Cannabis ISAO Director's Cut: March 25

In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.

Cybersecurity

Cannabis MSO Identifies Suspicious Network Activity

Earlier this week, a cannabis MSO reached out to the ISAO to inform us of suspicious activity they were seeing within their network. According to the MSO, threat actor have registered typosquat domains, or domains which are purposely made to look like those controlled by legitimate businesses, created email addresses with those domains and have been sending out emails mimicking the staff of the MSO in order to scam those email recipients into closing business sensitive information or fraudulently transferring funds. This operation moves quickly, and the MSO is seeing emails sent on the same day that the fake domains were registered. From what MSOs investigation the email traffic appears to be targeting smaller capacity cannabis dispensaries, as well as companies who are making payments to other cannabis companies.

It is important to inform staff of these type of scams which could easily impact any organization within the cannabis industry. Suspicious activity that individuals should look for when receiving unexpected emails:

Email addresses with domain names that aren’t a 100% match with those from normal email traffic.
Poor sentence structure or grammar in the body of the email.
An email signature block that appears to be a pasted in screenshot.
A sense of urgency in what is being asked within the email.
Requests for checks to be sent to residential addresses.

A cybersecurity researcher has offered to Cannabis ISAO to scan industry domains to identify if possible typo squat domains have been created which resemble legitimate industry domains. Any organizations which would like to be added to this list should email Cannabis ISAO Executive Director Ben Taylor (ben@cannabisisao.org)

Authentication Firm Okta Probes Report of Digital Breach

Okta Inc, whose authentication services are used by companies including Fedex and Moody’s to provide access to their networks, is investigating a report of a digital breach after hackers posted screenshots of what they said was internal information. The scope of the hack is unknown, but it could have major consequences because thousands of companies rely on San Francisco-based Okta to manage access to their networks and applications. In a statement, Okta official Chris Hollis said the hack could be related to an earlier incident in January, which he said was contained. Okta had detected an attempt to compromise the account of a third-party customer support engineer at the time, said Hollis.

FBI Releases the Internet Crime Complaint Center 2021 Internet Crime Report

The FBI’s Internet Crime Complaint Center (IC3) has released its annual report. The 2021 Internet Crime Report includes information from 847,376 complaints of suspected internet crime—a 7% increase from 2020—and reported losses exceeding $6.9 billion. State-specific statistics have also been released and can be found within the 2021 Internet Crime Report and in the accompanying 2021 State Reports. The top three cyber crimes reported by victims in 2021 were phishing scams, non-payment/non-delivery scams, and personal data breach. Victims lost the most money to business email compromise scams, investment fraud, and romance and confidence schemes.

In addition to statistics, the IC3’s 2021 Internet Crime Report contains information about the most prevalent internet scams affecting the public and offers guidance for prevention and protection. It also highlights the FBI’s work combatting internet crime, including recent case examples. Finally, the 2021 Internet Crime Report explains the IC3, its mission, and functions.

CISA Holds Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the United States

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) convened a three-hour call with over 13,000 industry stakeholders to provide an update on the potential for Russian cyberattacks against the U.S. homeland and answer questions from a range of stakeholders across the nation. If you missed the call, it can be viewed in full here.

CISA Director Jen Easterly, Deputy Executive Assistant Director for Cybersecurity Matt Hartman, and Tonya Ugoretz, Deputy Assistant Director for the FBI’s cyber division, encouraged organizations of all sizes to have their Shields Up to cyber threats and take proactive measures now to mitigate risk to their networks. They encouraged those on the line to visit CISA.gov/Shields-Up to take action to protect their organizations and themselves and urged all critical infrastructure providers to implement the mitigation guidelines enumerated on CISA.gov/Shields-Up, including:

Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
Update the software on your computers and devices to continuously look for and mitigate threats;
Back up your data and ensure you have offline backups beyond the reach of malicious actors;
Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
Encrypt your data;
Sign up for CISA’s free cyber hygiene services; and
Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.

DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction

In recent weeks, Microsoft Security teams have been actively tracking a large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements. As this campaign has accelerated, their teams have been focused on detection, customer notifications, threat intelligence briefings, and sharing with industry collaboration partners to understand the actor’s tactics and targets.

The observed activity has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors. DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.

Okta’s chief security officer, David Bradbury, said in a webinar Wednesday that it only received a full forensic report from Sitel on Monday, having been initially warned in January about a potential breach. He admitted, however, that Okta received a summary report last week about the hack, and that the company should have moved quicker to act on those initial findings. The report revealed that a hacker had gained access to a Sitel technician’s computer via a remote desk protocol (RDP).

What the hack showed is how outsourcing technical support presents a risk to any company and its customers’ data. While a company can outsource its employee functions, it can’t outsource the risk and reputational damage when things go awry at the contractor. And that’s a factor that the LAPSUS$ crew, which often demands payment from victims to stop it from leaking data, has been exploiting in earnest. Related:

Physical Security

WA Pot Shop Robberies Have Turned Deadly. It Will Keep Happening Until Congress Acts

In the wake of a deadly spate of armed robberies at three cannabis retail stores which resulted in three deaths within four days, the Liquor and Cannabis Board (LCB) will next week host an online roundtable to discuss safety at cannabis retailers. The LCB will meet with cannabis retailers, elected officials, national SAFE Banking Act advocates, and others to discuss this urgent safety crisis.

The roundtable panel will include: Michael Correia, Director of Govt. Affairs for the National Cannabis Industry Association; State Treasurer Mike Pellicciotti; Sen. Karen Keiser; cannabis retailer; and Enforcement and Education Division Director Chandra Brady. The panel will be facilitated by LCB Chair David Postman.

The tragic events of the last week and the escalation of armed robberies over the last several months have demonstrated the urgent need for Congress to act. The lack of banking services has become a catalyst for a very real public safety crisis in WashingtonState. Due to their forced reliance on cash transactions, cannabis retailers have increasingly become targets for armed robbers.

Thus far in 2022, reports show that there have been over 50 robberies of cannabis businesses, many of them armed, in Washington State. This surpasses the number of robberies in all of 2021.

“The only way we get cash — to the level that it is — out of the cannabis stores is by passage of the SAFE Banking Act,” Christophersen said, telling The News Tribune that pot-shop thieves can often make off with tens of thousands of dollars for their efforts. “Until we deal with this cash issue, it’s going to continue to be a real problem.”

Event Details

Tuesday, March 29, 2022 — 10:00 – 11:00 a.m.
Join on your computer or mobile app
- Click here to join the meeting
Or call in (audio only)
- +1 564-999-2000,,168726506# United States, Olympia
- Phone Conference ID: 168 726 506#

Please join the LCB Board and staff for this important, timely discussion. The listen- and view-only event will include:

Perspectives from Michael Correia on national conversations on the SAFE Banking Act;
Updates from Treasurer Pellicciotti on his recent lobbying efforts in D.C. to urge Congress to pass the federal SAFE Banking Act;
Keiser’s efforts as Chair of the Senate Labor, Commerce and Tribal Affairs Committee work to enact retail safety measures in the state legislature;
First-hand experiences and insights of retailers; and
LCB Enforcement and Education Division experiences and insights.

Police Link Rash of New England Cannabis Facility Burglaries

Police have linked a rash of burglaries targeting New England cannabis dispensaries to a trio of suspects in Massachusetts, according to a report from the Portland Press Herald. Law enforcement officers say that a man from New Bedford, Massachusetts and two brothers from Boston are suspected in the string of burglaries of licensed cannabis enterprises going back to 2020.

Police began connecting the crimes after a burglary at a cannabis grower in Gorham, Maine in October of last year. In that caper, three individuals wearing face coverings, hats and long sleeves cut their way through an exterior wall of the business located in an industrial park while a fourth person stood watch outside. The three burglars inside the building moved cautiously from room to room, trying to avoid detection by motion sensors. When the team finally left a couple of hours later, they took 30 pounds of cannabis and 500 THC vape cartridges with them.

During their investigation, police reviewed video from the cannabis cultivator’s security cameras. One camera caught the image of the Massachusetts license plate of a pickup truck that entered the parking lot two hours before the crime. And inside the building, one of the camera’s microphones recorded the burglars talking to one another.

Check out the latest blog highlighting issues important to cannabis security!
Tweet

On March 24, 2022