In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.

Physical Security

Video Shows Another Violent Assault, Robbery at Washington Pot Shop

Police say two suspects carried out the armed robbery at another Puget Sound, Washington cannabis dispensary, striking a female worker in the video at least twice in the face with their gun. They then turned the weapon on the male in the footage, demanding that they open the safe. This is at least the 6th marijuana business robbery in the last week, part of a disturbing new spike in crime targeting these cash heavy businesses. Since November, Washington marijuana businesses are getting robbed at a rate of one every 2.5 days. The Washington State Liquor and Cannabis Control Board recently released a Retail Cannabis Safety Bulletin with safety considerations for dispensaries.

The Cannabis ISAO will be releases details on Monday, February 14 about an upcoming Virtual Town Hall which will bring together industry veterans along with local law enforcement to discuss security in the industry.

Additional reported dispensary robbery events this week include:

Marijuana Enforcement Division Releases Fraud Warning Flyer

Colorado’s Marijuana Enforcement Division has created this fraud warning flyer as a tool for owners and managers to use as a reminder to all employees about how to protect themselves from becoming a fraud target. While the MED covers Colorado businesses, the indicators of fraud that are identified in their June 2021 Industry Fraud Bulletin can be useful reminders to all in the industry.

Canadian Mayor Says Michigan Gov. Whitmer Offered Heavy Equipment to Move Trucks Off Bridge Blocked by ‘Freedom Convoy’

The Ambassador Bridge is a key border between the U.S. and Canada currently occupied by convoy truckers in protest of Canada’s COVID-19 mandates. The protest, called the Freedom Convoy, began in Ottawa and has since gone international. Whitmer released a statement Thursday morning urging Canada to “quickly resolve the ongoing Ambassador Bridge closure and its impacts on the Michigan’s economy, including key sectors like autos, agriculture, manufacturing, and more.” Windsor, Ontario’s Mayor Drew Dilkens has stated that “we can’t just let this lawlessness continue to happen” and is seeking an injunction to give police the authority to begin removing protestors. The bridge carries 25% of all trade between Canada and the United States.

In response to growing concern that a similar protest may be launched in the U.S., the Department of Homeland Security (DHS) has released an (U//FOUO) Public Safety Situational Awareness Notification related to a potential convoy, which we have shared in our free to join Cannabis ISAO Slack Workspace. More information about that notice can also see via this article on The Hill. The Notification acknowledges that while there has been widespread civil disruptions and nuisances and some “mischief to property”, the protests have been widely nonviolent.

According to investigative journalist Justin Ling, a conference call was held Thursday evening to finalize logistics of a Freedom Convoy from California to D.C. The plan is to travel down I-10, the southernmost cross-country highway in the U.S. until presumably heading up I-95 along the east coast towards D.C

Secret Service Arrests Home Depot Employee for Passing $387,500 in Counterfeit Currency

United States Secret Service (USSS) agents arrested Tempe Home Depot employee Adrian Jean Pineda for passing $387,500 in counterfeit U.S. currency. Pineda will appear in federal court in Phoenix for violation of 18 USC 472 – Uttering of Counterfeit U.S. Currency.  USSS agents from the Phoenix Field Office arrested Pineda at the Home Depot in Tempe. Pineda was a vault associate with Home Depot responsible for preparing cash from registers for bank deposits, a process that included counting cash and sealing cash bags for transfer and deposit to Wells Fargo Bank.  

Considering the amount of cash that cannabis businesses currently have to handle, monitoring stories like this are important for maintaining awareness of the threats that insiders can pose to our organizations. The National Association of Cannabis Businesses is expected to release their cash management standards soon, which will be a valuable document for all to review and consider any needed changes to their organizational cash management procedures.

ICYMI. CISA Active Shooter Preparedness Webinar Schedule

The Cybersecurity and Infrastructure Security Agency (CISA) invites you to join a two-hour security webinar to enhance awareness of and response to an active shooter event. Preparing employees for a potential active shooter incident is an integral component of an organization’s incident response planning. Because active shooter incidents are unpredictable and evolve quickly, preparing for and knowing what to do in an active shooter situation can be the difference between life and death. Every second counts. Upcoming sessions that still have open availability include:

  • Region 4- Tuesday 08 Feb.
  • Region 6- Tuesday 15 Feb.
  • Region 1- Wednesday 16 Feb.
  • Region 5- Thursday 17 Feb.
  • Region 2- Tuesday 01 Mar.
  • Region 2- Wednesday 02 Mar.
  • Region 3- Thursday 10 Mar.


2021 Trends Show Increased Globalized Threat of Ransomware

Cybersecurity authorities in the United States, Australia, and the United Kingdom assess that if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively the actors behind a ransomware incident.

The advisory titled “2021 Trends Show Increased Globalized Threat of Ransomware” outlines top trends seen across three nations including:  

  • Cybercriminals are increasingly gaining access to networks via phishing, stolen Remote Desktop Protocols (RDP) credentials or brute force, and exploiting software vulnerabilities. 
  • The market for ransomware became increasingly “professional” and there has been an increase in cybercriminal services-for-hire. 
  • More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks. 
  • Cybercriminal are diversifying their approaches extorting money. 
  • Ransomware groups are having an increasing impact thanks to approaches targeting the cloud, managed service providers, industrial processes and the software supply chain. 
  • Ransomware groups are increasingly targeting organizations on holidays and weekends. 

The advisory also includes a list of actions organizations can take to secure their environment with links to additional resources.

Internet Crime Complaint Center (IC3) – LockBit 2.0 Ransomware Indicators

LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits. This FBI FLASH report helps network defenders better detect the presence of these threat actors in their system.

Retailers’ Offboarding Procedures Leave Potential Risks

In a new survey from Beyond Identity, 53% of employee respondents admitted using their access to harm their former employers, and 74% of business leaders reported suffering damages from former employees exploiting their digital access. One of the greatest cybersecurity risks that retailers face is temporary workers leaving the company with intellectual property or consumers’ personally identifiable information, says Brian Wrozek, vice president of corporate security, risk and compliance management, and physical security at Optiv.

“For the retailer, you have the issues of privacy regulations. They may be forced to disclose that client information is out there [and] is no longer being protected,” Wrozek says. “You also have potential contractual liabilities, depending on the information that may be on those USB drives. They may have contracts with their suppliers or their partners, and they may be in breach of those contracts as well.”

We have previously blogged about the very real risk that insiders can have to our organizations. As important as proper onboarding procedures are to ensure employees conduct themselves in a safe way, offboarding can be equally important to ensure unauthorized access is not allowed into systems with business sensitive information.

Wave of MageCart Attacks Target Hundreds of Outdated E-Commerce Sites

Last week Sansec detected a mass breach of over 500 stores running the Magento 1 ecommerce platform.  All stores were victim of a payment skimmer loaded from the domain. Sansec invited victims to reach out so they could d find a common point of entry and protect other merchants against a potential new attack. The first investigation is now completed: attackers used a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store.

Sansec’s subsequent investigation unveiled that the attackers abused a known vulnerability in the Quickview plugin to inject rogue Magento admin users that could then run code with the highest privileges. The abuse happens via adding a validation rule into the customer_eav_attribute table. This tricks the host app into crafting a malicious object, which is then used to create a simple backdoor (api_1.php). The validation rules for new customers are the clever part of the attack, as this triggers the payload to be injected into the sign-up page.

Natural Events

New Climate Tool Provides Blueprint for Retail Action

The Retail Industry Leaders Association (RILA) released a Climate Action Blueprint, which offers a clearinghouse of approaches for U.S.-based retail companies seeking a path to a net zero emissions future. The Blueprint was created with Schneider Electric and reviewed by a Steering Committee of RILA members and World Wildlife Fund (WWF). The intent of the Blueprint is to provide emissions reduction guidance applicable to any retail company’s strategy, regardless of where the company is on its decarbonization journey. These tactics are therefore not prescriptive, and each company’s approach will vary based on its unique business. 

The Tsunami Could Kill Thousands. Can They Build an Escape?

A major quake in the Pacific Northwest, expected sooner or later, will most likely create waves big enough to wipe out entire towns. Evacuation towers may be the only hope, if they ever get built. The Cascadia fault off the Pacific Northwest coast is poised for a massive, 9.0-magnitude earthquake at some point, scientists say, a rupture that would propel a wall of water across much of the Northwest coast within minutes. Low-lying coastal neighborhoods in Washington, Oregon and Northern California would be under 10 feet or more of water. Vertical evacuation structures have been embraced in Japan for years, in the form of platforms, towers and artificial berms. They became a refuge for many in the 2011 earthquake and tsunami, although that event still killed more than 19,000 people.

Cannabis businesses, particularly those near coastal regions of California, Oregon, Washington, and Canada are advised to review flood projections and evacuation routes in the event of a tsunami

Check out the latest blog highlighting security issues important to cannabis security!