azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(memory): consolidate scattered feedback/project/reference files

Browse Source 
Compressed memory store 104 -> 71 files via four passes:

- Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files
  (api/billing/workflow) + an on-demand feedback_syncro_history.md for
  incident detail, quotes, and tech/product ID tables.
- Four near-duplicate merges: Howard paste-safety, Pluto build server,
  Howard backend deferral, IX server access (ssh+tailscale).
- Per-cluster rule/state/history split applied to GuruConnect (2->1),
  Dataforth (3->2), Cascades (7->3), GuruRMM (13->3).
- New reference_resource_map.md: single auto-loaded cheatsheet for
  "do I have access to X and how do I connect from this machine?"
- MEMORY.md rewritten to match the new layout.

Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
This commit is contained in:
Mike Swanson
2026-06-01 16:25:45 -07:00
parent 2a1ccfac73
commit 0c000109dc
75 changed files with 1473 additions and 1324 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
.claude/memory/project_dataforth_history.md Normal file
View File

@@ -0,0 +1,46 @@
---
name: Dataforth incident history — 2026-03-27 DF-JOEL2 compromise
description: Detail and remediation log for the 2026-03-27 Dataforth security incident — DF-JOEL2 compromised via ScreenConnect social-engineering, attacker C2 IPs and case numbers, the MFA / CA rollout that came out of it, Joel Lohr retirement handling. RESOLVED 2026-04-04 when CA policies enforced.
type: project
---
Incident archive backing [[project_dataforth]]. Read on-demand when discussing post-incident posture, IPs, IC3 case, or the MFA rollout origin story.
## Incident — 2026-03-27 (RESOLVED 2026-04-04)
Joel Lohr's workstation (**DF-JOEL2**, 192.168.0.143) compromised via a phishing email to a personal Yahoo account. Attacker (alias "Angel Raya") deployed ScreenConnect C2 backdoors. M365 account also compromised — sign-ins from Turkey/UK/Germany.
## Attacker
- **C2 IPs:** `80.76.49.18`, `45.88.91.99` (AS399486, Virtuo, Montreal QC) — SUSPENDED by host.
- **Cloud relay:** `instance-wlb9ga-relay.screenconnect.com`
- **ConnectWise case:** `03464184`
- **IC3 complaint:** `1c32ade367084be9acd548f23705736f`
## Remediation
- C2 IPs blocked at UDM firewall via `iptables`. **Outstanding:** add permanent rules in the UniFi UI (still on iptables-only as of incident close).
- 3 rogue ScreenConnect clients uninstalled.
- `jlohr` AD password reset; M365 sessions revoked.
- 32 machines scanned clean, 28 unreachable (offline at scan time — check when available).
- No lateral movement detected.
## MFA rollout (born from this incident)
- 3 CA policies deployed report-only first, then enforced 2026-04-04:
- Require MFA (skip from office IP `67.206.163.122`)
- Block foreign sign-ins (US only; `MFA-Travel-Bypass` group for exceptions)
- Block legacy auth
- Notice sent to all users with the 2026-04-04 deadline.
- 19/38 users were MFA-ready at policy go-live; 19 had pending registration.
## Joel Lohr
- Retired 2026-03-31.
- Auto-reply directs contacts to Dan Center (`dcenter@dataforth.com`).
- Account to be disabled after retirement (verify status).
## Open items
- Permanent UDM block rules for C2 IPs (currently only iptables, not in UniFi UI).
- 28 machines that were offline at the post-incident scan — re-scan when reachable.