InfoSecBulletin Cybersecurity for mankind
Amnesty International’s Security Lab discovered a cyber-espionage campaign in Serbia, where officials used a zero-day exploit from Cellebrite to unlock a student activist’s Android phone.
On December 25, 2024, an attack used flaws in Linux kernel USB drivers to bypass the lock screen on a Samsung Galaxy A32.
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
Forensic analysis showed that vulnerabilities in an outdated USB driver were exploited to gain root access, allowing data theft and attempts to install surveillance software. This incident highlights the misuse of digital forensics tools on civil society and reveals significant weaknesses in Android’s defenses against physical attacks.
Exploit Chain Targets, USB Driver:
The attack used a complex series of fake USB devices to exploit memory corruption issues in the Linux kernel. Forensic logs reveal that authorities connected several harmful devices using Cellebrite’s Turbo Link adapter, including:
A Chicony CNF7129 UVC Webcam (VID:0x04f2) exploiting CVE-2024-53104, an out-of-bounds write in the USB Video Class driver’s frame-rate restriction quirk.
A Creative Extigy SoundBlaster (VID:0x041e) leveraging CVE-2024-53197, which allowed descriptor corruption during ALSA sound card initialization.
An Anton Touch Pad (VID:0x1130) exploiting CVE-2024-50302 to leak uninitialized kernel memory via HID reports.
These vulnerabilities, fixed in Linux kernel versions 6.6 and in the February 2025 Android Security Bulletin, originated from code written between 2010 and 2013.
Attackers exploited vulnerabilities to gain higher privileges, as kernel logs indicate root shell access occurred just 10 seconds after connecting the last USB HID device.
A 23-year-old student named “Vedran” was detained by plainclothes officers during protests against Serbia’s ruling party in December 2024. Device logs support his claims.
Post-exploitation activity included file system enumeration using find/grep and deployment of Cellebrite’s “falcon” binary for advanced data extraction. While the target APK installation failed due to a biometric lockout, the breach exposed call logs, messages, and protest coordination details.
Google’s Threat Analysis Group worked with Amnesty to address three CVEs, resulting in patches. However, more than 40% of Android devices were still unpatched as of March 2025 because of uneven vendor update cycles. On February 25, 2025, Cellebrite suspended its Serbian clients, stating:
“We found it appropriate to stop use of our products by relevant customers… Our compliance program ensures ethical, lawful use.”
Critics say the measure is not transparent because Cellebrite hasn’t revealed how long its suspension will last or the human rights protections for reinstatement. The company’s Premium UFED toolkit is still in use in 78 countries, despite reports of abuse in 12 states since 2022.
