Wildfire is a code name used when an organization is under a cyber attack and all communications may already be compromised. It is a call to action for all parties who are on the "Circuit" to come to the aid of the victim of the attack. We use it at WL/RSAC to encourage all members to provide information and/or assistance to help a fellow member through or after a cyber breach.
Between December 6 and December 7, 2018, the IP address 188.8.131.52, belonging to Cytherian, Burlington, NC, and hosted at Peak10, was identified connecting to Wapack Labs-owned command and control sinkholes.
184.108.40.206 has been observed checking into multiple Wapack Labs command and control sinkholes as far back as January 2018, and has appeared infected with both botnet and advanced persistent threat malware, including Esfury, Carbanak, BlackEnergy, and more. While this traffic may be the result of activity other than a malware infection (e.g. security research or sandboxing), it is highly suspicious and should be investigated.
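The observations above (a single address checking into sinkholes for several unrelated malware families over many months) are the kind of record an analyst triages before deciding whether one host is infected or whether a NAT egress, shared host or sandbox sits behind the address. The following is an added example, not Wapack Labs code and not the lab's actual sinkhole format: the log fields (timestamp, source IP, sinkholed family) and every timestamp are constructed for illustration, and the triage heuristics (long span, three or more families) are this example's own, not criteria stated in the report.

```python
"""Triage of sinkhole check-in records for addresses named in a report.

Added example, not Wapack Labs code. The record layout is assumed and the
sample records are constructed; the report does not publish its log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sinkhole hits (assumed format):
# <ISO-8601 UTC timestamp> <source IP> <malware family the sinkholed C2 served>
SAMPLE_HITS = """\
2018-01-14T03:12:09Z 184.108.40.206 esfury
2018-03-02T11:45:31Z 184.108.40.206 carbanak
2018-09-19T22:07:55Z 184.108.40.206 blackenergy
2018-12-06T08:30:02Z 188.8.131.52 esfury
2018-12-07T14:02:17Z 188.8.131.52 esfury
2018-12-07T14:02:18Z 203.0.113.7 esfury
"""


def parse_hits(text):
    """Parse whitespace-separated records into (datetime, ip, family) tuples."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, family = line.split()
        hits.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, family))
    return hits


def summarize(hits):
    """Per source IP: first seen, last seen, hit count, distinct families."""
    by_ip = defaultdict(list)
    for ts, ip, fam in hits:
        by_ip[ip].append((ts, fam))
    summary = {}
    for ip, recs in by_ip.items():
        times = [t for t, _ in recs]
        summary[ip] = {
            "first_seen": min(times),
            "last_seen": max(times),
            "hits": len(recs),
            "families": sorted({f for _, f in recs}),
        }
    return summary


def triage(summary, ip):
    """Analyst notes for one address. Heuristics are this example's own:
    several unrelated families behind one IP usually means a NAT egress,
    a shared host or a research/sandbox environment rather than a single
    machine carrying every implant."""
    s = summary.get(ip)
    if s is None:
        return ["no sinkhole hits"]
    notes = []
    span = s["last_seen"] - s["first_seen"]
    if span > timedelta(days=180):
        notes.append("long-running: %d days between first and last hit" % span.days)
    if len(s["families"]) >= 3:
        notes.append("multiple families: likely NAT egress, shared host or sandbox; "
                     "pivot on egress logs rather than one endpoint")
    if not notes:
        notes.append("isolated hit: check which internal host egressed at these times")
    return notes


def count_in_window(hits, ip, start_day, end_day):
    """Hits from `ip` between two YYYY-MM-DD dates (inclusive of both days)."""
    start = datetime.strptime(start_day, "%Y-%m-%d")
    end = datetime.strptime(end_day, "%Y-%m-%d") + timedelta(days=1)
    return sum(1 for ts, src, _ in hits if src == ip and start <= ts < end)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HITS)
    summary = summarize(hits)
    for ip, s in sorted(summary.items()):
        print(ip, s["first_seen"].date(), s["last_seen"].date(), s["hits"], s["families"])
        for note in triage(summary, ip):
            print("   -", note)
    print("188.8.131.52 hits Dec 6-7:", count_in_window(hits, "188.8.131.52", "2018-12-06", "2018-12-07"))
```

The useful output for the recipient is not the hit count but the triage note: a long span with disparate families points at an egress point shared by many hosts (or a sandbox), so the next step is correlating the sinkhole timestamps against NAT or proxy logs to find which internal host made each connection, rather than imaging one endpoint.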
For questions or comments regarding this report, please contact the lab directly by phone at 603-606-1246 or by email at email@example.com.