Texas-based software giant Tyler Technologies has warned clients that they should update their support passwords connected with remote-access accounts, following reports of suspicious login activity.

The largest software provider for the US public sector, with clients including the US government, Tyler Technologies recently reported that it had been struck by an attack using crypto ransomware. The assault on the company was executed using the well-documented operation known as RansomExx/Defray777, which not only disrupted the software provider’s operations but effectively encrypted its devices.

Suspicious login activity identified

To create a dedicated channel for remote support, clients of Tyler Technologies can set up specific accounts for the software provider’s staff to use. These support accounts give Tyler staff authorised remote access to the client’s network so they can assist.

In a recent email issued to customers, Tyler Technologies Chief Information Officer (CIO) Matt Bieri warned that credentials used to access accounts remotely had been used in suspicious logins. The communication from the CIO read:

“We apologise for the late-night communication, but we wanted to pass along important information as soon as possible. We recently learned that two clients have reported suspicious logins to their systems using Tyler credentials. Although we are not aware of any malicious activity on client systems and we have not been able to investigate or determine the details regarding these logins, we wanted to let you know immediately so that you can take action to protect your systems.”

Protection from ransomware risks

It is unclear whether the suspicious activity reported relates in any way to the recently revealed ransomware attack against the software provider, but to safeguard their interests, clients have been advised by Tyler Technologies to change their account passwords immediately as a precaution. As CIO, Bieri has also asked any clients who come across logins that appear suspect to report them at once to Tyler Technologies.

When ransomware attacks are carried out by human operators, the attackers can be present on a company’s network for several weeks before launching their encryption tools. During this reconnaissance period, ransomware groups will move through the wider network, spreading outward and using tools such as Mimikatz to acquire user account credentials.

As they spread across an enterprise’s network, they will often scour and view many of the target’s files that are unencrypted and open to view. The data is then evaluated, with threat operators ranking its confidentiality and its usefulness as leverage that may force a company to pay the requested ransom.

Among such information, intruders such as ransomware groups may discover spreadsheets containing customer account credentials, as well as saved credentials such as logins within VPN clients, both of which may allow them to access a client’s company network. If the operators who attacked Tyler Technologies accessed credentials during the network breach, they could then exploit this information to hit the software provider’s customers.