Attacks aimed at vulnerable FreePBX servers ongoing

Threat actors have been targeting Sangoma FreePBX instances with internet-exposed administrator control panels in attacks involving a new zero-day flaw since August 21, reports BleepingComputer. The ongoing intrusions have prompted the Sangoma FreePBX Security Team to release an emergency EDGE module fix ahead of an official security patch; users are advised to restrict access to the administrator panel to known, trusted hosts via the Firewall module. "The EDGE module fix provided should protect future installations from infection, but it is not a cure for existing systems," said Sangoma Open Source Solutions Advocate Chris Maj. Other indicators of compromise include a missing or altered '/etc/freepbx.conf' file, questionable 'modular.php' entries in the Apache logs, suspicious calls to extension 9998 in the Asterisk logs dating back to August 21, the presence of the '/var/www/html/.clean.sh' shell script, and unwanted entries in the MariaDB/MySQL 'ampuser' table.
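The indicators above translate directly into a host-side sweep. The script below is an added example written for this page, not Sangoma's EDGE fix or any FreePBX tooling. It assumes the default SNG7/FreePBX paths for the config file, the Apache access log and the Asterisk full log (override them via environment variables), assumes the year 2025 for the "August 21" cut-off, and assumes the admin-user table is `ampusers` in the `asterisk` database (the article calls it the "ampuser" table); the admin-user check works from two operator-prepared username lists so it can run without database access. Each indicator is its own function so the pieces can be reused in other tooling.

```shell
#!/bin/sh
# IOC sweep for the FreePBX indicators listed in the article. Example code
# written for this page, not Sangoma's EDGE fix or any FreePBX tooling.
# Assumptions: default SNG7/FreePBX paths below; the year 2025 in SINCE (the
# article only says "August 21"); the admin-user table is "ampusers" in the
# "asterisk" database (the article calls it the "ampuser" table).
set -u

FREEPBX_CONF="${FREEPBX_CONF:-/etc/freepbx.conf}"
CLEAN_SH="${CLEAN_SH:-/var/www/html/.clean.sh}"
APACHE_LOG="${APACHE_LOG:-/var/log/httpd/access_log}"
ASTERISK_LOG="${ASTERISK_LOG:-/var/log/asterisk/full}"
SINCE="${SINCE:-2025-08-21}"
# Operator-prepared lists, one username per line. Produce the current one with e.g.
#   mysql -N asterisk -e 'SELECT username FROM ampusers' > /root/ampusers.current
AMPUSERS_BASELINE="${AMPUSERS_BASELINE:-/root/ampusers.baseline}"
AMPUSERS_CURRENT="${AMPUSERS_CURRENT:-/root/ampusers.current}"

# Indicator: /etc/freepbx.conf missing. Exit 0 = hit. An *altered* file can only
# be spotted by diffing against a known-good backup, which is left to the operator.
conf_missing() { [ ! -e "$1" ]; }

# Indicator: requests to modular.php in the Apache access log. Prints the count.
count_modular_hits() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c 'modular\.php' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Indicator: calls to extension 9998 in the Asterisk full log on or after $2.
# Full-log lines start with "[YYYY-MM-DD HH:MM:SS]", so the date compares as text.
count_ext9998_calls() {
  [ -r "$1" ] || { echo 0; return 0; }
  awk -v since="$2" 'substr($1, 2, 10) >= since && /\[9998@/ { n++ } END { print n + 0 }' "$1"
}

# Indicator: the dropped shell script is present. Exit 0 = hit.
clean_sh_present() { [ -e "$1" ]; }

# Indicator: admin users in the current list ($2) that are not in the baseline ($1).
unknown_ampusers() {
  grep -vxF -f "$1" "$2" || true
}

# Run every check against the configured paths; returns the number of hits.
sweep() {
  hits=0
  if conf_missing "$FREEPBX_CONF"; then
    echo "HIT: $FREEPBX_CONF is missing"; hits=$((hits + 1))
  fi
  n=$(count_modular_hits "$APACHE_LOG")
  if [ "$n" -gt 0 ]; then
    echo "HIT: $n request(s) to modular.php in $APACHE_LOG (review them)"; hits=$((hits + 1))
  fi
  n=$(count_ext9998_calls "$ASTERISK_LOG" "$SINCE")
  if [ "$n" -gt 0 ]; then
    echo "HIT: $n call(s) to extension 9998 in $ASTERISK_LOG since $SINCE"; hits=$((hits + 1))
  fi
  if clean_sh_present "$CLEAN_SH"; then
    echo "HIT: $CLEAN_SH exists"; hits=$((hits + 1))
  fi
  if [ -r "$AMPUSERS_BASELINE" ] && [ -r "$AMPUSERS_CURRENT" ]; then
    u=$(unknown_ampusers "$AMPUSERS_BASELINE" "$AMPUSERS_CURRENT")
    if [ -n "$u" ]; then
      echo "HIT: unexpected admin user(s): $(printf '%s' "$u" | tr '\n' ' ')"; hits=$((hits + 1))
    fi
  else
    echo "SKIP: admin-user check (baseline/current list not found)"
  fi
  echo "$hits indicator(s) present"
  return "$hits"
}

# Only run the sweep when invoked as: sh freepbx_ioc.sh sweep
[ "${1:-}" = "sweep" ] && sweep
```

Run it as root on the PBX with `sh freepbx_ioc.sh sweep`; the exit status is the number of indicators found, so it drops into a cron job or a fleet-wide SSH loop unchanged. A hit on any single indicator is worth a full investigation rather than a clean-up, in line with Sangoma's note that the EDGE fix does not remediate already-compromised systems.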
