Tyler Technologies clients report suspicious logins following hack

Posting ID 127200
Date Added: 09/27/2020 5:59 PM EDT
Date Modified: 09/27/2020 6:05 PM EDT
Watch Floor

Description

Summary:                                                                                  

Software vendor Tyler Technologies said Saturday that some customers have reported suspicious logins in the days since Tyler warned it was the victim of a ransomware attack. The attack was performed by the RansomExx/Defray777 operation, who encrypted the company’s devices and disrupted operations. RansomExx recently attacked IPG Photonics and Konica Minolta.

 

The company said it had received reports of several suspicious logins to client systems via its internal network and clients were advised to reset passwords that Tyler staff would use to access customer versions of its software.

 

Tyler clients include more than 100 local governments across the US, including police and emergency dispatch and displaying (but not tabulating) election results. This is the second Texas based target for RansomExx, having targeted Texas Department of Transportation in June.

 

Impact Statement/Analysis:

While the RansomExx so far has operated by actors interested in profit, this attack creates the possibility for civil disruption. The suspicious logins may be an indication that the attackers have exfiltrated data from Tyler, a feature not seen in previous attacks.

 

With the backdoor password access, hostile actors could create short term disruption by affecting emergency dispatch; especially in areas with ongoing protests and civil unrest. Of larger concern, this could be used as part of a campaign to disrupt displaying election results. While Tyler’s software isn’t used to count the vote, a disruption to the display of the results could be used as part of a larger campaign to cast doubt on the results by a foreign adversary.

 

Comments:

The E-ISAC will continue to monitor this situation and provide relevant updates when necessary.  If you have any questions or comments, please reach out to us at operations@eisac.com or at 202-790-6000.

Category Type:
Cyber Security
TLP - White
Shared Count (15)
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DHS - NICC, NCCIC, US-CERT, etc
  • DNG-ISAC
  • DOE Complex
  • E-ISAC AOO Members
  • E-ISAC Staff
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • FS-ISAC
  • International (other ISACs, CERTs)
  • MS-ISAC
  • Other (inc. local/state commissions)
  • Trade Organizations
  • Watch Floor
Change History
  • Watch Floor, 09/27/2020