Cyber Week in Review: November 19, 2021

FBI website compromised and used to send hoax email to thousands 

The FBI website was exploited over the weekend and used to send a hoax email to tens of thousands of email addresses. The exploit likely originated from a coding oversight in the FBI’s Law Enforcement Enterprise Portal (LEEP), which the FBI uses to share resources with those who sign up with the service. In an interview with Krebs on Security, the individual who claimed responsibility, who uses the alias pompompurin, outlined how they were able to make use of the coding flaws in the LEEP portal, which they described as, “a horrible thing to [see] on any website.” The FBI has since clarified that while pompompurin was able to send an email through the FBI system, they were not able to compromise any FBI data or access the FBI’s servers. 

United States tightens restrictions on Huawei and ZTE 

President Joe Biden signed the Secure Equipment Act of 2021 into law earlier this week in an additional defeat for Chinese technology giants ZTE and Huawei. The bill closes a loophole in U.S. sanctions against Chinese network service providers from selling equipment in the United States. The bill mandates that the Federal Communications Commission (FCC) must revoke the equipment authorizations for both Huawei and ZTE preventing them from selling equipment in the United States, whereas before they were only prohibited from providing equipment in federally-funded projects. The FCC has already authorized a $1.9 billion program to remove and replace equipment from Huawei and ZTE across the United States. China has been critical of the crackdown, but the bill was immensely popular in both the Senate and House, where it passed unanimously and by a 420-4 vote, respectively. 

Cyberspace Administration of China (CAC) draft subjects Hong Kong IPOs to cybersecurity review 

On November 14, the Cyberspace Administration of China (CAC) issued a draft of new cyber data security rules governing how companies process, store, secure, and transfer data abroad. Notably, Beijing will for the first time subject companies listing in Hong Kong to mandatory cybersecurity review if they “handle data that concerns national security.” The draft also imposes regulatory requirements on firms with over 100 million daily active users, as well as firms pursuing overseas expansion. Open for public comment until December 13, the CAC’s draft, along with the Data Security Law and Personal Information Protection Law, illustrate a pattern of increasingly restrictive data governance in China. 

Israel and United States announce joint task force on cybersecurity 

The United States and Israel announced a joint task force focused on ransomware on November 15. The task force comes after a series of meetings between high level officials in the U.S. Treasury Department and their Israeli counterparts. The task force will facilitate a series of expert technical exchanges between the two countries and could lead to large-scale exercises centered around the global financial system. Both Israel and the United States are dealing with the rising threat of Iranian malware, and the United States has recently detected an Iranian ransomware campaign directed against its critical infrastructure. This joint task force will likely facilitate closer ties between two nations who already collaborate extensively on cybersecurity. 

Facebook/Meta sued by Ohio Attorney General and pension fund for securities fraud  

Meta, formerly known as Facebook, saw its public relations crisis worsen this week, as Ohio Attorney General Dave Yost filed a lawsuit on behalf of the Ohio Public Employees Retirement System (OPERS). The lawsuit contends that Meta violated federal securities laws by "purposely misleading the public about the negative effects its products have on the health and well-being of children.” Facebook whistleblower Francis Haugen testified in early October that Meta knew of the negative impacts of its platforms, especially Instagram, had on the mental health of teenage girls, but omitted those conclusions from public statements. The lawsuit alleges that Meta’s failure to disclose its internal research into the negative impacts its platforms have on teen’s mental health led Meta’s stock to decline by $54.08 per share, causing significant losses for investors. The lawsuit seeks more than $100 billion in damages from Meta and would also require significant changes to reporting practices at Meta.