Add AD1 session data, memory entries for datasheet pipeline and security incident

- Imported AD1 Claude session files to clients/dataforth/session-logs/
- Created memory: project_datasheet_pipeline.md (full pipeline architecture)
- Created memory: project_dataforth_incident_2026-03-27.md (security incident + MFA)
- Updated MEMORY.md index
- Updated session log with AD1 pipeline rebuild findings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
OC-5070
2026-03-27 20:02:36 -07:00
parent 2dd0885b0a
commit 1c72f48e22
17 changed files with 723 additions and 4 deletions

View File

@@ -0,0 +1,37 @@
---
name: Dataforth Security Incident 2026-03-27
description: DF-JOEL2 compromised via ScreenConnect social engineering. MFA deployed. IC3 filed. C2 IPs blocked. Full remediation completed.
type: project
---
## Incident
Joel Lohr's workstation (DF-JOEL2, 192.168.0.143) compromised via phishing email to personal Yahoo account. Attacker "Angel Raya" deployed ScreenConnect C2 backdoors. M365 account also compromised from Turkey/UK/Germany.
## Attacker
- C2: 80.76.49.18 and 45.88.91.99 (AS399486, Virtuo, Montreal QC) - SUSPENDED by host
- Cloud relay: instance-wlb9ga-relay.screenconnect.com
- ConnectWise case: 03464184
- IC3 complaint: 1c32ade367084be9acd548f23705736f
## Remediation
- C2 IPs blocked at UDM firewall (iptables - need permanent rules in UniFi UI)
- 3 rogue ScreenConnect clients uninstalled
- jlohr AD password reset, M365 sessions revoked
- 32 machines scanned clean, 28 unreachable (offline)
- No lateral movement detected
## MFA Rollout
- 3 CA policies deployed (report-only until April 4, 2026):
- Require MFA (skip from office IP 67.206.163.122)
- Block foreign sign-ins (US only, MFA-Travel-Bypass group for exceptions)
- Block legacy auth
- 19/38 users MFA-ready, 19 need to register
- MFA notice sent to all users, deadline April 4
## Joel Lohr
- Retiring March 31, 2026
- Auto-reply directs contacts to Dan Center (dcenter@dataforth.com)
- Account should be disabled after retirement
**Why:** Active security incident requiring immediate response.
**How to apply:** Monitor CA policies in report-only mode, enforce April 4. Check 28 offline machines when available. Add C2 IPs to permanent UDM block list.