Last week we were pleasantly surprised to get an email from Oliver, one of CUJO owners from London. He decided to share a problem he encountered recently with his network. It’s a story about unprotected MacBook that might open the whole network to hackers.
Note: The letter was edited for length and clarity.
Hello, CUJO Team!
I just wanted to share my story. Yesterday’s case was a great example how CUJO helps to understand my network perimeter defenses in place and all the risks that might come together with usage of various software on your laptops/PCs.
Before I dive into it, just want to note that I work in the security industry and try to put all the efforts I can to make my home network a safe fortress for my family. Which means I do know how things work and what should be in place to ensure proper cybersecurity hygiene at home.
We all know that there are way more than one smart devices at home and every one of them can introduce a different type of risk. So there definitely might be cases when you just won’t be aware of what’s being used and installed on each of the workstations.
So the thing that caused my suspicious yesterday was this alert received by CUJO on my mobile App:
What this means, in general, is that someone tried to connect/scan or do reconnaissance activity on my home network to identify potentially opened ports. That in many cases might give hacker or criminal better understanding of further exploitation.
So first I did a quick analysis on what that external IP is. As you can see IP is located in Netherlands, doing initial analysis (you can use many different online tools out there to get information on the IP, I used some of I have in my bookmarks):
I also found corresponding information that this IP is related to:
220.127.116.11 CSV List of All Current Tor Server IP Addresses badips.com listed in http list with a score threshold of zero Website spam activity Modsecurity Analyze Logs malicious traffic against this webserver Known Tor nodes
And I could list more things related to this particular IPs. So my further concern was what is the port 39748 mentioned in the alert, what service is listening to it and why the heck it is being opened on one of my MacBooks at home? I was confident that I don’t expose any ports externally (well at least at the time I’ve got the alert).
So I did some analysis on the mentioned MacBook to understand more:
I did a lookup on my cousin’s laptop, which service is responsible for port forwarding externally this port from his MacBook. I found out that this was torrent client ‘uTorrent’ which exposed port 39748 externally, which then was picked up by adverse malicious IP during scanning activity.
So seems like torrent clients has an option (which is set ON by default). Here you can specify whether or not you want the client to allow to do auto port forwarding. It is obviously is a risk if you not aware around that, or don’t want to open any ports externally.
I removed the option and closed the service on MacBook. The open port was gone and was not indicated as open anymore if doing scans from outside my home network. So we definitely can discuss further whether this port is required for the torrent client to function properly or is it normal and expected behavior.
But my point here is different: I am really happy that my CUJO helps me to understand my network and what’s going on it in real time. Those alerts might not always indicate a risk, but in all the cases they provide you an insight what’s happening on your home network, alerts on any suspicious attempts from outside internet and flags potentially malicious behavior within your internal network.
This is exactly what I expected when I bought my CUJO and I am really excited having this smart gadget my network guard a home.
Thanks, CUJO Team – you are doing a great job!
We are so happy hearing stories like this!If you have any stories you’d like to be featured on this blog, let us know!
If you have any stories you’d like to be featured on this blog, let us know!
Write a letter to: email@example.com