
Tyler Technologies and the Threat to Local Government

Michael K Hamilton

The CISO

Editor's Note: On Wednesday, September 30th, CI Security convened a panel of local government experts to discuss the Tyler Technologies breach and what security teams in the public sector should be doing now to mitigate the risks. You can watch the video hosted by CI Security's Mike Hamilton above. Read on for the full story about the breach.

 

A large technology service provider to local government in the United States has been hit by ransomware and every customer likely needs to take action.

Tyler Technologies provides a variety of on-premises, cloud, and hosted applications that facilitate government operations from law enforcement to finance.

From Tyler’s Website:

Tyler Technologies is in the process of responding to a security incident involving unauthorized access to our internal phone and information technology systems by an unknown third party. We are treating this matter with the highest priority and working with independent IT experts to conduct a thorough investigation and response.

Early in the morning on Wednesday, September 23, 2020, we became aware that an unauthorized intruder had disrupted access to some of our internal systems. Upon discovery and out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem. That same morning, we engaged outside IT security and forensics experts to conduct a detailed review and help us securely restore affected equipment. We have implemented targeted monitoring to supplement the monitoring systems we already had in place, and we have notified law enforcement.

We have confirmed that the malicious software the intruder used was ransomware. Because this is an active investigation, we will not provide any additional specifics relating to our incident response or our investigation at this time.

Scope of Outage and Client Impact

Based on the evidence available to date, all indications are that the impact of this incident was directed at our internal corporate network and phone systems. The environment where we host software for our clients is separate and segregated from our internal corporate environment.

Steps Our Clients Should Take

Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented.

Read more here: https://www.tylertech.com/

 

8 Security Actions for Tyler Tech Customers To Do Now

Breaking that down: Tyler Technologies says both that the attack targeted internal systems and that there is a possibility that criminals used credentials to get into customers' systems.

If you are a Tyler customer, then out of an abundance of caution there are eight priority action items you should complete right now:

  1. Lock out Tyler logins. Now.
  2. Determine at the firewall if any Tyler-specific rules are in place, and if they include ports 1433 (SQL Server) and/or 3389 (RDP).
  3. Especially if those ports are open, check application and database logs for unexplained data transmissions or activity on RDP.
  4. Focus monitoring on Tyler applications.
  5. Review MUNIS and Tyler Connect application logs for unexplained logins. If there have been unexplained connections or data transmissions, begin scanning systems with a product that is different from the one you’re using for endpoint protection now. If malware or control bots are lurking, you’ll need to find them quickly.
  6. If you suspect that unauthorized actors have accessed these systems or exfiltrated data, run a security detection tool on suspected systems. If the results are inconclusive, consider re-imaging.
  7. Suspicious log entries should be preserved and federal law enforcement contacted with findings. Try to preserve evidence using best practices in digital forensics, or hire an outside security firm with experts in computer forensics to assist in the investigation.
  8. Check with your organization to see if you’ve worked with Tyler on an upgrade. If so, you may have uploaded a database to the Tyler FTP site or other share location, and they may have had custody of your data during the ransom event. Check your records for proof of destruction/removal.

 All Tyler customers need to act now.
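For items 2 and 3, the following Python example (added here; it is not from the original article or from any Tyler or CI Security tooling) scans a firewall connection export for permitted sessions on ports 1433 and 3389 whose source is outside the ranges you expect, or whose outbound volume is unusually large. The CSV layout, the addresses, and the 100 MiB threshold are assumptions; adapt them to your own firewall's export format and documented vendor ranges.

```python
import csv
import io
import ipaddress

WATCHED_PORTS = {1433: "MSSQL", 3389: "RDP"}  # the two ports named in item 2

# Constructed sample of a firewall connection export; the column layout and all
# addresses (RFC 5737 documentation ranges) are assumptions, not vendor data.
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,action,bytes_out
2020-09-22T14:03:11Z,198.51.100.20,10.0.5.10,1433,allow,48211
2020-09-23T02:41:07Z,203.0.113.77,10.0.5.10,3389,allow,1290331
2020-09-23T02:58:40Z,198.51.100.20,10.0.5.10,1433,allow,734003200
2020-09-23T03:10:02Z,203.0.113.77,10.0.5.11,3389,deny,0
2020-09-23T09:15:00Z,10.0.9.4,10.0.5.10,443,allow,5120
"""


def flag_sessions(log_text, expected_sources, max_bytes_out=100 * 1024 * 1024):
    """Return (timestamp, src, service, reason) for sessions that need explaining."""
    expected = [ipaddress.ip_network(n) for n in expected_sources]
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dst_port"])
        if port not in WATCHED_PORTS or row["action"] != "allow":
            continue  # only permitted traffic on the watched ports matters here
        src = ipaddress.ip_address(row["src_ip"])
        reasons = []
        if not any(src in net for net in expected):
            reasons.append("source not in expected vendor ranges")
        if int(row["bytes_out"]) > max_bytes_out:
            reasons.append("outbound volume above threshold")
        if reasons:
            findings.append(
                (row["timestamp"], str(src), WATCHED_PORTS[port], "; ".join(reasons))
            )
    return findings


if __name__ == "__main__":
    # 198.51.100.0/24 stands in for the support ranges your own rules document.
    for finding in flag_sessions(SAMPLE_LOG, ["198.51.100.0/24"]):
        print(*finding, sep=" | ")
```

Keep the original export untouched alongside any findings so the flagged entries can be preserved as evidence, as item 7 advises.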

_________

Local Government Security Questions? We can help.

CI Security was founded with the mission to protect and defend the life-supporting and life-saving critical systems upon which our communities depend.

If you are a local government customer of Tyler Technologies, or you are a public sector official looking to get additional information on this breach as we head into the November elections, you can get in contact with Mike Hamilton and our team of security experts here.