Our reporting this week highlighted the potential risks associated with the sale of sensitive geolocation data. The US Federal Trade Commission (FTC) filed a lawsuit against the US-based data broker Kochava for selling geolocation data collected from millions of mobile devices in what it perceives to be a mass surveillance campaign. Kochava provides clients with access to its customers’ locations via a USD 25,000 subscription to online data marketplaces, such as Amazon Web Services Marketplace, in addition to providing a free sample dataset. Its geolocation data can identify the physical location of Kochava mobile customers, including visits to reproductive health facilities, domestic violence shelters, and addiction services. This information could further expose individuals to risks of stalking, discrimination, loss of employment, and physical violence.

In addition to the individual impact, we have also observed that similar services have been abused by suspected nation-state affiliated entities to track political dissidents, members of opposition groups, activists, and other persons of interest, for cyber espionage purposes. In one instance, the Nexta Live mobile application was downloaded thousands of times and used to conduct covert data collection on anti-government Belarusian protesters. If it is upheld, we assess that the FTC’s lawsuit will deter other US-based data brokers from selling geolocation data. However, if it is dismissed, a lack of legal precedent may embolden similar private entities to sell geolocation data without fear of legal repercussions.

Key Vulnerabilities

  1. CVE-2022-3075
    A high severity zero-day vulnerability (CVSS: 8.9|OVSS: 26) caused by insufficient data validation in Mojo, Google Chrome’s inter- and intra-process communication system, which is being exploited in the wild. Chrome users are recommended to upgrade to version 105.0.5195.102 for Windows, macOS, and Linux.
  2. CVE-2022-29805
    A Java deserialization vulnerability (CVSS: 9.8|OVSS: 26) in the Fishbowl Server in Fishbowl Inventory affecting versions before 2022.4.1. If exploited, this vulnerability allows remote threat actors to execute arbitrary code via a crafted Extensible Markup Language (XML) payload.
  3. CVE-2022-36804
    A command injection vulnerability (CVSS: 8.8|OVSS: 9) in multiple API endpoints of Bitbucket Server and Data Center affecting versions released after 6.10.17 up to 8.3.0. If exploited, this vulnerability could allow an adversary with access to a public Bitbucket repository, or with read permissions to a private Bitbucket repository, to execute arbitrary code through HTTP requests. A proof-of-concept exploit for this vulnerability may be released soon, which would likely lead to in-the-wild exploitation.
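The three advisories above each describe an affected-version range in slightly different terms ("upgrade to", "before", "after ... up to"), and version strings compare incorrectly as plain text (for example "8.10.0" sorts below "8.3.0"). The script below is an added example, not tooling from Secrutiny or Orpheus, that turns the ranges stated on this page into checks against a constructed asset inventory; where the text leaves a boundary ambiguous, the inclusive/exclusive choice is an assumption noted in the code.

```python
"""Vulnerable-version triage for the three advisories above.

Added example, not Secrutiny's or Orpheus's own tooling. Version ranges are
taken from the advisory text; boundary inclusivity is an assumption where noted.
"""


def parse_version(v: str) -> tuple:
    # "105.0.5195.102" -> (105, 0, 5195, 102). Tuple comparison is numeric per
    # component, so "8.3.0" < "8.10.0" as intended (string compare gets this wrong).
    return tuple(int(part) for part in v.strip().split("."))


def chrome_affected(version: str) -> bool:
    # CVE-2022-3075: the advisory names 105.0.5195.102 as the fixed build,
    # so any older build is treated as affected.
    return parse_version(version) < parse_version("105.0.5195.102")


def fishbowl_affected(version: str) -> bool:
    # CVE-2022-29805: "versions before 2022.4.1" (exclusive upper bound).
    return parse_version(version) < parse_version("2022.4.1")


def bitbucket_affected(version: str) -> bool:
    # CVE-2022-36804: "released after 6.10.17 up to 8.3.0".
    # Assumption: lower bound exclusive, upper bound inclusive.
    v = parse_version(version)
    return parse_version("6.10.17") < v <= parse_version("8.3.0")


# Map each CVE on the page to the product name used in the inventory and its check.
ADVISORIES = {
    "CVE-2022-3075": ("Google Chrome", chrome_affected),
    "CVE-2022-29805": ("Fishbowl Inventory", fishbowl_affected),
    "CVE-2022-36804": ("Bitbucket Server/Data Center", bitbucket_affected),
}


def triage(inventory: dict) -> dict:
    """inventory maps product name -> installed version string.

    Returns {cve: installed_version} for every product in an affected range.
    Products missing from the inventory are skipped rather than guessed.
    """
    hits = {}
    for cve, (product, check) in ADVISORIES.items():
        installed = inventory.get(product)
        if installed is not None and check(installed):
            hits[cve] = installed
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real asset data.
    sample = {
        "Google Chrome": "104.0.5112.101",
        "Fishbowl Inventory": "2022.4.1",
        "Bitbucket Server/Data Center": "8.10.0",
    }
    for cve, installed in triage(sample).items():
        print(f"{cve}: installed {installed} is in the affected range")
```

In the constructed sample only the Chrome build is flagged: the Fishbowl build is the first fixed release, and Bitbucket 8.10.0 is above the 8.3.0 upper bound, which a string comparison would have misclassified.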

Key Intelligence Reports

  1. Montenegro subjected to alleged Russian cyber campaign
    The Prime Minister of Montenegro, Dritan Abazovic, has announced the country fell victim to a ‘major cyberattack’ that compromised the computer systems of several state bodies, including the finance ministry, on 26 Aug.
  2. Location data broker Kochava sued for selling sensitive geolocation data
    The US Federal Trade Commission (FTC) has filed a lawsuit against US-based location data broker Kochava for selling sensitive geolocation data (geo data) it collected from millions of mobile devices.
  3. Ragnar Locker ransomware claims compromise of TAP Air, Portugal’s flag airline carrier
    TAP claims that it mitigated the attack and has not identified evidence that Ragnar Locker operators successfully accessed any customer information stored on the targeted servers.

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, each CVE, building on the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.
