A server room at the Cisco Systems Poland headquarters in Krakow, Poland on June 6, 2022.
Photo: Beata Zawrzel/NurPhoto via Getty Images

Time to exchange Exchange

Protocol Enterprise

Hello, and welcome to Protocol Enterprise! Today: why another serious security flaw in Microsoft Exchange should have enterprise tech thinking real hard about moving on, how AI researchers are working to make the training process less compute-intensive, and why sovereign clouds might proliferate in the wake of Russia’s invasion of Ukraine.

Exchange bugs are back in season

Even with the big migration to cloud-based email over the past few years, Microsoft Exchange email servers remain a major target for hackers. Now there are a pair of new vulnerabilities that anyone running Exchange on-premises probably should not ignore.

First off, let’s answer the most important question: Is there a patch?

  • As of this writing, there is not. But Microsoft has promised that it’s “working on an accelerated timeline” to provide a fix.
  • Microsoft has also released details on a mitigation that can be used to block the observed attack patterns for the vulnerabilities. The mitigation appears to be effective, meaning that it “should blunt the attack until the patch comes out,” Vulcan Cybers Mike Parkin said in an email.
  • “At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” the company said in a blog post.
  • Notably, one of the vulnerabilities could enable remote execution of commands on a compromised server.

The remote code execution vulnerability was dubbed “ProxyNotShell” by researcher Kevin Beaumont, who was among the first to report seeing exploits of the bug.

  • The new Exchange remote code execution flaw (tracked by the identifier CVE-2022-41082) has similarities to last year’s “ProxyShell” vulnerabilities, according to Beaumont and other researchers.
  • A key difference is that ProxyShell allows attackers to bypass authentication for an Exchange server, while ProxyNotShell requires authenticated access for an exploit to succeed.
  • While that makes ProxyNotShell more difficult to use in an attack, doing so is far from impossible.
  • To exploit ProxyNotShell, an attacker could chain together multiple exploits or leverage access to the server in other ways, “neither of which is uncommon,” said Travis Smith, vice president of malware threat research at Qualys, in an email. “Most attackers will use multiple vulnerabilities to their advantage in order to achieve their objective.”
  • The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019, according to Microsoft.

The bottom line is that remote code execution vulnerabilities are no joke: They’re generally considered a serious security risk due to the potential for attackers to take full control of a compromised system. Prominent past examples include the four widely exploited Exchange vulnerabilities disclosed in early 2021, as well as ProxyShell and last December’s critical vulnerability in Apache Log4j logging software, Log4Shell.

  • And if you’ve been in need of a better excuse to ditch self-managed Exchange email servers and move to the cloud version, these hackers just gave you a good one.
— Kyle Alspach (email | twitter)

A MESSAGE FROM WEST MONROE

Digital is an ongoing process, not a destination. West Monroe knows that becoming a digital organization requires a mindset shift that will impact processes and employees at all levels, and that success can be achieved if the organization is aligned toward a clear vision.

Learn more

Try this one simple trick to shrink your AI belly fat

OK, it’s not the latest diet fad, but the quest to lighten the load of AI model building and operation is well underway. A tinyML community has been sprouting up, and now there’s even new math to slim down AI.

Startups such as Deeplite, Neural Magic, and HPC-AI Tech make software that promises to optimize bulky machine learning models and neural networks that are expensive to train and run.

While HPC-AI Tech’s open-source software streamlines and speeds the process of training deep neural networks, Neural Magic is focused on the post-training part.

The company, whose team got its start at MIT, aims to ease deep learning inference, helping models run more efficiently in edge devices. But this isn’t just about mobile gaming or AI for autonomous vehicles.

Neural Magic, which named former Google Cloud and Red Hat chief technology officer Brian Stevens as CEO earlier this year, is attracting interest from retailers that want to run models on CPU servers in store locations.

“You can achieve GPU speeds on commodity CPUs,” Neural Magic’s head of marketing Saša Zelenović told me this week.

Deeplite is all about the edge, too. Its open-source and proprietary software ingests deep neural networks along with the data used to train them, then alters the architectural structures of the models to make them faster.

The idea, said the company’s co-founder and chief product officer, Davis Sawyer, is for hefty models such as computer vision models used for smart parking or in vehicle dashboard cameras to run on low-power hardware.

— Kate Kaye (email | twitter)

Securing the enterprise

In today’s global landscape, cybersecurity threats are something that every business operating on the internet must face, not just enormous tech companies. In this virtual Protocol event on Oct. 4 at 10 a.m. PT, we’ll examine the current best practices for securing both large and small- to medium-sized businesses, providing viewers with a true threat landscape and information they can use to make decisions about the strategy that best supports their business goals.

Protocol Enterprise’s Kyle Alspach will be joined by a great panel of speakers: Andrew Rubin, co-founder and CEO, Illumio; Alex Weinert, vice president and director of identity security, Microsoft; Jameeka Green Aaron, chief information security officer, Auth0; and Devdatta Akhawe, head of security, Figma.

RSVP here.

Where does your data live?

Data residency and security requirements already are increasing the focus on sovereign clouds in Europe for enterprises to keep data in their own countries. And Greg Pavlik, senior vice president and chief technology officer for Oracle Cloud Infrastructure (OCI), expects the political climate in Asia and Eastern Europe to further accelerate demand.

“I expect that we’ll see hundreds of sovereign clouds, to be quite honest with you,” Pavlik told Protocol. “Even independent of the fact that this year globalization seems to have imploded, the European Union was really looking at data sovereignty, privacy, this sort of operational integrity for their intellectual capital. Now with tensions in Asia and Eastern Europe … it just seems that now this idea of having a unique control over the top of the cloud has become a hot, hot topic.”

Oracle this month announced plans to offer two sovereign cloud regions in Spain and Germany next year. The sovereign clouds will run under policies and governance that are set up to protect data residency, security, privacy, and compliance from a regulatory perspective, Pavlik said.

“We’ll have the full replica of all OCI services that are there in existing public regions, and I think we’ve added in capabilities for application services that are specific to the European Union as well,” he said.

While there will continue to be demand for large, multiregion, hyperscale cloud regions, geopolitical forces are changing the cloud landscape, according to Pavlik.

“These kinds of sovereign clouds are going to become more and more the norm from a global perspective,” he said.

— Donna Goodison (email | twitter)

Around the enterprise

SafeGraph, the data broker that came under fire for selling location data about abortion clinic visits to anyone with a credit card, is ending that practice according to Motherboard.

Digital Ocean is restricting the creation of new virtual machines in four of its cloud computing regions around the world, while providing no details about its capacity crunch.

A MESSAGE FROM WEST MONROE

Digital is an ongoing process, not a destination. West Monroe knows that becoming a digital organization requires a mindset shift that will impact processes and employees at all levels, and that success can be achieved if the organization is aligned toward a clear vision.

Learn more

Thanks for reading — see you Monday!

Recent Issues