How to find SysAid Help Desk instances

How to find SysAid Help Desk instances #

On the evening of November 8th Microsoft Threat Intelligence announced that they had discovered attacks by a ransomware gang against the SysAid Help Desk software using a zero-day exploit (CVE-2023-47246). These attacks leveraged a directory traversal vulnerability to upload a web shell and deliver the ransomware payload. SysAid has since published an advisory, complete with indicators of compromise, and made a patch available to customers. The Rapid7 blog has additional information about this issue.

What is SysAid Help Desk? #

SysAid provides IT help desk and ITSM software as both a cloud service and through an on-premise option.

Are updates available? #

SysAid Help Desk has released version 23.3.36 to address this issue.

How do I find potentially vulnerable versions of SysAid Help Desk with runZero? #

SysAid Help Desk services can be found by navigating to the Service Inventory and using the following query:

_asset.protocol:{http} AND protocol:{http} AND (_service.favicon.ico.image.md5:="5f30870725d650d7377a134c74f41cfd" OR last.html.title:"SysAid")

Results from the above query should be triaged to determine if they require patching or vendor intervention.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding SysAid Help Desk instances?

Get started