CVE-2021-26855

CVE-2021-26857

CVE-2021-26858

CVE-2021-27065

…are wreaking havoc right now. Are your Exchange servers being hit?

Here is a quick SmartLog query using the Hafnium overview from SentinelOne’s blog:

103.77.192.219 or 104.140.114.110 or 104.250.191.110 or 108.61.246.56 or 149.28.14.163 or 157.230.221.198 or 167.99.168.251 or 185.250.151.72 or 192.81.208.169 or 203.160.69.66 or 211.56.98.146 or 5.254.43.18 or 80.92.205.81

Just cut and paste the above addresses into SmartLog to see if you may have been compromised.

At the very least if you have an Exchange server I would expect to see one of these IPs to have probed your server on port 443.

Maybe you have 443 to open on your Exchange server to support OWA (still)? Having OWA behind Check Point’s Mobile Access Blade would have protected you.

Also, if your Check Point IPS signatures were updating automatically you were protected on March 1st.

Hafnium SmartLog Query

One thought on “Hafnium SmartLog Query

  • April 6, 2021 at 1:03 am
    Permalink

    Good stuff. Thx for the logging query.

Leave a Reply

Your email address will not be published. Required fields are marked *

two + 19 =