Tyler Technologies, Inc. is the largest provider of software to the United States public sector. The company last week disclosed a ransomware attack, and now its customers are reporting finding suspicious logins and previously unseen remote access tools on their networks.
The ransomware attack took place on September 23, the threat actors breached the network of the company and deployed the malware.
Tyler notified law enforcement and hired a forensics firm to investigate the incident and determine the extent of the incident.
Immediately after the attack company representatives declared that the incident only impacted the internal network and phone systems.
“Early in the morning on Wednesday, September 23, 2020, we became aware that an unauthorized intruder had disrupted access to some of our internal systems.” reads a statement issued by the company.
“We have confirmed that the malicious software the intruder used was ransomware.”
According to Tyler Technologies, the cloud infrastructure was not impacted and data of its customers were not affected.
“Based on the evidence available to-date, all indications are that the impact of this incident is limited to our internal corporate network and phone systems, and that there has been no impact on software we host for our clients.” continues the statement. “Our hosted environment is separate and segregated from our internal corporate environment.”
Further investigation revealed a different situation, as confirmed by some changes to the statement published by the company during the weekend. The statement explicitly refers to several suspicious logins to client systems that forced it to reset password as a precautionary measure.
“Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented,” the company said.
“If clients haven’t already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable.”
Following the incident, some of Tyler’s customers also reported observing new remote access software, the Bomgar client, installed on their servers.
This circumstance suggests that attackers might have gained access to passwords for Tyler’s web-hosted infrastructure and moved to the company’s client networks.
“The hack prompted wide concern among local officials because some of Tyler’s programs are used to display election results, and U.S. intelligence agencies recently warned that foreign governments might try to sow mistrust by altering sites that report votes, which is seen as easier than changing the results themselves.” reported the Reuters.
“Tyler said the attack had no impact on the software it hosts for clients, and the software it sells that displays election results is hosted by Amazon and so was not at risk.”
According to Reuters, which first broke the story about the ransomware attack, some of Tyler’s software is also scheduled to be used in the upcoming US presidential election — for aggregating voting results from other sources into central dashboards.”
Some reports circulating online speculate the company was infected with the RansomExx ransomware.
The RansomEXX is human-operated ransomware, this means that attackers manually infected the systems after gained access to the target network.
The good news is that the RansomEXX ransomware, unlike other families of ransomware, does not appear to exfiltrate data before encrypting target systems.
(SecurityAffairs – hacking, Tyler Technologies)