same “no evidence” language they’ve already given. No matter how complete the forensics, there is always a chance they will miss something. I don’t see the attorneys letting them speak in absolutes.

I think some of the expectations here are a little out of line with reality and what any other company has actually done in similar circumstances, but many have been better at managing the news.

But, being a non-distro user, this is pretty much a non-event for us.

(Itzik) #88


I’ll elaborate why yes.

This hack seems to be more of a ransomware than a targeted SolarWinds type of attack. From what we know (at the time of writing this), in the information posted by the hackers as well as what Sangoma published in their statements, it seems like the hackers obtained a ton of Accounting/Financial/Employee information.

However much you don’t want to trust Sangoma, I can assure you that they placed the mirror servers under a magnifying glass as soon as they discovered the hack. However much you are afraid of a SolarWinds-type hack, they are even more so… And I trust Sangoma that if they had spotted something fishy they would’ve taken down the mirror servers, or included that in the statement.

Additionally, some former developers had mentioned:




The SolarWinds issue was in the supply chain. I don’t know dinkus about the Sangoma supply chain, but it does appear to have changed in the last couple years.

And relying on the opinions of people who used to be part of it but aren’t any longer is not, IMO, a good plan. Nothing against James or Rob at all, just that they aren’t the voice from whom I’d like to have more assurance about the integrity of the code.


Looping back on this.

In the absence of direction from Sangoma we’re not installing any module updates for clients. It’s just too much risk to assume.

(Lorne Gaetz) #91

Update from today, Jan 12, 2021


This post was flagged by the community and is temporarily hidden.

(Jared Busch) #93

This post was flagged by the community and is temporarily hidden.


An alternative fact perhaps? (TSX VENTURE: STC)

(Greg Kujawa) #95

What’s amazing is how, with so many possible security layers (e.g. client antivirus, DNS proxy filtering, hardware firewalls, AI-type security appliances, spam/malware e-mail filtering, etc.), most organizations are still vulnerable to a degree, mainly due to PEBCAK. Be it through social-engineering phone calls, spearphishing, or just flat-out baiting someone.

I’ve seen a good amount of larger tech companies get dinged, our retail manufacturers and suppliers get hit, and we’ve all seen the fallout from the SolarWinds s$#tshow. Too bad we can’t grant business Internet access based on the merit/demerit system!