Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client
One of our readers, a Tyler Technologies customer, reported to us that this morning he found the Bomgar client[1] (now BeyondTrust Remote Support) installed on one of his servers, without having installed it himself. There is an ongoing discussion on Reddit with the same kind of reports[2].
On September 23rd, Brian Krebs posted an article about an attack against Tyler Technologies[3]. Yesterday, the post was updated with the following communication from Tyler Technologies:
We apologize for the late-night communications, but we wanted to pass along important information as soon as possible. We recently learned that two clients have reported suspicious logins to their systems using Tyler credentials. Although we are not aware of any malicious activity on client systems and we have not been able to investigate or determine the details regarding these logins, we wanted to let you know immediately so that you can take action to protect your systems.
If you are also one of their customers, it is worth checking your systems for remote-access tools you did not expect (Bomgar/BeyondTrust jump clients in particular) and for recent remote logins with vendor accounts. Keep in mind that a client installed by the vendor for legitimate support looks exactly like one installed by an attacker holding the vendor's credentials: the useful signal is whether the installation and the logins match a support request or change you actually approved.
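The following PowerShell script is an added example, not code from the diary or from Tyler Technologies or BeyondTrust. It sweeps a Windows server for the usual footprints of a remote-support client (installed-software registry keys, services, processes, scheduled tasks) and lists recent network and RDP logons (event 4624, logon types 3 and 10) so they can be compared against approved vendor activity. The name patterns ("bomgar", "beyondtrust") and the optional $SuspectAccounts list are assumptions; adjust them to the product names and vendor accounts used in your environment. Run it in an elevated session.

```powershell
# Added example (not from the ISC diary): sweep a Windows server for a
# BeyondTrust/Bomgar remote-support client and for recent remote logons.
# The name patterns and $SuspectAccounts are assumptions to be adapted.
param(
    [string[]] $NamePatterns    = @('bomgar', 'beyondtrust'),  # assumed product-name patterns
    [string[]] $SuspectAccounts = @(),                         # assumed vendor account names, e.g. 'tylersupport'
    [int]      $Days            = 14                           # look-back window for logon events
)

# One case-insensitive regex built from the patterns (-match is case-insensitive by default)
$regex = ($NamePatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed software: read the Uninstall keys (64-bit and 32-bit views) rather than
#    Win32_Product, which is slow and triggers MSI reconfiguration on every query.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $regex } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString

# 2. Services: a jump client stays resident, so it normally registers a service.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $regex -or $_.DisplayName -match $regex -or $_.PathName -match $regex } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 3. Running processes, via CIM so that the command line is visible and protected
#    processes do not throw access errors.
$processes = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $regex -or $_.ExecutablePath -match $regex -or $_.CommandLine -match $regex } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

# 4. Scheduled tasks that launch a matching binary.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskName -match $regex -or (($_.Actions.Execute) -join ' ') -match $regex } |
    Select-Object TaskName, TaskPath, State

# 5. Successful logons (4624) of type 3 (network) or 10 (RemoteInteractive/RDP)
#    in the look-back window, optionally restricted to the suspect accounts.
$since  = (Get-Date).AddDays(-$Days)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; turn it into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    } |
    Where-Object {
        $_.LogonType -in @('3', '10') -and
        ($SuspectAccounts.Count -eq 0 -or $SuspectAccounts -contains $_.Account)
    }

"== Installed software matching '$regex' ==";  $installed | Format-Table -AutoSize
"== Services ==";                               $services  | Format-Table -AutoSize
"== Processes ==";                              $processes | Format-Table -AutoSize
"== Scheduled tasks ==";                        $tasks     | Format-Table -AutoSize
"== Network/RDP logons since $since ==";        $logons | Sort-Object Time -Descending | Format-Table -AutoSize
```

Anything the script reports is a lead, not a verdict: cross-check each hit against your change records and support tickets, and if a client or a logon cannot be tied to approved vendor work, treat the host as potentially compromised rather than simply uninstalling the tool.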
[1] https://www.beyondtrust.com/remote-support/features/jump-clients-remote-access
[2] https://www.reddit.com/r/k12sysadmin/comments/iyw2ve/tyler_technologies_ransomware_attack/
[3] https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
Comments
Anonymous, Sep 28th 2020
1. are aware of this
2. really remove/disable the client
I presume that's why they asked their customers to reset passwords linked to remote access.
Anonymous, Sep 28th 2020
I don't say this is bad to have a remote access tool used by a contractor. These are part of the toolbox to perform the tasks they are paid for. But customers must remain aware that such tools are installed and available. Some questions to ask yourself:
- who can use these tools?
- do they have 24x7 access or it's enabled "on demand"?
- why do they connect? (keep a log of access and reasons)
Anonymous, Sep 29th 2020
Edit: I see other reports that Azure anomalies might be the culprit... carry on.