Tyler Technologies Warns Clients To Change Remote Support Passwords

Tyler Technologies is warning clients to change the passwords for the technology provider’s remote access accounts after suspicious logins have been reported.

Earlier this week, we reported that government technology services provider Tyler Technologies suffered a ransomware attack this past Sunday.

This attack was performed by the RansomExx/Defray777 operation, who encrypted the company’s devices and disrupted operations.

Remote support accounts used in suspicious logins

To provide remote support, some clients create accounts that the Tyler Technologies staff use to gain remote access to their network. 

In an email sent late last night from Tyler Technologies and seen by BleepingComputer, CIO Matt Bieri is warning customers that “Tyler credentials” used for remote access were reported as being used to perform suspicious logins.

“We apologize for the late-night communication, but we wanted to pass along important information as soon as possible. We recently learned that two clients have reported suspicious logins to their systems using Tyler credentials. Although we are not aware of any malicious activity on client systems and we have not been able to investigate or determine the details regarding these logins, we wanted to let you know immediately so that you can take action to protect your systems,” Tyler Technology CIO Matt Bieri emailed clients. 

It is not known if these reports of suspicious activity are related to the recent ransomware attack, but to be safe, they are advising their clients to change all passwords for accounts used by Tyler Technologies.

Also Read: 8 Simple Ways To Improve Your Website Protection

“Given this new information, and if you haven’t already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff, and the credentials that Tyler personnel would use to access your applications, where applicable. Although we do not have enough information to know whether this evening’s reports of suspicious activity are related to the ongoing investigation of unauthorized access to Tyler’s internal systems, we believe precautionary password resets should be implemented,” the email advised.

Bieri asks any clients who detect suspicious logins to report them to Tyler Technologies immediately.

Could attackers have access to client’s networks?

When human-operators ransomware attacks are conducted, the attackers are commonly on the network for days, if not weeks, before deploying the ransomware and encrypting devices.

During this time, the ransomware operators will spread laterally through a network, while using tools like Mimikatz to obtain account credentials.

While spreading laterally, the attackers will also peruse victim’s files and steal unencrypted data. This data is then analyzed for sensitive information to be used as leverage to get a victim to pay the ransom.

Some of this information could be saved login credentials in VPN clients or even a spreadsheet that contains account credentials for remote access to client’s networks.

If this is the case, the attackers who breached Tyler Technologies could also use this stolen information to breach clients.

To be safe, all customers should immediately change the passwords to any accounts used by Tyler Technologies’ staff to access their network.

Also Read: How To Check Data Breach And How Can We Prevent It