Customers of Tyler Technologies, one of the biggest software providers for the US state and federal government, are reporting finding suspicious logins and previously unseen remote access tools (RATs) on their networks and servers.
The reports come days after Tyler Technologies admitted last week to suffering a ransomware attack.
The Texas-based company said that an intruder gained access to its internal network on the morning of Wednesday, September 23.
The intruder installed ransomware that locked access to some of the company’s internal documents.
Tyler initially played down the incident
Tyler played down the incident and said that only its internal corporate network and phone systems were impacted.
Its cloud infrastructure, where the company hosts its customer-facing applications, was not impacted, the company said in a statement published on its website and via emails sent to customers last week.
But over the weekend, the situation changed as Tyler made headway investigating the incident. The company changed its statement on Saturday.
“Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented,” the company said.
“If clients haven’t already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable.” [emphasis Tyler’s]
Customers report remote access tools on their servers
At the same, some of Tyler’s customers also reported seeing new software installed on their systems.
“If you’re a Tyler customer check your servers for Bomgar that they installed,” wrote one of many users on Reddit over the weekend.
A similar report followed on Monday from cyber-security training outfit SANS.
“One of our readers, a Tyler Technologies’s customer, reported to us that he found this morning the Bomgar client (BeyondTrust) installed on one of his servers,” said Xavier Mertens, one of the SANS ISC handlers.
According to users, Tyler uses the Bomgar client to manage its servers, but some reports claim the software was not installed prior to this weekend, prompting some to panic.
While Tyler insists in its updated statement that the attack was aimed at its internal system, customers now believe attackers might have gained access to passwords for Tyler’s web-hosted infrastructure that were stored on the company’s local network — and attackers are now escalating access to Tyler’s client networks.
While the Tyler Technologies name might not say anything to the regular American, the ransomware attack on this company’s network might quietly become one of the biggest cyber-attacks of the year, if indeed attackers gained access to passwords for customer networks and the Reddit and SANS reports aren’t isolated cases.
According to its website, Tyler provides more than 50 types of web-based applications to the US public sector, such as student and school management software, public transport management solutions, jail management, courts and jury management systems, cyber-security solutions, tax and billing software, fire and EMS solutions, and entire city staff management systems, known as “Munis,” just to name a few.
According to Reuters, which first broke the story about the ransomware attack, some of Tyler’s software is also scheduled to be used in the upcoming US presidential election — for communicating vote results from voting stations to election officials.
The gang behind the Tyler attack was identified as the RansomExx group.