Amnesty International’s Security Lab revealed a case in which Cellebrite’s forensic tools were misused to surveil a youth activist in Serbia. Subsequent investigations indicated that the Serbian authorities continue to use such tools for illegitimate surveillance of civil society despite international criticism. Further research highlighted zero-day vulnerabilities in Android USB drivers that, according to the report, potentially affect over a billion devices. Affected: Serbia, civil society, youth activists
Keypoints :
- Amnesty International’s Security Lab uncovered the misuse of Cellebrite’s technology on a youth activist’s phone in Serbia.
- The incident is part of a broader pattern of surveillance against civil society by Serbian authorities.
- In response, Cellebrite has suspended the use of its products by the relevant customers in Serbia.
- Evidence from the exploit indicates reliance on advanced zero-day vulnerabilities targeting Android USB drivers.
- The attack exposes a risk to a large number of Android devices, because the vulnerable USB driver code is common across the platform rather than specific to one model.
- Collaboration among security researchers and civil society led to the identification and patching of multiple vulnerabilities.
- Amnesty International continues to advocate for stronger legal protections against unlawful surveillance practices.
MITRE Techniques :
- Tactic: Initial Access – Technique ID: T1200 (Hardware Additions) – A Cellebrite extraction device was physically connected to the locked phone over USB; the attack requires possession of the device and uses the ordinary USB connection as its delivery channel. No network protocol is involved, so T1071 (Application Layer Protocol, a Command and Control technique) does not apply.
- Tactic: Execution / Privilege Escalation – Technique ID: T1203 (Exploitation for Client Execution) and T1068 (Exploitation for Privilege Escalation) – Zero-day vulnerabilities in Android USB drivers were exploited to gain code execution on the device and bypass the lock screen. This is local exploitation over USB, not remote code execution, and it does not rely on legitimate credentials, so T1078 (Valid Accounts) does not apply.
- Post-exploitation activity (no clean ATT&CK mapping is given on this page) – Unauthorized applications were reportedly installed, or attempted to be installed, on the device after exploitation.
- Tactic: Discovery – Technique ID: T1087 (Account Discovery) – Following exploitation, the extraction tool collected data about user accounts and device configuration.
Indicator of Compromise :
- None published. This report provides no network, file or e-mail indicators; the entries previously listed under this heading were generic placeholders (a private RFC 1918 address, example domains, and the MD5 of the string "hello") and must not be loaded into detection tooling.