Cyber Incident Victim: Sangoma Technologies

Date:

Feb 2018

Location:

United States of America

Summary

A hacking campaign targeted a widely-used open-source VoIP platform, exploiting vulnerabilities to deploy a custom web shell for remote server control. Attackers initially scanned hundreds of global organizations using the software, later compromising a U.S. engineering firm's server to extract call metadata, access recorded conversations, and spoof calls impersonating legitimate users. The intrusion enabled extensive surveillance capabilities, including monitoring communication patterns and exfiltrating sensitive audio data, while obfuscating traces of specific malicious activities conducted through the compromised system. The exploited vulnerabilities were patched prior to the campaign's discovery.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

The incident targeting Asterisk FreePBX systems began with reconnaissance activities between February and July 2018, when an unidentified attacker conducted scans across more than 600 global organizations using the open-source VoIP platform. This initial phase focused on identifying vulnerable systems before abruptly ceasing operations for several months. The campaign resumed in 2019 with a concentrated attack on a U.S.-based engineering firm serving the oil, gas, and chemical sectors. Attackers deployed a custom-built PHP web shell that exploited known vulnerabilities in the Asterisk server, granting full remote control equivalent to physical access to the compromised system. This access enabled the extraction of call metadata—including timestamps, participants, and durations—along with recorded conversations stored on the server when administrators had enabled call recording features for auditing purposes.

The compromise allowed persistent surveillance of communication patterns and content, with attackers demonstrating the capability to spoof calls that appeared to originate from legitimate numbers within the compromised system. Forensic analysis revealed deliberate obfuscation techniques that prevented attribution of specific calls made or received through the hijacked infrastructure. Check Point researchers documented the campaign’s technical mechanisms at the Virus Bulletin 2019 conference, noting that the vulnerability leveraged in the attack had been patched by Asterisk prior to the campaign’s initial detection. The targeted engineering firm’s server represented a confirmed breach, though the full scope of data exfiltrated remained unclear due to the attacker’s anti-forensic measures. No public disclosure occurred regarding containment actions taken by affected organizations beyond the broader recommendation to maintain patch compliance.

Sources
Sources available to members
1 source