---
name: Dataforth incident history — 2026-03-27 DF-JOEL2 compromise
description: Detail and remediation log for the 2026-03-27 Dataforth security incident — DF-JOEL2 compromised via ScreenConnect social engineering, attacker C2 IPs and case numbers, the MFA / CA rollout that came out of it, Joel Lohr retirement handling. RESOLVED 2026-04-04 when CA policies enforced.
type: project
---

Incident archive backing [[project_dataforth]]. Read on demand when discussing post-incident posture, IPs, the IC3 case, or the origin of the MFA rollout.

## Incident — 2026-03-27 (RESOLVED 2026-04-04)

Joel Lohr's workstation (**DF-JOEL2**, 192.168.0.143) was compromised via a phishing email to a personal Yahoo account. The attacker (alias "Angel Raya") deployed ScreenConnect C2 backdoors. The M365 account was also compromised — sign-ins from Turkey/UK/Germany.

## Attacker

- **C2 IPs:** `80.76.49.18`, `45.88.91.99` (AS399486, Virtuo, Montreal QC) — SUSPENDED by host.
- **Cloud relay:** `instance-wlb9ga-relay.screenconnect.com`
- **ConnectWise case:** `03464184`
- **IC3 complaint:** `1c32ade367084be9acd548f23705736f`

## Remediation

- C2 IPs blocked at the UDM firewall via `iptables`. **Outstanding:** add permanent rules in the UniFi UI (still iptables-only as of incident close).
- 3 rogue ScreenConnect clients uninstalled.
- `jlohr` AD password reset; M365 sessions revoked.
- 32 machines scanned clean, 28 unreachable (offline at scan time — check when available).
- No lateral movement detected.

## MFA rollout (born from this incident)

- 3 CA policies deployed report-only first, then enforced 2026-04-04:
  - Require MFA (skipped from office IP `67.206.163.122`)
  - Block foreign sign-ins (US only; `MFA-Travel-Bypass` group for exceptions)
  - Block legacy auth
- Notice sent to all users with the 2026-04-04 deadline.
- 19/38 users were MFA-ready at policy go-live; 19 had pending registration.

## Joel Lohr

- Retired 2026-03-31.
- Auto-reply directs contacts to Dan Center (`dcenter@dataforth.com`).
- Account to be disabled after retirement (verify status).

## Open items

- Permanent UDM block rules for C2 IPs (currently only iptables, not in the UniFi UI).
- 28 machines that were offline at the post-incident scan — re-scan when reachable.
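A quick check for the first open item, added here as an example (not part of the original note or any Dataforth tooling): it takes `iptables -S` output and reports whether each C2 IP from the incident has a DROP rule on FORWARD in both directions. The sample rule listing below is constructed, not a capture from the UDM.

```shell
# Constructed sample of `iptables -S` output (not a real UDM capture).
# It deliberately lacks the destination-side rule for the second IP.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -s 80.76.49.18/32 -j DROP
-A FORWARD -s 80.76.49.18/32 -j DROP
-A FORWARD -d 80.76.49.18/32 -j DROP
-A FORWARD -s 45.88.91.99/32 -j DROP'

# Attacker C2 IPs from the incident record.
C2_IPS="80.76.49.18 45.88.91.99"

# check_c2_blocks RULES
# Prints one MISSING line per absent rule and returns 0 only when every
# C2 IP is dropped on FORWARD as both source (-s) and destination (-d).
check_c2_blocks() {
    rules="$1"
    missing=0
    for ip in $C2_IPS; do
        for dir in s d; do
            if ! printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -$dir $ip/32 -j DROP"; then
                echo "MISSING: -A FORWARD -$dir $ip/32 -j DROP"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone run against the constructed sample.
check_c2_blocks "$SAMPLE_RULES" && echo "all C2 block rules present"
```

On the UDM itself, run it as `check_c2_blocks "$(iptables -S)"`; once the rules are recreated in the UniFi UI, a clean result here confirms they survived the move.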