SANS ISC InfoSec Forums

Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client

One of our readers, a Tyler Technologies customer, reported to us that he found the Bomgar client[1] (BeyondTrust) installed on one of his servers this morning. There is an ongoing discussion on Reddit with the same kind of reports[2].

On September 23rd, Brian Krebs posted an article about an attack against Tyler Technologies[3]. Yesterday, the post was updated with the following communication from Tyler Technologies:

We apologize for the late-night communications, but we wanted to pass along important information as soon as possible. We recently learned that two clients have reported suspicious logins to their systems using Tyler credentials. Although we are not aware of any malicious activity on client systems and we have not been able to investigate or determine the details regarding these logins, we wanted to let you know immediately so that you can take action to protect your systems.

If you're also one of their customers, it is worth reviewing your servers for remote-access tools you did not expect and for suspicious remote logins.
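One way to run that check on a Windows server, as an added example that is not part of this diary nor of BeyondTrust's own tooling: the snippet below lists services whose name, display name or binary path matches a Bomgar/BeyondTrust pattern (an assumption; adjust it to what you actually see on your systems), shows their state and start mode, and reports any established TCP connection held by the service process, i.e. a client that is "calling home" right now.

```powershell
# Added example, not from the ISC diary: inventory Bomgar / BeyondTrust
# remote-support services on a Windows server and show whether any of them
# currently holds an outbound connection.
# The name pattern is an assumption; adjust it to the service names you see.
$pattern = 'bomgar|beyondtrust|jump client'

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName) -match $pattern }

if (-not $services) {
    Write-Output "No service matching '$pattern' found."
    return
}

foreach ($svc in $services) {
    Write-Output ("Service: {0} ({1})" -f $svc.DisplayName, $svc.Name)
    Write-Output ("  State: {0}  StartMode: {1}" -f $svc.State, $svc.StartMode)
    Write-Output ("  Binary: {0}" -f $svc.PathName)

    # A running service with an established TCP session is "calling home".
    if ($svc.State -eq 'Running' -and $svc.ProcessId -gt 0) {
        $conns = Get-NetTCPConnection -OwningProcess $svc.ProcessId `
            -State Established -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            Write-Output ("  Established: {0}:{1} -> {2}:{3}" -f `
                $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort)
        }
        if (-not $conns) { Write-Output "  No established connection at the moment." }
    }
}
```

A service that is present but stopped, or set to start automatically, still deserves a ticket: the point raised in the comments below is that the client is often left installed after a support session and only disabled if the customer does it.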

[1] https://www.beyondtrust.com/remote-support/features/jump-clients-remote-access
[2] https://www.reddit.com/r/k12sysadmin/comments/iyw2ve/tyler_technologies_ransomware_attack/
[3] https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

Xme
ISC Handler
Sep 28th 2020
We are a Tyler customer. Sometimes their techs will install the Bomgar jump client on your servers when they are troubleshooting issues. They don't remove it; it is left to the local entity to remove it, or at least disable the service until it is needed again.
Jared
Thank you for sharing this. I'd say that "it is left to the local entity to remove it or at least disabled it" is not very secure. I'm curious about how many customers:
1. are aware of this
2. really remove/disable the client
I presume that's why they asked their customers to reset passwords linked to remote access.
Xme
ISC Handler
I have reporting in our IDS specifically for "remote clients". I can see when they are left on and calling home. I will also call users when I see an alert to make sure they are actively in a troubleshooting session with the vendor. A lot of vendors, especially in the local government sector, expect customers to install these clients and leave them on. They are truly offended when you tell them no; same on the SCADA side of things.
Jared
Quoting Jared: I have reporting in our IDS specifically for "remote clients". I can see when they are left on and calling home. Also will call users when I see an alert to make sure they are actively in a troubleshooting session with the vendor. A lot of vendors, especially in the local government sector expect customers to install these clients and leave them on. They are truly offended when you tell them no, same on the SCADA side of things.

I'm not saying it is bad to have a remote access tool used by a contractor. These are part of the toolbox to perform the tasks they are paid for. But customers must remain aware that such tools are installed and available. Some questions to ask yourself:
- who can use these tools?
- do they have 24x7 access, or is it enabled "on demand"?
- why do they connect? (keep a log of access and reasons)
Xme
ISC Handler
Something to ask Tyler if you are a customer: was the BeyondTrust system secured with multifactor authentication? (It natively supports rotating OTP codes; you just have to switch it on.)
Anonymous
Any linkage to the E911 system failures which occurred briefly today?
Edit: I see other reports that Azure anomalies might be the culprit... carry on.
Taxmanhog
