{
	"id": "ddb95076-04ee-46ce-a66e-3c38d61ef072",
	"created_at": "2026-04-06T00:12:31.856241Z",
	"updated_at": "2026-04-10T03:35:48.566216Z",
	"deleted_at": null,
	"sha1_hash": "f770dcf06841a873e1fced9090b303c7cae5e67f",
	"title": "Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1406516,
	"plain_text": "Imperva Observes Hive of Activity Following Hafnium Microsoft\r\nExchange Disclosures\r\nBy Daniel Johnston\r\nPublished: 2021-03-26 · Archived: 2026-04-05 22:41:35 UTC\r\nMar 26, 2021 4 min read\r\nIntroduction\r\nOn 2 March 2021, Microsoft and Veloxity produced disclosures outlining the discovery of four zero day\r\nvulnerabilities affecting multiple versions of Microsoft Exchange Server. Each of the vulnerabilities have been\r\nattributed a severity rating from high to critical, however the most impactful statement from both Microsoft and\r\nVeloxity was that these vulnerabilities formed an attack chain which was being actively exploited in the wild.\r\nSince the publication of these disclosures, details have emerged regarding the observed source of the exploitation\r\nof these vulnerabilities. The attacks are being widely attributed to the state-sponsored group dubbed Hafnium,\r\nalleged to be operating out of China.\r\nThe most notable of the new CVEs, CVE-2021-26855, is a SSRF vulnerability in Microsoft Exchange which\r\nallows an attacker to induce the server into performing “unintended actions” through the use of a series of\r\nhttps://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/\r\nPage 1 of 6\n\nspecially crafted POST requests. The attacker can leverage this vulnerability to exploit the other CVEs to perform\r\nmalicious actions, such as dump private email, or even achieve remote code execution.\r\nImperva has put dedicated security rules in place to protect our customers in a direct response to the initial\r\ndisclosures. 
Imperva has also performed analysis on the attempted exploitation of these CVEs and we have\r\nproduced the following insights.\r\nObservations and Statistics\r\nSince the 2 March disclosures, Imperva has observed over 44k scanning and exploitation attempt sessions in the\r\nwild from over 1,600 unique source IPs, related to the Microsoft Exchange CVE-2021-26855 SSRF. From this\r\ndata, we have been able to identify the most targeted industries and countries which have been affected by the\r\nvulnerability in the aftermath of the disclosures.\r\nTargeted Industries\r\nOne of the key observations we have made is that this vulnerability has impacted almost every category of\r\nindustry, which is explained by how ubiquitous the use of Microsoft Exchange is across all sectors.\r\nAccording to our data, the Computing \u0026 IT sector was the most targeted industry, with 21% of all targeted sites\r\nbelonging to this category. Next was Financial Services with 18%, and Telecoms and ISPs completed the top 3\r\nwith 10.5%. Below we show the breakdown of scanning and exploitation attempts against various industries.\r\nTargeted Countries\r\nImperva observed both scanning and exploitation attempts against sites worldwide, with the US being the most\r\ntargeted country, and the UK and Singapore a distant second and third, respectively.\r\nSource Countries\r\nImperva observed that since the disclosures, relatively few scanning and exploitation attempts have been made\r\nfrom Chinese sources. This could be because exploitation and, to a greater extent, scanning have shifted to the\r\nwider public. It may also be because the attackers are using proxies to carry out the attacks. 
The chart below\r\nshows the top attacking countries by session count observed by Imperva analysts since the disclosures.\r\nAttacker IP Reputation\r\nImperva’s IP reputation allows for the identification of potentially suspicious or malicious behaviour by means of\r\ntagging relevant IPs. From this data, 42.3% of the attacker source IPs were previously tagged by Imperva as\r\nhaving exhibited malicious behaviour and 8.45% of the attacker source IPs were previously tagged by Imperva as\r\nvulnerability scanners.\r\nObserved Attacker Activity\r\nImperva analysts have observed various indicators of the attempted exploitation of the Microsoft Exchange\r\nHafnium CVE-2021-26855 in the wild, indicating various motives on the part of the attackers. As mentioned\r\npreviously, an attacker can leverage the vulnerability to perform various unauthorized actions, including the\r\ncollection of private information, and even the writing of arbitrary files to the server resulting in remote code\r\nexecution. In this section, we will discuss some of the requests we have observed and the perceived intentions and\r\nmotivation of the attackers.\r\nDetailed descriptions of how the exploit chain works, and how it can be exploited, are available from various\r\nsources [1][2]; however, the important thing to understand is that the vulnerability allows an attacker to send\r\nmalicious requests to various backend components in Microsoft Exchange by means of a specially crafted POST\r\nrequest to either the Outlook Web Application or the Exchange Admin Centre, where the “X-BEResource” and\r\n“X-AnonResource-Backend” cookie values can be manipulated to specify the targeted resource. 
In our\r\ninvestigation following the disclosures we have observed the following in our data.\r\nCrafted requests to /EWS/Exchange.asmx\r\nA common exploit request observed by Imperva attempting to exploit the CVE-2021-26855 SSRF vulnerability\r\nwas a POST request to the Exchange Admin Centre (/ecp/) and Outlook Web Application (/owa/) endpoints,\r\nwith the crafted cookie value set to the Exchange Web Services endpoint “/EWS/Exchange.asmx”. This\r\nallows the attacker to gain authenticated access to private mail on the server. This request accounted for 18% of\r\nexploitation attempts observed.\r\nCrafted requests to /autodiscover/autodiscover.xml\r\nThe most common exploitation attempts of the SSRF observed by Imperva analysts were requests to the Exchange\r\nAdmin Centre endpoint (/ecp), with the vulnerable cookie set with the FQDN of the server, and the endpoint of\r\n/autodiscover/autodiscover.xml.\r\nAutodiscover in Exchange is a service which allows for the rapid collection of Exchange configurations, service\r\nURLs and supported protocols; it is therefore an obvious target for attackers who are attempting to quickly\r\ngather information, escalate privileges and maintain persistence. In the case of this vulnerability, the autodiscover\r\nservice could be used to gather the information required for further exploitation of the other CVEs associated with\r\nthe chain. 
This request accounted for 51% of exploitation attempts observed.\r\nCrafted requests to /mapi/emsmdb\r\nAnother pattern Imperva analysts observed was crafted POST requests to the Exchange Admin Centre (/ecp),\r\nwith the cookie value crafted with the /mapi/emsmdb endpoint.\r\nResearch into the published exploits and disclosures indicates that the “/mapi/emsmdb” endpoint can be abused to\r\nprocure a valid SID, which can then allow the attacker to gain privileges to the Exchange “proxyLogin.ecp”\r\nendpoint (Exchange HTTP proxy), which can in turn be used to obtain valid “ASP.NET_SessionID” and\r\n“msExchEcpCanary” values, which are required for further chained exploitation of MS Exchange. This request\r\naccounted for 3% of exploitation attempts observed.\r\nHow Imperva protects you\r\nImperva has implemented rules in Cloud WAF and On Prem WAF, which are effective against all exploitation of\r\nCVE-2021-26855. These rules are also effective against the chained exploitation of the subsequent CVEs: CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\r\nCheck if you have been compromised\r\nSince the disclosures of these zero-day vulnerabilities, various news articles have been published reporting mass\r\nexploitation [1][2]. We recommend that if you have unpatched Exchange servers in your organization, you apply\r\nthe latest patches from Microsoft as soon as possible, and use the following guide from Microsoft to check for any\r\nindicators of compromise.\r\nSource: https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/"
	],
	"report_names": [
		"imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f770dcf06841a873e1fced9090b303c7cae5e67f.pdf",
		"text": "https://archive.orkl.eu/f770dcf06841a873e1fced9090b303c7cae5e67f.txt",
		"img": "https://archive.orkl.eu/f770dcf06841a873e1fced9090b303c7cae5e67f.jpg"
	}
}