claudetools/.claude/memory/project_dataforth_incident_2026-03-27.md
OC-5070 ece3222d3a Add AD1 session data, memory entries for datasheet pipeline and security incident
- Imported AD1 Claude session files to clients/dataforth/session-logs/
- Created memory: project_datasheet_pipeline.md (full pipeline architecture)
- Created memory: project_dataforth_incident_2026-03-27.md (security incident + MFA)
- Updated MEMORY.md index
- Updated session log with AD1 pipeline rebuild findings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 20:07:20 -07:00


name: Dataforth Security Incident 2026-03-27
description: DF-JOEL2 compromised via ScreenConnect social engineering. MFA deployed. IC3 filed. C2 IPs blocked. Full remediation completed.
type: project

Incident

Joel Lohr's workstation (DF-JOEL2, 192.168.0.143) compromised via phishing email to personal Yahoo account. Attacker "Angel Raya" deployed ScreenConnect C2 backdoors. M365 account also compromised from Turkey/UK/Germany.

Attacker

  • C2: 80.76.49.18 and 45.88.91.99 (AS399486, Virtuo, Montreal QC) - SUSPENDED by host
  • Cloud relay: instance-wlb9ga-relay.screenconnect.com
  • ConnectWise case: 03464184
  • IC3 complaint: 1c32ade367084be9acd548f23705736f

Remediation

  • C2 IPs blocked at UDM firewall (temporary iptables rules; permanent rules still need to be added in the UniFi UI)
  • 3 rogue ScreenConnect clients uninstalled
  • jlohr AD password reset, M365 sessions revoked
  • 32 machines scanned clean, 28 unreachable (offline)
  • No lateral movement detected

MFA Rollout

  • 3 CA policies deployed (report-only until April 4, 2026):
    • Require MFA (skip from office IP 67.206.163.122)
    • Block foreign sign-ins (US only, MFA-Travel-Bypass group for exceptions)
    • Block legacy auth
  • 19/38 users MFA-ready, 19 need to register
  • MFA notice sent to all users, deadline April 4
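As an added illustration (not part of this memory note and not Microsoft's tooling), the following Python evaluates constructed sign-in records against the three Conditional Access policies above the way report-only mode would, so that the sign-ins which will fail once enforcement starts on April 4 are visible in advance. The office IP, the US-only rule and the MFA-Travel-Bypass group name come from the note; the sign-in records, user names and the set of protocols treated as legacy auth are assumptions.

```python
"""Report-only evaluation of the three CA policies in the note (added example).

Policies modelled, in the order they are checked:
  1. Block legacy authentication
  2. Block sign-ins from outside the US unless the user is in MFA-Travel-Bypass
  3. Require MFA, except from the office IP 67.206.163.122
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List

OFFICE_IP = ip_address("67.206.163.122")   # office egress IP, from the note
ALLOWED_COUNTRIES = {"US"}                  # "block foreign sign-ins (US only)"
TRAVEL_BYPASS_GROUP = "MFA-Travel-Bypass"   # exception group, from the note
# Assumption: which protocols the "block legacy auth" policy covers.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH", "Exchange ActiveSync"}


@dataclass
class SignIn:
    user: str
    ip: str
    country: str            # ISO country code resolved from the source IP
    client_protocol: str    # "browser" for modern auth, else a legacy protocol
    mfa_registered: bool
    groups: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    user: str
    would_block: bool       # sign-in would be refused once policies are enforced
    mfa_required: bool      # user would be prompted for MFA
    reasons: List[str]


def evaluate(s: SignIn) -> Verdict:
    """Apply the three policies to one sign-in and explain each decision."""
    reasons, block, mfa = [], False, False

    # Policy: block legacy auth. Legacy clients cannot satisfy MFA at all.
    if s.client_protocol in LEGACY_PROTOCOLS:
        block = True
        reasons.append(f"legacy auth ({s.client_protocol}) blocked")

    # Policy: block foreign sign-ins unless the user is in the travel bypass group.
    if s.country not in ALLOWED_COUNTRIES:
        if TRAVEL_BYPASS_GROUP in s.groups:
            reasons.append(f"foreign sign-in from {s.country} allowed via {TRAVEL_BYPASS_GROUP}")
        else:
            block = True
            reasons.append(f"foreign sign-in from {s.country} blocked")

    # Policy: require MFA except from the office IP.
    if ip_address(s.ip) == OFFICE_IP:
        reasons.append("office IP, MFA not required")
    else:
        mfa = True
        if s.mfa_registered:
            reasons.append("MFA required")
        else:
            reasons.append("MFA required but user has not registered")

    return Verdict(s.user, block, mfa, reasons)


def report(signins: List[SignIn]) -> List[Verdict]:
    return [evaluate(s) for s in signins]


def unregistered_exposed(signins: List[SignIn]) -> List[str]:
    """Users who will be prompted for MFA but have not registered yet."""
    return sorted({s.user for s in signins
                   if ip_address(s.ip) != OFFICE_IP and not s.mfa_registered})


# Constructed sample sign-ins (documentation IP ranges, fictitious users).
SAMPLE = [
    SignIn("alice@example.com", "67.206.163.122", "US", "browser", False),
    SignIn("bob@example.com", "203.0.113.7", "US", "browser", True),
    SignIn("carol@example.com", "198.51.100.9", "TR", "browser", True),
    SignIn("dave@example.com", "198.51.100.10", "GB", "browser", True, ["MFA-Travel-Bypass"]),
    SignIn("erin@example.com", "203.0.113.8", "US", "IMAP", True),
    SignIn("frank@example.com", "203.0.113.9", "US", "browser", False),
]

if __name__ == "__main__":
    for v in report(SAMPLE):
        state = "BLOCK" if v.would_block else ("MFA" if v.mfa_required else "ALLOW")
        print(f"{v.user:20} {state:5} {'; '.join(v.reasons)}")
    print("need to register before April 4:", unregistered_exposed(SAMPLE))
```

Running the report over real sign-in logs during the report-only window gives the same two lists the note tracks: sign-ins that will be blocked (foreign and legacy auth) and users who still need to register before enforcement.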

Joel Lohr

  • Retiring March 31, 2026
  • Auto-reply directs contacts to Dan Center (dcenter@dataforth.com)
  • Account should be disabled after retirement

Why: Active security incident requiring immediate response. How to apply: Monitor CA policies in report-only mode, enforce April 4. Check 28 offline machines when available. Add C2 IPs to permanent UDM block list.