IBM Kernel-Based Vulnerability Discovered (Dec 21, 2018)
Researchers from Trustwave found a kernel-level vulnerability in the driver shipped with IBM's "Trusteer Rapport" for macOS. Trusteer Rapport is an endpoint protection product designed to protect users against financial malware and phishing attacks. The vulnerability could allow privilege escalation on the local device, letting a threat actor who already has access to the machine disable Trusteer completely. According to Trustwave, IBM did not produce a patch within the 90-day disclosure window, nor within the additional 30 days Trustwave granted before publishing the details. The root cause is a signedness bug in the driver.
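To show the bug class the advisory names, the following is an added, generic illustration of a signedness bug in a driver-style length check; it is constructed for this page and is not the Trusteer Rapport code, nor does it reflect how that driver is written. The request structure, the `handle_vulnerable` and `handle_hardened` functions and the constructed request values are all hypothetical. A caller-controlled length is declared signed, compared as a signed value and then converted to `size_t` for the copy, so a negative length slips past the upper-bound check and becomes a huge copy size; the hardened form rejects negative values before the conversion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size kernel-side buffer (plain int so the compare below
 * stays a signed comparison, which is what makes the bug reachable). */
#define KBUF_SIZE 64

/* Constructed request shape: the caller controls both fields. */
struct ioctl_req {
    int32_t len;          /* declared signed: the root of the problem */
    const uint8_t *data;  /* source to copy from */
};

enum req_status { REQ_OK = 0, REQ_EINVAL = 1 };

/* Vulnerable pattern: only an upper bound is checked, and it is checked as a
 * signed comparison. len = -1 satisfies "-1 > 64 is false", so the check
 * passes; the subsequent cast to size_t turns -1 into SIZE_MAX. A real driver
 * would then call memcpy() with that size and corrupt kernel memory. */
enum req_status handle_vulnerable(const struct ioctl_req *req, size_t *copy_len)
{
    if (req->len > KBUF_SIZE)
        return REQ_EINVAL;
    *copy_len = (size_t)req->len;   /* -1 -> SIZE_MAX */
    return REQ_OK;
}

/* Hardened pattern: reject negative lengths before any conversion, then bound
 * the unsigned value against the destination size. */
enum req_status handle_hardened(const struct ioctl_req *req, size_t *copy_len)
{
    if (req->len < 0 || (size_t)req->len > (size_t)KBUF_SIZE)
        return REQ_EINVAL;
    *copy_len = (size_t)req->len;
    return REQ_OK;
}

static uint8_t kbuf[KBUF_SIZE];

/* Performs the copy only after the hardened check; returns bytes copied,
 * 0 if the request was rejected. */
size_t hardened_copy(const struct ioctl_req *req)
{
    size_t n;
    if (handle_hardened(req, &n) != REQ_OK)
        return 0;
    memcpy(kbuf, req->data, n);
    return n;
}

int main(void)
{
    size_t n = 0;
    uint8_t payload[16] = {0x41};
    struct ioctl_req negative = { -1, payload };   /* constructed hostile request */
    struct ioctl_req normal   = { 16, payload };   /* constructed benign request */

    if (handle_vulnerable(&negative, &n) == REQ_OK)
        printf("vulnerable check accepted len=-1, would memcpy %zu bytes\n", n);
    if (handle_hardened(&negative, &n) == REQ_EINVAL)
        printf("hardened check rejected len=-1\n");
    printf("hardened copy of benign request: %zu bytes\n", hardened_copy(&normal));
    return 0;
}
```

The practitioner's check when auditing such code is to look for every caller-controlled length that is declared `int`, find the comparison that is supposed to bound it, and confirm that both the lower bound and the type of the comparison are what the author assumed; the fix is a lower-bound check or an unsigned length type, not a larger buffer.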
Recommendation: While no patch is available, several measures reduce exposure. Exploitation requires local access, so ensure that only authorized users can log on to affected systems. Maintain basic cyber security hygiene across the organization: use strong passwords that are not easily guessable, and replace default administrative passwords, which are typically weak. Keep firewalls and antivirus software up to date so that breaches or threats are detected as early as possible and their consequences limited. Educate employees on the dangers of phishing emails and websites, and teach them how to recognise malicious messages. Encrypt sensitive data at rest and in transit to limit the damage from a potential breach.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.