
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors

Posted by Morphisec Labs on August 27, 2021

On approximately August 21, 2021, security researchers, cybersecurity leaders, and eventually CISA began voicing concerns about the inevitable threat of LockFile ransomware attacks on a wide variety of ill-informed and unprepared victims. Threat actors had been caught targeting on-premises Microsoft Exchange servers via the ProxyShell vulnerabilities, which have been dubbed "worse than ProxyLogon." Patches for these vulnerabilities were made available in April and May, but many servers were still vulnerable.

That same day, Morphisec's zero-trust endpoint protection platform, Morphisec Guard, detected and prevented the execution of Cobalt Strike beacons delivered via a ProxyShell exploit, actively protecting our customers' Exchange servers.

Below is an example of one of the prevention events (ProxyShell):

Cmd execution: cmd

Cobalt Strike C2: hxxp://at.miyazono[.]tk
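The event above gives a defender two things to hunt for: a defanged C2 indicator and command-shell execution on the Exchange host. The following is an added example (not Morphisec's code and not part of the original post) that refangs the indicator as published and runs it, together with a process-creation rule, over constructed sample log lines. The "key=value" log format, the host name EXCH01, and the rule that flags cmd.exe spawned by the IIS worker process w3wp.exe are assumptions for illustration; the post itself only reports "Cmd execution: cmd".

```python
import re

# Indicator copied from the prevention event above, in the defanged form
# threat reports use so it cannot be clicked or resolved by accident.
DEFANGED_C2 = "hxxp://at.miyazono[.]tk"

# Constructed sample log lines (not real telemetry): two DNS queries and two
# process-creation events in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2021-08-21T10:02:11Z host=EXCH01 type=dns query=at.miyazono.tk
2021-08-21T10:02:12Z host=EXCH01 type=dns query=outlook.office365.com
2021-08-21T10:02:13Z host=EXCH01 type=proc parent=w3wp.exe image=cmd.exe
2021-08-21T10:02:14Z host=EXCH01 type=proc parent=explorer.exe image=notepad.exe
"""


def refang(indicator: str) -> str:
    """Turn a defanged URL or host ("hxxp", "[.]", "[dot]") back into its real form."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def host_of(url: str) -> str:
    """Extract the lowercased host part of a URL (or return a bare host unchanged)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, flags=re.IGNORECASE)
    return (m.group(1) if m else url).lower()


def parse_line(line: str):
    """Parse one 'timestamp key=value ...' line into a dict; None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def match_events(log_text: str, c2_hosts, web_worker: str = "w3wp.exe"):
    """Return (timestamp, reason) pairs for lines that match either rule:
    a DNS query for a known C2 host, or cmd.exe spawned by the web worker
    process (assumed here to be w3wp.exe, the IIS worker hosting Exchange)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("type") == "dns" and ev.get("query", "").lower() in c2_hosts:
            hits.append((ev["ts"], f"dns query to known C2 host {ev['query']}"))
        elif (
            ev.get("type") == "proc"
            and ev.get("image", "").lower() == "cmd.exe"
            and ev.get("parent", "").lower() == web_worker.lower()
        ):
            hits.append((ev["ts"], f"cmd.exe spawned by web worker {ev['parent']}"))
    return hits


if __name__ == "__main__":
    c2_hosts = {host_of(refang(DEFANGED_C2))}
    for ts, reason in match_events(SAMPLE_LOG, c2_hosts):
        print(ts, reason)
```

Keeping the indicator defanged in the source and refanging it only at match time means the report text stays safe to paste around, while the parent-process rule catches the shell execution even after the C2 domain changes.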

Conclusion

Morphisec demonstrates the vital nature of a strong prevention strategy for servers. We strongly encourage enterprises to augment detection-centered strategies and tools with more preventative, proactive solutions.
