On approximately August 21, 2021, security researchers, cybersecurity leaders, and eventually CISA began voicing concerns about the inevitable threat of LockFile ransomware attacks on a wide variety of ill-informed and unprepared victims. Threat actors had been caught targeting on-premises Microsoft Exchange servers via the ProxyShell vulnerabilities, which have been dubbed "worse than ProxyLogon". Patches for these vulnerabilities were made available in April and May, but many servers were still vulnerable.
That same day, Morphisec Guard, our Zero Trust endpoint protection platform, successfully detected and prevented the execution of Cobalt Strike beacons that were delivered via a ProxyShell exploit. Morphisec therefore actively protected our customers' Exchange servers.
Below is an example of one of the prevention events:
Cmd execution:
Cobalt Strike C2: hxxp://at.miyazono[.]tk
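As an added example (not Morphisec's code or any part of the original post), the following Python shows how a defender can take a defanged indicator such as the C2 above, normalize it, and sweep proxy logs for hosts that match it or its subdomains. The log lines are constructed for illustration and represent no real traffic; the only indicator used is the one reported on this page.

```python
import re
from urllib.parse import urlparse

# The single C2 indicator reported on the page, kept in its defanged form.
# Defanging (hxxp, [.]) keeps the URL unclickable in reports and tickets.
DEFANGED_IOCS = ["hxxp://at.miyazono[.]tk"]

# Constructed sample proxy log lines (assumed format: time client method url status).
# Lines 2 and 3 reference the page's indicator; the rest are benign filler.
SAMPLE_PROXY_LOG = """\
2021-08-21T10:01:02Z 10.0.0.12 GET https://update.example.org/feed 200
2021-08-21T10:01:07Z 10.0.0.31 POST http://at.miyazono.tk/submit.php 200
2021-08-21T10:01:09Z 10.0.0.31 GET https://AT.MIYAZONO.TK/jquery-3.3.1.min.js 200
2021-08-21T10:01:11Z 10.0.0.44 GET https://mail.example.org/owa/ 200
"""


def refang(indicator: str) -> str:
    """Reverse the common defanging conventions (hxxp, [.], (.), [:])."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_host(url: str) -> str:
    """Return the lowercase host of a URL or bare hostname ('' if none)."""
    target = url if "://" in url else "//" + url
    return (urlparse(target).hostname or "").lower()


def host_matches(host: str, ioc_host: str) -> bool:
    """True when host equals the indicator host or is one of its subdomains."""
    return host == ioc_host or host.endswith("." + ioc_host)


def scan_proxy_log(log_text: str, defanged_iocs) -> list:
    """Return (line_number, matched_ioc_host, url) for every log line whose
    requested host matches one of the indicators."""
    ioc_hosts = {extract_host(refang(i)) for i in defanged_iocs}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than crash
        url = fields[3]
        host = extract_host(url)
        for ioc_host in ioc_hosts:
            if host_matches(host, ioc_host):
                hits.append((lineno, ioc_host, url))
                break
    return hits


if __name__ == "__main__":
    for lineno, ioc, url in scan_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(f"line {lineno}: {url} matched indicator {ioc}")
```

Matching on the host rather than the full URL string is deliberate: beacon traffic varies the path and scheme, and case differences in the host (line 3) would otherwise be missed. Subdomain matching widens the net at the cost of occasional review of near-misses, which is the usual trade-off for C2 domain indicators.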
Conclusion
Morphisec demonstrates the vital nature of a strong prevention strategy for servers. It is our hope that more enterprises will move away from faulty detection-centered strategies and move toward preventative, proactive solutions.