Tyler Technologies Says Customers Reported Suspicious Logins

Tyler Technologies, a major provider of software and services for state and local governments in the United States, has advised customers to reset remote network access passwords after a couple of customers reported suspicious logins.

Tyler recently launched an investigation after its internal corporate network was hit by ransomware. It’s currently unclear if the suspicious logins are related to the recent ransomware incident, but as a precaution the company has advised clients who haven’t already done so to reset the passwords that Tyler staff use to remotely access their network and applications.

“We recently learned that two clients have reported suspicious logins to their systems using Tyler credentials. Although we are not aware of any malicious activity on client systems and we have not been able to investigate or determine the details regarding these logins, we wanted to let you know immediately so that you can take action to protect your systems,” Matt Bieri, the CIO of Tyler Technologies, told customers.

“Although we do not have enough information to know whether this evening’s reports of suspicious activity are related to the ongoing investigation of unauthorized access to Tyler’s internal systems, we believe precautionary password resets should be implemented,” he added.

In updates posted on its website over the weekend, Tyler said it became aware of unauthorized access to some of its internal systems, including phone and IT systems, early in the morning of September 23. Some systems were shut down and an investigation was launched.

The company has confirmed being targeted with a piece of ransomware — it was the RansomExx ransomware according to some reports — but it’s not sharing additional technical information due to its ongoing investigation. An investigation is also being conducted by law enforcement.

The operators of the RansomExx ransomware are not known to steal data from targeted organizations, and Tyler says it has found no evidence that the environment hosting customer systems, which is separate from the corporate network, was also impacted.

Tyler has also responded to reports that some customers were unable to make court and utility payments due to the incident. The firm claims it has reviewed logs and found no evidence of disruption to payment services.

Some have also raised concerns about the election-related services the company provides to governments, and about the potential impact of this incident on elections. However, Tyler pointed out that it does not make actual election software. Its Socrata open data platform can be used to post election results, promote campaign finance transparency, or post information on polling, but in reality very few use it for this purpose.

“Tyler's Socrata product is a SaaS data platform that is hosted offsite on AWS (Amazon Web Services), not on Tyler's internal network that was impacted. We have never had a report that a bad actor has used our Socrata platform to display incorrect or misleading election results, polling locations, campaign finance information, or other civic data,” Tyler said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.