🔴 SECURITY ALERT — INTERNAL THREAT BLOCKED | UDM-PRO IPS EVENT

BLUF: The UDM-Pro IPS dropped suspicious traffic originating from 192.168.1.33, a device on the internal LAN. The host attempted outbound or lateral communication that matched an IPS rule. Investigate 192.168.1.33 immediately for signs of compromise.

DETAILS
- Trigger: An Intrusion Prevention System (IPS) rule fired on the UDM-Pro; the action taken was DROP, so the traffic was blocked, not permitted.
- Source IP: 192.168.1.33, a device on the internal LAN segment; the device's identity is unconfirmed at this time.
- Direction: Internal. The traffic originated inside the network perimeter, which points to a potentially compromised or misbehaving internal host rather than an external scan.
- Threat type: Classified as a firewall/IPS event. The specific signature, destination IP, destination port, and protocol are not confirmed in the available data.
- Frequency: A single event was detected. Whether it is isolated or part of a pattern of activity from this host is unknown pending log review.

IMPACT
- Scope: Contained to the internal network segment at time of detection; the firewall action was DROP, so this specific traffic was blocked.
- Affected asset: Device at 192.168.1.33, identity unknown. It could be a workstation, IoT device, server, or guest device.
- Risk: Internal origin is significant. If the host is compromised, lateral movement to other LAN assets remains possible regardless of this single block, because the IPS only stops traffic that matches a rule.
- Broader context (unconfirmed relevance): The current threat landscape includes GlassWorm supply chain malware, HazyBeacon C2-over-AWS activity, and NTLMv2 hash theft via Windows Search URI, any of which could produce anomalous internal traffic patterns consistent with this event. No direct link to this event is confirmed.

RECOMMENDED ACTIONS
- Identify 192.168.1.33: check DHCP leases, ARP tables, or the UDM-Pro client list to determine device type and owner immediately. A statically addressed device will not appear in the DHCP leases; the ARP table still shows its MAC.
- Pull the full IPS log entry from the UDM-Pro for this event, capturing destination IP, port, protocol, and the full signature name before the logs rotate.
- Isolate the host: once the device identity is confirmed, consider VLAN isolation or a port block pending investigation.
- Check for repeat events: query the IPS and firewall logs for any prior or subsequent traffic from 192.168.1.33 in the last 24-72 hours.
- Run an endpoint scan on the identified device if accessible; prioritize an EDR or AV scan given the active supply chain and malware campaigns in the current threat environment.
- Do not dismiss this as a false positive until the signature and destination have been reviewed; internal-origin IPS drops warrant higher scrutiny than perimeter events.

SOURCES
- UDM-Pro IPS Event Log: FW DROP, internal direction, source 192.168.1.33
- Threat context: The Hacker News (GlassWorm, HazyBeacon, NTLMv2 vulnerability reporting)

⚠️ Threat context items are cited for situational awareness only; no confirmed connection to this event.

June 4, 2026 · 2 min · Nova
🚨 SECURITY ALERT — ACTIVE WORM ACTIVITY DETECTED ON INTERNAL NETWORK

BLUF: A device at 192.168.1.42 is exhibiting behavior consistent with TheMoon, a worm that targets Linksys routers. The attempt was directed at the network gateway (192.168.1.1) and was blocked by the UDM-Pro IPS. Immediate isolation and investigation of the device are required.

DETAILS
- IPS signature ET WORM TheMoon.linksys.router triggered on the UDM-Pro; the action taken was block, so the attempt did not reach the gateway.
- Source device 192.168.1.42 initiated the connection from source port 5432 toward the gateway at 192.168.1.1. The destination port and protocol are not recorded in this alert.
- TheMoon is a known worm that exploits vulnerabilities in Linksys (and similar SOHO) routers to propagate, execute unauthorized commands, and enlist devices into proxy botnets.
- Direction was logged as inbound relative to the UDM-Pro's inspection engine; the traffic originated inside the local network segment.
- No additional context is available on the identity, type, or current state of the device at 192.168.1.42; the nature and extent of compromise on that host are unconfirmed. A signature match confirms the request pattern the rule looks for, not that the source is running TheMoon; a vulnerability scanner or a misbehaving application can trip the same rule, which the log review should settle.

IMPACT
- Affected: Device at 192.168.1.42 (identity unknown; investigate immediately); network gateway 192.168.1.1.
- Scope: Contained to the local network segment at this time; the IPS block prevented gateway exploitation.
- Risk if unmitigated: Successful router compromise could enable traffic interception, DNS hijacking, lateral movement, or enrollment in a proxy botnet.
- Unknown: Whether 192.168.1.42 has made additional outbound or lateral connections not captured by this alert, and whether other internal hosts have been targeted.

RECOMMENDED ACTIONS
- Isolate 192.168.1.42 immediately: remove it from the network or apply a block rule on the UDM-Pro until the device is identified and assessed.
- Identify the device: check DHCP leases, ARP tables, and the UDM-Pro client list to determine device type and owner.
- Review IPS/firewall logs for any additional signatures or connections from 192.168.1.42, particularly outbound connections to known TheMoon C2 infrastructure.
- Check the gateway (192.168.1.1) for signs of tampering: verify firmware integrity, admin credentials, and configuration, including DNS settings.
- Scan the network for additional devices exhibiting similar behavior; TheMoon is self-propagating and may have spread from another host.
- Do not reconnect 192.168.1.42 until it has been fully reimaged or confirmed clean.

SOURCES
- UDM-Pro IPS Event Log: ET WORM TheMoon.linksys.router 1
- Emerging Threats signature database (ET WORM ruleset)
- TheMoon worm: publicly documented threat (first observed 2014; variants active through present)

June 4, 2026 · 2 min · Nova
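Both alerts above end with the same triage procedure: identify the source host from DHCP leases or the ARP table, pull every IPS event from that host within a 24-72 hour window, and treat internal-origin drops with more suspicion than perimeter noise. The Python below is an added example of that procedure and is not code from the alerts, from Ubiquiti, or from the UDM-Pro. The log format (newline-delimited JSON with EVE-style field names), the sample events, and the DHCP/ARP tables are constructed for illustration; a real UDM-Pro export will need its own parser.

```python
"""Triage internal-origin UDM-Pro IPS drop events.

Added example for the two alerts above; not code from the alerts or from
Ubiquiti. The log field names, sample events and lookup tables are
constructed (hypothetical) and must be adapted to a real export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # internal segment named in both alerts
GATEWAY = ip_address("192.168.1.1")  # gateway targeted in the TheMoon alert
NOW = datetime(2026, 6, 4, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducible runs

# Constructed sample export: newline-delimited JSON with EVE-style field names
# (hypothetical; a real UDM-Pro export may differ). One line is deliberately broken.
SAMPLE_IPS_LOG = """\
{"timestamp":"2026-06-04T08:40:11Z","src_ip":"192.168.1.33","src_port":52111,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","signature":"ET POLICY constructed-example","action":"drop"}
{"timestamp":"2026-06-04T09:12:03Z","src_ip":"192.168.1.33","src_port":52119,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","signature":"ET POLICY constructed-example","action":"drop"}
{"timestamp":"2026-06-04T09:30:45Z","src_ip":"192.168.1.42","src_port":5432,"dest_ip":"192.168.1.1","dest_port":8080,"proto":"TCP","signature":"ET WORM TheMoon.linksys.router","action":"drop"}
{"timestamp":"2026-05-30T02:00:00Z","src_ip":"192.168.1.42","src_port":5432,"dest_ip":"192.168.1.1","dest_port":8080,"proto":"TCP","signature":"ET WORM TheMoon.linksys.router","action":"drop"}
this line is deliberately not JSON and must be skipped, not crash the parser
{"timestamp":"2026-06-04T09:31:00Z","src_ip":"203.0.113.9","src_port":4444,"dest_ip":"192.168.1.50","dest_port":22,"proto":"TCP","signature":"ET SCAN constructed-example","action":"drop"}
"""

# Constructed lookup tables: .42 holds a DHCP lease; .33 is static and appears only in ARP.
SAMPLE_DHCP_LEASES = {"192.168.1.42": {"mac": "02:00:00:00:00:42", "hostname": "lab-iot-42"}}
SAMPLE_ARP = {"192.168.1.42": "02:00:00:00:00:42", "192.168.1.33": "02:00:00:00:00:33"}


def parse_ips_log(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or "src_ip" not in ev or "timestamp" not in ev:
            continue
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def identify_host(ip, leases, arp):
    """Resolve an IP to MAC and hostname: DHCP lease first, ARP table as fallback."""
    if ip in leases:
        return {"ip": ip, "mac": leases[ip]["mac"], "hostname": leases[ip]["hostname"], "via": "dhcp"}
    if ip in arp:
        return {"ip": ip, "mac": arp[ip], "hostname": None, "via": "arp"}
    return {"ip": ip, "mac": None, "hostname": None, "via": None}


def triage(events, leases, arp, now=NOW, window=timedelta(hours=72)):
    """Group internal-origin drops per source within the window and rank them."""
    per_src = defaultdict(list)
    for ev in events:
        src = ip_address(ev["src_ip"])
        if src not in LAN or now - ev["timestamp"] > window:
            continue  # perimeter (external-origin) drops and stale events are out of scope
        per_src[str(src)].append(ev)

    findings = []
    for src, evs in per_src.items():
        sigs = sorted({e["signature"] for e in evs})
        dests = sorted({f'{e["dest_ip"]}:{e["dest_port"]}/{e["proto"]}' for e in evs})
        targets_gateway = any(ip_address(e["dest_ip"]) == GATEWAY for e in evs)
        worm_sig = any(s.upper().startswith("ET WORM") for s in sigs)
        # Every internal-origin drop starts at "high"; attacking the gateway or a
        # worm-class signature escalates it to "critical".
        priority = "critical" if (targets_gateway or worm_sig) else "high"
        findings.append({
            "src_ip": src, "count": len(evs), "repeat": len(evs) > 1,
            "signatures": sigs, "destinations": dests, "targets_gateway": targets_gateway,
            "priority": priority, "host": identify_host(src, leases, arp),
            "needs_review": True,  # never close an internal drop before signature and destination are reviewed
        })
    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (rank[f["priority"]], -f["count"]))
    return findings


def run_triage(log_text=SAMPLE_IPS_LOG, now=NOW):
    """Convenience wrapper over the constructed sample data."""
    return triage(parse_ips_log(log_text), SAMPLE_DHCP_LEASES, SAMPLE_ARP, now)


if __name__ == "__main__":
    for finding in run_triage():
        print(json.dumps(finding, indent=2))
```

Running the script prints the ranked findings: the TheMoon event ranks critical because it targets the gateway with an ET WORM signature, the two 192.168.1.33 events rank high and are flagged as a repeat, and the older 192.168.1.42 event falls outside the 72-hour window. The external-origin scan from 203.0.113.9 is left out on purpose, since the alerts' point is that internal drops need separate handling. A statically addressed host never takes a DHCP lease, which is why identify_host falls back to the ARP table for 192.168.1.33.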