sync: auto-sync from GURU-5070 at 2026-06-02 07:25:49

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 07:25:49

.claude/memory/project_dataforth_incident_2026-03-27.md

@@ -0,0 +1,39 @@
+---
+name: Dataforth Security Incident 2026-03-27
+description: DF-JOEL2 compromised via ScreenConnect social engineering. MFA deployed. IC3 filed. C2 IPs blocked. Full remediation completed.
+type: project
+---
+
+[RESOLVED] CA policies enforced 2026-04-04; incident closed.
+
+## Incident
+Joel Lohr's workstation (DF-JOEL2, 192.168.0.143) compromised via phishing email to personal Yahoo account. Attacker "Angel Raya" deployed ScreenConnect C2 backdoors. M365 account also compromised from Turkey/UK/Germany.
+
+## Attacker
+- C2: 80.76.49.18 and 45.88.91.99 (AS399486, Virtuo, Montreal QC) - SUSPENDED by host
+- Cloud relay: instance-wlb9ga-relay.screenconnect.com
+- ConnectWise case: 03464184
+- IC3 complaint: 1c32ade367084be9acd548f23705736f
+
+## Remediation
+- C2 IPs blocked at UDM firewall (iptables - need permanent rules in UniFi UI)
+- 3 rogue ScreenConnect clients uninstalled
+- jlohr AD password reset, M365 sessions revoked
+- 32 machines scanned clean, 28 unreachable (offline)
+- No lateral movement detected
+
+## MFA Rollout
+- 3 CA policies deployed (report-only until April 4, 2026):
+  - Require MFA (skip from office IP 67.206.163.122)
+  - Block foreign sign-ins (US only, MFA-Travel-Bypass group for exceptions)
+  - Block legacy auth
+- 19/38 users MFA-ready, 19 need to register
+- MFA notice sent to all users, deadline April 4
+
+## Joel Lohr
+- Retiring March 31, 2026
+- Auto-reply directs contacts to Dan Center (dcenter@dataforth.com)
+- Account should be disabled after retirement
+
+**Why:** Active security incident requiring immediate response.
+**How to apply:** Monitor CA policies in report-only mode, enforce April 4. Check 28 offline machines when available. Add C2 IPs to permanent UDM block list.