Binary Check Ad Blocker Security News

As one of the largest information technology service providers to local governments, the cyber-attack on Tyler Technologies (Tyler) in Plano, Texas is a sobering reminder of how a cyber-attack on a third-party vendor can put government data at risk.

According to reports, Tyler may have been the victim of a ransomware attack that disrupted its internal network and telephone systems. Its corporate website was deactivated and the company was working on getting it back online. Tyler sent a message to its clients indicating that it “has no reason to believe that any client data, client servers, or hosted systems were affected” and that it is working with forensic investigators and law enforcement to investigate the incident.

The company provides software to local governments for enterprise resource planning, scheduling court hearings, collecting fines, payment of bills, managing open-data programs and sharing election data.

Security experts are recommending that any customers of Tyler complete a hard reset of passwords that Tyler technicians use to access their systems.

Keyboard to the internet

Tyler Technologies, the U.S.’s largest provider of software and services to the public sector said on Wednesday that it was hacked by unknown assailants, who gained “unauthorized access” to the company’s IT and phone systems.

Tyler, which sells software that supports a wide range of public sector functions such as permitting, inspections, 311 systems and utility billing said that it has hired independent IT experts to investigate the incident. The company’s MUNIS ERP (enterprise resource planning) technology is widely used by local governments across the U.S.

“We are treating this matter with the highest priority and working with independent IT experts to conduct a thorough investigation and response,” wrote Matt Bieri, the company’s Chief Information Officer in an email obtained by The Security Ledger. Tyler is also working with law enforcement.

The company’s web page displayed a message saying it was “temporarily unavailable” Wednesday evening.

In the email message to customers, Bieri said that the company discovered the intrusion Wednesday morning after the intruder “disrupted access to some of our internal systems” – a possible reference to ransomware.

Bieri told customers the intrusion was “limited to our internal network and phone systems” and that the company has “no reason to believe that any client data, client servers, or hosted systems were affected.”

However, security experts said those assurances weren’t worth much. The average dwell time for adversaries on compromised networks was 56 days in 2019, according to data from the firm FireEye.

“If that amount of time goes by, there’s plenty of time to look around for passwords,” said Michael Hamilton, the CISO of CI Security and a former Vice-Chair for the DHS State, Local, Tribal and Territorial Government Coordinating Council.

Tyler Technologies displayed a message that its web page was unavailable Wednesday following a cyber attack.

Hamilton worries that Tyler’s deep connections to local governments could have provided sophisticated adversaries with credentials needed to get a foothold on municipal networks – a particularly worrying prospect with a national election just over a month away in the U.S. and heightened concerns about cyber attacks on elections systems designed to sow chaos.

Michael Hamilton is the CISO of CI Security

Hamilton said clients he has consulted with who use MUNIS have complained that it does not support multi-factor authentication, and that Tyler technicians have a habit of accessing customer systems for maintenance “when they feel its necessary” – a practice that might complicate efforts to establish whether there have been suspicious patterns of activity related to Tyler systems.

Municipalities that use MUNIS or other Tyler systems should do a force reset of any passwords as a precaution, Hamilton advises. Also, IT security teams should review access logs related to Tyler support accounts to look for suspicious behavior including unusual session times or logins from unusual locations. That’s especially true for municipalities who are at increased risk of election-related tampering.