The Republican Governors Association Servers Hit In Data Breach

The Republican Governors Association (RGA) revealed that it was the victim of a data breach in notification letters sent to members last week. The breach occurred during the extensive Microsoft Exchange hacking campaign that hit organizations worldwide this year, a campaign that used what are now known as the ProxyLogon exploits.

RGA is a US political organization that provides Republican candidates with the campaign resources needed to get elected as governors across the country.

Following an investigation into a possible data breach which began in March, “RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021 and that personal information may have been accessible to the threat actor(s) as a result.”

Though RGA initially stated it was not able to determine whether any personal information was taken in the breach, a subsequent “thorough data mining effort to identify potentially impacted individuals” revealed that names, Social Security numbers, and payment card information were exposed in the attack.

RGA discovered on June 24 that individuals affected by this data breach had their personal information exposed, and completed its “data mining” efforts on September 1.

“Once potentially impacted individuals were identified, RGA worked to identify addresses and engage a vendor to provide call center, notification, and credit monitoring services,” RGA told impacted individuals in a data breach letter sent on September 15.

“RGA is also offering you two (2) years of complimentary credit monitoring and identity restoration services with Experian. RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required.”

ProxyLogon: Catalyst to the Data Breach

The hacking campaign RGA refers to in its data breach notification letter targeted more than a quarter of a million Microsoft Exchange servers, owned by tens of thousands of organizations around the world.

The attackers exploited four zero-days (collectively known as ProxyLogon) in indiscriminate attacks against on-premises Microsoft Exchange servers belonging to organizations from multiple industry sectors worldwide, with the end goal of stealing sensitive information.

At the time of the attack, Microsoft stated that the Chinese state-sponsored hacking group known as Hafnium was behind some of these attacks.

ProxyLogon Attack Map. Source: WeLiveSecurity

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said.

In July, the company’s attribution was confirmed when the US and allies, including the European Union, the United Kingdom, and NATO, officially blamed China for this widespread Exchange hacking campaign.

Attack History Of The Exploits And Threat Actors That Used Them

The Biden administration assessed “with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”

The four zero-days that make up ProxyLogon are as follows:

CVE-2021-26855: SERVER-SIDE REQUEST FORGERY
The Server-Side Request Forgery (SSRF) vulnerability provides a remote actor with admin access by sending a specially crafted web request to a vulnerable Exchange Server. The web request contains an XML SOAP payload directed at the Exchange Web Services (EWS) API endpoint. The SOAP request bypasses authentication using specially crafted cookies and allows an unauthenticated, remote actor to execute EWS requests encoded in the XML payload and ultimately perform operations on users’ mailboxes. This vulnerability, combined with the knowledge of a victim’s email address, means the remote actor can exfiltrate all emails from the victim’s Exchange mailbox.

CVE-2021-26857: REMOTE CODE EXECUTION VULNERABILITY
A post-authentication insecure deserialization vulnerability in the Unified Messaging service of a vulnerable Exchange Server allows commands to be run with SYSTEM account privileges. The SYSTEM account is used by the operating system and services that run under Windows. By default, the SYSTEM account is granted full control permissions to all files. A malicious actor can combine this vulnerability with stolen credentials or with the previously mentioned SSRF vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the security context of SYSTEM.

CVE-2021-26858 AND CVE-2021-27065
Both of these post-authentication arbitrary file write vulnerabilities allow an authenticated user to write files to any path on a vulnerable Exchange Server. A malicious actor could leverage the previously mentioned SSRF vulnerability to achieve admin access and exploit this vulnerability to write web shells to virtual directories (VDirs) published to the internet by the server’s Internet Information Server (IIS). IIS is Microsoft’s web server, a dependency that is installed with Exchange Server and provides services for Outlook on the web, previously known as Outlook Web Access (OWA), Outlook Anywhere, ActiveSync, Exchange Web Services, Exchange Control Panel (ECP), the Offline Address Book (OAB) and Autodiscover.
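Because the file-write bugs above are used to drop web shells into the IIS paths Exchange publishes, one defensive check is to enumerate those paths and list script files that appeared recently. The script below is an added example for this article, not code from RGA, Microsoft or CISA; it assumes it runs on the Exchange server with administrator rights, that the IIS WebAdministration module is available, and that a 30-day lookback window is an acceptable starting point.

```powershell
# Added hunting example (not from the article): list ASP.NET script files recently
# created or modified under every IIS site, application and virtual directory.
# Assumptions: run on the Exchange server as an administrator; the
# WebAdministration module ships with IIS; the 30-day window is a starting point.
Import-Module WebAdministration

$since            = (Get-Date).AddDays(-30)
$scriptExtensions = @('*.aspx', '*.ashx', '*.asmx', '*.asp')

# Collect the physical path behind each published site, application and VDir.
$roots = @()
$roots += Get-Website             | ForEach-Object { $_.PhysicalPath }
$roots += Get-WebApplication      | ForEach-Object { $_.PhysicalPath }
$roots += Get-WebVirtualDirectory | ForEach-Object { $_.PhysicalPath }

# IIS stores some paths with environment variables (e.g. %SystemDrive%); expand
# them and de-duplicate before walking the file system.
$roots = $roots |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $scriptExtensions -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

if ($findings) {
    # Newest files first: a lone .aspx with an odd name in OWA or ECP paths deserves a look.
    $findings | Sort-Object CreationTime -Descending | Format-Table -AutoSize
} else {
    "No script files created or modified since $since under published IIS paths."
}
```

A cumulative update or security patch for Exchange also refreshes files under these paths, so compare any hits against the server's change records before treating them as web shells.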

Protection

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.