Amnesty International has reported that a zero-day exploit sold by the exploit vendor Cellebrite was used to compromise the mobile phone of a Serbian student known for his critical stance toward the Serbian government. This revelation sheds light on the ongoing use of spyware by governmental authorities in Serbia as part of a broader strategy of surveillance and intimidation against civil society.
The human rights organization had previously highlighted concerns regarding the Serbian government’s extensive use of spyware in December, alleging it formed part of a concerted effort to exert control and suppress dissent. At that time, Amnesty accused the government of employing exploits from both Cellebrite and NSO Group, another controversial vendor in this arena. Subsequently, Cellebrite announced that it had paused sales to certain clients in Serbia in response to these allegations.
In its latest findings, Amnesty International presented evidence that Cellebrite sold an advanced attack chain capable of bypassing the lock screen on fully updated Android devices, and that this exploit was used against a Serbian student critical of government actions. The attack chained a series of vulnerabilities in the Linux kernel device drivers that handle USB hardware.
The new evidence underscores that the Serbian authorities have persisted with their surveillance of civil society despite growing domestic and international calls for reform. Amnesty International emphasizes that this pattern of behavior has continued even after its earlier reports and inquiries into the misuse of surveillance technologies were made public.
Amnesty’s investigators first encountered elements of the attack chain while examining an unrelated incident that involved a similar Android lock screen bypass. The ongoing developments indicate a worrying trend in cyber surveillance tactics used against individuals challenging governmental authority.
From a cybersecurity perspective, this incident may map to several techniques described in the MITRE ATT&CK framework: initial access through exploitation of external services, persistence by maintaining a foothold on the compromised device, and privilege escalation by exploiting known vulnerabilities in device drivers.
The broader implication of these findings is that organizations need to stay vigilant about the evolving threat landscape, particularly exploits that target newly discovered vulnerabilities in widely used software and hardware platforms. When governments deploy sophisticated exploit technology against their own citizens, the same techniques also raise the risk of collateral damage to the data security of commercial enterprises.