Sangoma Ransomware
-
-
That looks to me like a group of software devs that have no idea about what happened... at least according to their responses there.
-
@Obsolesce said in Sangoma Ransomware:
That looks to me like a group of software devs that have no idea about what happened... at least according to their responses there.
What response? There is no response yet, except to say that there is one forthcoming.
-
Pretty minor. Ransomware really doesn't pose any threat to open source. If anything, this is a great example of "haha, automatigically immune to ransomware!" Except for their paid customer list, which doesn't impact clients.
-
@scottalanmiller said in Sangoma Ransomware:
Pretty minor. Ransomware really doesn't pose any threat to open source. If anything, this is a great example of "haha, automatigically immune to ransomware!" Except for their paid customer list, which doesn't impact clients.
It could be that, the ransomware is the only part they noticed so far. Perhaps their systems were infiltrated months ago, monitored, data collected - including secrets, a large number of possibilities there... ending with them finally initializing ransomware.
We do know for a fact lots of data was stolen and made public. Nobody knows what else was done and to what, until the company says something. They still haven't responded.
-
@Obsolesce said in Sangoma Ransomware:
It could be that, the ransomware is the only part they noticed so far.
Sure, but if we do that logic, we can assume that every vendor has been compromised because they've not noticed yet. It's true, if someone has been ransomwared it means that they have been compromised in some way, so more is very possible. But the ability to destroy data or steal data are very different from the ability to get modified code to customers. That's not to say it isn't possible, just that it's a leap that we can't assume. If we can assume it, then we could assume it with anyone and simply say that "since they can't prove something hasn't happened, that might imply that it did." There's no end to that logic.
-
@Obsolesce said in Sangoma Ransomware:
Perhaps their systems were infiltrated months ago, monitored, data collected - including secrets, a large number of possibilities there... ending with them finally initializing ransomware.
We do know for a fact lots of data was stolen and made public. Nobody knows what else was done and to what, until the company says something. They still haven't responded.Sure, but none of that matters to the customers (unless it's customer data being exposed.) As a FreePBX customer, it doesn't mean a darn thing. Doesn't imply anything.
Perhaps Google was infiltrated months ago and just didn't realize it. Maybe you were. Maybe it isn't even you posting by a hacker pretending to be you. It's just not a logical way to approach it, because once you make that leap it means you have to make it for everyone company, everywhere.
-
@scottalanmiller said in Sangoma Ransomware:
the ability to get modified code to customers. That's not to say it isn't possible, just that it's a leap that we can't assume. If we can assume it, then we could assume it with anyone and simply say that "since they can't prove something hasn't happened, that might imply that it did." There's no end to that logic.
I never said anything about modified code, not sure what this is referring to.
-
@scottalanmiller said in Sangoma Ransomware:
Sure, but none of that matters to the customers (unless it's customer data being exposed.)
It certainly looks like at least some customer data was exposed, without any doubt.
-
@Obsolesce said in Sangoma Ransomware:
@scottalanmiller said in Sangoma Ransomware:
the ability to get modified code to customers. That's not to say it isn't possible, just that it's a leap that we can't assume. If we can assume it, then we could assume it with anyone and simply say that "since they can't prove something hasn't happened, that might imply that it did." There's no end to that logic.
I never said anything about modified code, not sure what this is referring to.
That's the only threat that most Sangoma customers care about. That's teh concern.
-
@Obsolesce said in Sangoma Ransomware:
@scottalanmiller said in Sangoma Ransomware:
Sure, but none of that matters to the customers (unless it's customer data being exposed.)
It certainly looks like at least some customer data was exposed, without any doubt.
Oh certainly, and if that's the case that tiny subset of customers should be upset. There are two totally separate concerns here...
- Customers who may have data exposed <- very real issue and a potential reason to worry about doing business with Sangoma (not saying you shouldn't, but it's a moment to evaluate that.)
- FreePBX code impacted. <- No cause for concern but this is the key "panic" that people are promoting to try to make this into a big deal. I don't know anyone that is a Sangoma customer or why much of anyone would be, the kind of stuff that they make isn't stuff for modern businesses. What they make of importance and value is FreePBX, but we have no cause for concern there given what we know.
-
@scottalanmiller said in Sangoma Ransomware:
Perhaps Google was infiltrated months ago and just didn't realize it. Maybe you were. Maybe it isn't even you posting by a hacker pretending to be you. It's just not a logical way to approach it, because once you make that leap it means you have to make it for everyone company, everywhere.
I meant it in this context:
We know for a fact they were hacked, without any doubt.
Meaning, they only know they were hacked because it was the ransomware that made it obvious. Now they need to do a full in-depth investigation, and may learn that it's just the tip of the iceberg.
I was not talking about about it in the way you are saying.
-
@Obsolesce said in Sangoma Ransomware:
We know for a fact they were hacked, without any doubt.
Meaning, they only know they were hacked because it was the ransomware that made it obvious. Now they need to do a full in-depth investigation, and may learn that it's just the tip of the iceberg.Because customer data was released, yes then we know that they were hacked. And certainly, it's reasonable to assume all of their data has been exposed (at least to the hackers) unless they provide some assurance as to why some was protected and some was not (unrelated systems or whatever.)
Yes, I would agree there.
-
@scottalanmiller said in Sangoma Ransomware:
FreePBX code impacted. <- No cause for concern but this is the key "panic" that people are promoting to try to make this into a big deal. I don't know anyone that is a Sangoma customer or why much of anyone would be, the kind of stuff that they make isn't stuff for modern businesses. What they make of importance and value is FreePBX, but we have no cause for concern there given what we know.
Yeah this is unlikely, I agree with you.
Had the attackers managed to get credentials to log in to their GIT system and make changes, I'm sure someone would have noticed directly, or due to alerts. They are a software company, so I'm also sure they have approvals, etc. and all that set up, and it's also unlikely the attackers managed to get all credentials needed to bypass and cover up any source code alterations. Then at the same time, manage to bypass 2FA/MFA or even manage to disable it via some admin credentials. Then also, since it's open source, go unnoticed to the large public community skimming the source code for changes. I doubt they have AD, which makes a compromised AD joined device your golden ticket into the entire domain as domain admin. And it is also likely this was solely a ransomware attack.
-
The concern is not the open source. The concern is closed source.
-
@Obsolesce said in Sangoma Ransomware:
I doubt they have AD, which makes a compromised AD joined device your golden ticket into the entire domain as domain admin. And it is also likely this was solely a ransomware attack.
Oh I bet that they are. Just the nature of being a hardware design and manufacturing firm.
-
@JaredBusch said in Sangoma Ransomware:
The concern is not the open source. The concern is closed source.
Very true. Definitely any closed source from them is very suspect now as there's two risks...
- Attacks now know of security holes that weren't public simply by getting "read access" to the code.
- Compromised are injected because there's no community or repo protection against changes.
-
@scottalanmiller said in Sangoma Ransomware:
- FreePBX code impacted. <- No cause for concern but this is the key "panic" that people are promoting to try to make this into a big deal. I don't know anyone that is a Sangoma customer or why much of anyone would be, the kind of stuff that they make isn't stuff for modern businesses. What they make of importance and value is FreePBX, but we have no cause for concern there given what we know.
Question - do you think that if Sangoma only made revenue off support contracts and the add-on modules they would exist as a company? i.e. if they dropped PBXact, etc - could they likely stay afloat?
-
@Dashrender said in Sangoma Ransomware:
@scottalanmiller said in Sangoma Ransomware:
- FreePBX code impacted. <- No cause for concern but this is the key "panic" that people are promoting to try to make this into a big deal. I don't know anyone that is a Sangoma customer or why much of anyone would be, the kind of stuff that they make isn't stuff for modern businesses. What they make of importance and value is FreePBX, but we have no cause for concern there given what we know.
Question - do you think that if Sangoma only made revenue off support contracts and the add-on modules they would exist as a company? i.e. if they dropped PBXact, etc - could they likely stay afloat?
No, because that is why they bought
FreePBXSchmoozecom and Digium.Sangoma has existed for decades as a hardware company, but that hardware revenue went south years ago.
-
@scottalanmiller said in Sangoma Ransomware:
@JaredBusch said in Sangoma Ransomware:
The concern is not the open source. The concern is closed source.
Very true. Definitely any closed source from them is very suspect now as there's two risks...
- Attacks now know of security holes that weren't public simply by getting "read access" to the code.
- Compromised are injected because there's no community or repo protection against changes.
Also the possibility of compromised cryptography keys, such as those used for SSL connections, that people seem to be concerned about.
I don't use them, so not sure about the true nature of that threat though.