chore(memory): consolidate scattered feedback/project/reference files
Compressed memory store 104 -> 71 files via four passes: - Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files (api/billing/workflow) + an on-demand feedback_syncro_history.md for incident detail, quotes, and tech/product ID tables. - Four near-duplicate merges: Howard paste-safety, Pluto build server, Howard backend deferral, IX server access (ssh+tailscale). - Per-cluster rule/state/history split applied to GuruConnect (2->1), Dataforth (3->2), Cascades (7->3), GuruRMM (13->3). - New reference_resource_map.md: single auto-loaded cheatsheet for "do I have access to X and how do I connect from this machine?" - MEMORY.md rewritten to match the new layout. Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
This commit is contained in:
@@ -1,39 +0,0 @@
|
||||
---
|
||||
name: Dataforth Security Incident 2026-03-27
|
||||
description: DF-JOEL2 compromised via ScreenConnect social engineering. MFA deployed. IC3 filed. C2 IPs blocked. Full remediation completed.
|
||||
type: project
|
||||
---
|
||||
|
||||
[RESOLVED] CA policies enforced 2026-04-04; incident closed.
|
||||
|
||||
## Incident
|
||||
Joel Lohr's workstation (DF-JOEL2, 192.168.0.143) compromised via phishing email to personal Yahoo account. Attacker "Angel Raya" deployed ScreenConnect C2 backdoors. M365 account also compromised from Turkey/UK/Germany.
|
||||
|
||||
## Attacker
|
||||
- C2: 80.76.49.18 and 45.88.91.99 (AS399486, Virtuo, Montreal QC) - SUSPENDED by host
|
||||
- Cloud relay: instance-wlb9ga-relay.screenconnect.com
|
||||
- ConnectWise case: 03464184
|
||||
- IC3 complaint: 1c32ade367084be9acd548f23705736f
|
||||
|
||||
## Remediation
|
||||
- C2 IPs blocked at UDM firewall (iptables - need permanent rules in UniFi UI)
|
||||
- 3 rogue ScreenConnect clients uninstalled
|
||||
- jlohr AD password reset, M365 sessions revoked
|
||||
- 32 machines scanned clean, 28 unreachable (offline)
|
||||
- No lateral movement detected
|
||||
|
||||
## MFA Rollout
|
||||
- 3 CA policies deployed (report-only until April 4, 2026):
|
||||
- Require MFA (skip from office IP 67.206.163.122)
|
||||
- Block foreign sign-ins (US only, MFA-Travel-Bypass group for exceptions)
|
||||
- Block legacy auth
|
||||
- 19/38 users MFA-ready, 19 need to register
|
||||
- MFA notice sent to all users, deadline April 4
|
||||
|
||||
## Joel Lohr
|
||||
- Retiring March 31, 2026
|
||||
- Auto-reply directs contacts to Dan Center (dcenter@dataforth.com)
|
||||
- Account should be disabled after retirement
|
||||
|
||||
**Why:** Active security incident requiring immediate response.
|
||||
**How to apply:** Monitor CA policies in report-only mode, enforce April 4. Check 28 offline machines when available. Add C2 IPs to permanent UDM block list.
|
||||
Reference in New Issue
Block a user