In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.


Cannabis MSO Shares Cyber Threat Report

A member of our information sharing community has recently shared a TLP:GREEN report on our free Slack Workspace which identifies a cyber adversary that is actively trying to exploit the cannabis industry. If you would like access to the workspace to view the full report, please visit the Get Involved section of our website. In summary, the report contains Indicators of Compromise (IOCs) of a phishing group this organization has been tracking, which they have dubbed “Green Envy” as they have been unable to associate any of the IOCs discovered with known threat groups. While the organization appears to have a lot of interest in targeting the cannabis industry, there has also been . We’re sharing this in hopes other organizations protect themselves and look out for potential activity. This actor is known for spoofing legitimate orgs in their emails. A TLP:WHITE version of the report can be seen here, while an accompanying TLP:WHITE phishing spreadsheet can be seen here.

Shields Up: U.S. Officials Preparing for Potential Russian Cyberattacks

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly sat down for an interview with 60 Minutes’ Bill Whitaker to discuss the agency’s role in bolstering the nation’s cybersecurity and why every organization – large and small – should have their shields up to cyber threats. 

Easterly discussed CISA’s Shields Up campaign and dedicated website, which has resources and latest guidance on actions organizations can take to safeguard their networks in light of the evolving intelligence that the Russian Government is exploring options to potentially conduct cyberattacks against the United States. 

The entire segment is available online here. An underlying theme of the interview was that organizations need to prepare, not panic.

The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA) with the intent to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners. The full PDF of the alert can be viewed here.

Social Networks Most Likely to be Imitated by Criminal Groups

Check Point Research issued its Q1 Brand Phishing Report, highlighting the brands that hackers most often imitate to lure people into giving up their personal data. Social media networks have now overtaken shipping, retail and technology as the category most likely to be targeted by criminal groups. So far this year, LinkedIn has been related to more than half (52%) of all phishing-related attacks globally, marking the first time the social media network has reached the top of rankings. It represents a dramatic 44% uplift from the previous quarter, when LinkedIn was in fifth position and related to only 8% of phishing attempts. LinkedIn has now overtaken DHL as the most targeted brand, which has now fallen to second position and accounted for 14% of all phishing attempts during the quarter.

This latest report highlights an emerging trend toward threat actors leveraging social networks, now the number one targeted category ahead of shipping companies and technology giants such as Google, Microsoft and Apple. As well as LinkedIn being the most targeted brand by a considerable margin, WhatsApp maintained its position in the top ten, accounting for almost 1 in 20 phishing-related attacks worldwide. The report highlights a particular example where LinkedIn users are contacted via an official-looking email in an attempt to lure them to click on a malicious link. Once there, users would again be prompted to log in via a fake portal where their credentials would be harvested.

Known Exploited Vulnerabilities

Our colleagues at the Real Estate ISAC recently published a TLP:AMBER report about CISA’s Known Exploited Vulnerabilities (KEV) catalogue. That report has been posted to our Slack Workspace, which is free for industry personnel to access. If you would like access, please visit the Get Involved section of our website. In brief, the report discusses how known vulnerabilities are one of the most dangerous threats facing organizations, which are constantly on guard against threat actors looking for any opening to exploit. The current geopolitical crisis in Ukraine only further highlights the risk. To counter this enduring challenge, CISA continues to update the KEV. The KEV is updated when a vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID, there is reliable evidence that the vulnerability has been actively exploited in the wild, or there is a clear remediation action for the vulnerability, such as a vendor-provided update. Knowing this information is a key component of an effective patch management process, which is highly recommended for all organizations, big or small, as statistics still show that a high number of cyber attacks are carried out against vulnerabilities that are known but not acted upon. Establishing a patch management process using the KEV as a baseline is an effective strategy moving forward.
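One way to use the KEV as a patch baseline, shown as an added example that is not taken from the Real Estate ISAC report: match scanner findings against the catalogue and rank the hits by remediation due date. The field names follow CISA's published KEV JSON feed; the CVE IDs, hosts and dates are constructed placeholders.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. The CVE IDs are
# placeholders, not real catalogue entries.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2022-04-15",
   "knownRansomwareCampaignUse": "Known",
   "requiredAction": "Apply updates per vendor instructions."},
  {"cveID": "CVE-0000-0002", "dueDate": "2022-05-10",
   "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply updates per vendor instructions."},
  {"cveID": "CVE-0000-0003", "dueDate": "2022-04-15",
   "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply updates per vendor instructions."}
]}
""")

# Constructed scanner output: (host, CVE ID) pairs from a hypothetical inventory.
FINDINGS = [
    ("pos-01", "CVE-0000-0002"),
    ("web-01", "CVE-0000-0001"),
    ("web-01", "CVE-0000-0099"),  # not listed in the KEV sample
    ("db-01", "CVE-0000-0003"),
]

def kev_triage(findings, kev, today=None):
    """Return only KEV-listed findings, most urgent first."""
    today = today or date.today()
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    rows = []
    for host, cve in findings:
        entry = index.get(cve)
        if entry is None:
            continue  # not in KEV: stays in the regular patch cycle
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({
            "host": host, "cve": cve, "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    # Earliest due date first; ties go to entries tied to ransomware campaigns.
    rows.sort(key=lambda r: (r["days_left"], not r["ransomware"], r["host"]))
    return rows

if __name__ == "__main__":
    for r in kev_triage(FINDINGS, KEV_SAMPLE, today=date(2022, 4, 25)):
        print(r["host"], r["cve"], "OVERDUE" if r["overdue"] else r["days_left"])
```

In practice the sample would be replaced by the downloaded catalogue file and the findings by an export from the organization's own vulnerability scanner.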

BlackCat/ALPHV Ransomware Indicators of Compromise

This FLASH is part of a series of FBI reports to disseminate known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with ransomware variants identified through FBI investigations. As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.

Physical Security

Violent Robberies at Pot Shops Fuel New Efforts for Federal Marijuana Banking Reform

A surge in robberies at licensed cannabis shops — including a pistol-whipping, gunshots and killings in Washington state last month — is helping fuel a renewed push for federal banking reforms that would make the cash-dependent stores a less appealing target.

“It makes absolutely no sense that legal businesses are being forced to operate entirely in cash, and it’s dangerous — and sometimes even fatal — for employees behind the register,” Washington Sen. Patty Murray, the third-ranking Democrat in the Senate, said in a statement emailed to The Associated Press.

While dispensaries are frequent targets for robberies, the spate in Washington is helping drive the national conversation about banking reform. Last month, a suspect shot and killed an employee at a cannabis store in Tacoma; an ID checker shot and killed a robber in Covington; Seattle police shot and killed a suspect following a robbery in Bellevue; and a robber pistol-whipped a worker at an Everett shop.

The Cannabis ISAO will soon be releasing our Q1 2022 Incident Snapshot to identify robbery trends in the industry. This report is informed through open source information, and will be more useful the more data is input into the system. If you are a cannabis operator and have an incident at your facility, consider reporting it through the Incident Reporting form on our website. All information is anonymized in the final report.

Additional cannabis robbery-related headlines include:

Trends in Surveillance Cameras

Surveillance cameras, which have been around for years, provide a number of benefits to protect facilities. Over the years, these devices have become increasingly advanced in their capabilities, and their use has grown considerably. Among the new developments are the rise in digital cameras, the growing popularity of audio features, the addition of AI and analytics features, as well as the introduction of Zero Trust Policies.

Natural Events

Strong Storm to Bring Fire Weather, Heavy Snow, and Severe Thunderstorms to Central U.S. into the Weekend

Dry air and gusty winds are expected to bring very dangerous wildfire-spread conditions from the western Central Plains into the Southwest. Heavy snow, strong winds, and freezing rain will impact travel across the northern Plains into Sunday. Severe thunderstorms are expected to produce all severe hazards across parts of the Great Plains into Upper Midwest.

A powerful and dynamic April storm system is expected to impact the central U.S. today and produce a plethora of weather hazards stretching the entire length of the Great Plains. The catalyst for this system is a potent negatively tilted upper-level trough that is currently entering the West Coast and expected to rapidly strengthen into a closed upper-level low over the northern High Plains on Saturday. At the surface, an area of low pressure is forecast to develop and strengthen over the High Plains near far western Nebraska by this evening. Meanwhile, precipitation will blossom to the north and west of the low pressure center tonight, which will help draw much colder air from the mid-levels down to surface. A quick changeover from rain to snow will commence across parts of northeast Wyoming and eastern Montana into Sunday morning, with heavy snow expanding into the western Dakotas by Saturday afternoon. Gusty winds as high as 75 mph will combine with heavy snowfall rates to create low visibilities and blizzard conditions. Travel will be very difficult to impossible at times, with power outages and tree damage also expected. Total snowfall amounts by the time the storm exits on Sunday are forecast to exceed 1 foot across northeast Wyoming, eastern Montana, western North Dakota, and northwest South Dakota. Parts of the higher terrain of the northern/central Rockies, extending into southwest Montana, western Wyoming, Utah, and western Colorado could also see snowfall totals over a foot.

On the warm side of the system, a dry line and approaching Pacific cold front will be the trigger for developing thunderstorms throughout the Great Plains late this afternoon. Several storms could turn severe and produce damaging wind gusts, large hail, and tornadoes. The greatest chances for severe weather today extend from central Nebraska through western Kansas into the Oklahoma and Texas panhandles. It is this region where the Storm Prediction Center (SPC) has highlighted an Enhanced Risk (level 3/5) of severe thunderstorms. As the cold front progresses eastward on Saturday, the severe weather threat will shift into the Upper Midwest and stretch southwestward into the southern Plains. SPC has issued a Slight Risk (level 2/5) of severe weather from Minnesota to central Oklahoma for the start of the weekend. Heavy rain is also a potential hazard to contend with as thunderstorms develop and lead to scattered instances of flash flooding.
