Cellebrite got into Trump shooter's Samsung device in just 40 minutes


Infosec in brief Unable to access the Samsung smartphone of the deceased Trump shooter for clues, the FBI turned to a familiar – if controversial – source to achieve its goal: digital forensics tools vendor Cellebrite.

Cellebrite has been used for years by law enforcement to break into locked smartphones. In this case the shooter's device was a newer model, rendering the FBI's existing Cellebrite systems useless. Undeterred, law enforcement called Cellebrite's support team, and the vendor quickly delivered an updated version of its software.

The unreleased software, Bloomberg reported citing people familiar with the matter, cracked the phone within 40 minutes.

Cracking of devices in this way isn't welcomed by manufacturers, who have long opposed government and law enforcement's desire to weaken encryption on devices. Apple famously faced off against the US Attorney General in early 2020, refusing to allow the FBI access to a mass shooter's device because it would require Apple to develop a backdoor that would inevitably find its way into the darker corners of the internet.

"We have always maintained there is no such thing as a backdoor just for the good guys," Apple said in 2020.

With cooperation refused by smartphone-makers, Cellebrite relies on zero-days and undiscovered vulnerabilities in devices to break through systems without vendor permission.

But according to recently-leaked internal documents from Cellebrite, Apple users might not have that much to worry about – many newer iPhones and versions of iOS remain inaccessible to the cracker’s tools.

404 Media reported it had obtained internal Cellebrite documents from April 2024 indicating that the biz was (as of April, at least) unable to access any Apple device running iOS 17.4 or later, and most devices running iOS 17.1 to 17.3.1 – with the exception of the iPhone XR and 11.

Most Android devices aside from some Google Pixel models are vulnerable, however.

It's not clear which particular model the Trump shooter owned but, given that pre-release Cellebrite software could crack it, it's safe to assume this privacy arms race is ongoing.

Critical vulnerabilities of the week: Oracle update time

It might be a week off from the regular Patch Tuesday cadence, but Oracle leads the vulnerability news this week with a July security advisory containing 386 new security patches.

Of those, around 90 earned a CVSS score above 8.0, so best get those Oracle updates installed ASAP.

Along with the usual bevy of industrial control system advisories, there were a few critical vulnerabilities spotted under active exploit this week, too:

CVSS 9.8 – CVE-2024-34102: Certain versions of Adobe Commerce improperly restrict XML external entity references, allowing for arbitrary code execution without user interaction.

CVSS 9.8 – CVE-2024-36401: Some versions of OSGeo's GeoServer allow for multiple OGC requests, which could lead to RCE from unauthenticated users.

CVSS 6.5 – CVE-2022-22948: VMware vCenter Server has incorrect default file permissions, allowing a non-administrative user to gain access to sensitive information.

Russia's less-capable hackers get sanctioned

The US government has sanctioned a pair of cyber criminals associated with the so-called "Cyber Army of Russia" (CARR).

Yulia Vladimirovna Pankratova and Denis Olegovich Degtyarenko have been accused of being the ringleader and primary hacker, respectively, of the CARR crew, which the State Department alleged has broken into several critical infrastructure systems in the US since 2022.

While the pair and CARR have had some success, they’re not rated a serious threat or Moscow’s top operatives.

"Despite CARR briefly gaining control of … industrial control systems, instances of major damage to victims have thus far been avoided due to CARR's lack of technical sophistication," the Treasury department continued, casting subtle shade.

Senators demand answers from Snowflake

Analytics vendor Snowflake has officially been put on notice by Congress, with a pair of Senators writing a letter [PDF] to the firm last week asking it to explain how such an easily preventable security disaster was allowed to happen.

"Disturbingly, the Ticketmaster and AT&T breaches appear to have been easily preventable," the pair wrote, pointing to the fact that access to compromised Snowflake accounts was largely due to stolen and reused passwords and failure to use multifactor authentication.

"The recent AT&T disclosure – three months after the breach and following other announced breaches – raises concerns that we still do not know the full scope or impact of the campaign targeting Snowflake customers," the Senators asserted, giving Snowflake until July 29 to provide an explanation.

COVID test record database found exposed online

Security researcher Jeremiah Fowler, who has made a habit of finding unsecured and sensitive data online, has found some more – this time nearly 150,000 records totaling 12GB containing COVID screening results.

The records – all of which reportedly belong to on-site medical staffing firm InHouse Physicians – include COVID-19 screening results from conferences and other events. The test result records also contain names and phone numbers, which Fowler said he was able to use to "easily obtain further identification details" on the individuals in the database.

InHouse Physicians shut down access to the database after Fowler reported it. It’s not clear if it had already been accessed by someone with more malicious intent.

New APT41 campaign discovered

Google threat hunters have spotted a new sustained campaign being run by Chinese threat actor APT41 – aka Barium, Wicked Panda, etc. – targeting shipping and logistics companies around the world.

The ultimate goal of the attacks appears to be gaining persistence and establishing a connection with APT41-controlled infrastructure for the exfiltration of sensitive data. Mandiant reported it has seen the attackers using SQLULDR2 to snag data from Oracle databases, and PINEGROVE to swipe large volumes of data from compromised networks for exfiltration to OneDrive.

Mandiant included indicators of compromise in its report. You know what to do with those. ®