In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.


Lawsuits ‘100%’ Incoming for OCR After Data Breach

Following last week’s news of an Ontario Cannabis Store data breach, cannabis retailer Jennawae McLean, the founder and CEO of eastern Ontario’s Calyx + Trichomes stores, warned that a lawsuit is coming. “For sure there’s going to be some sort of lawsuit brought forward, 100%,” McLean told MJBizDaily, adding that she and 50 other independent store operators have been reviewing the details of what happened alongside her lawyer. “I hope that infrastructure is put into place so this is avoided in the future, because this is not something that we should, as a private sector, be dealing with when we’re dealing with a government entity – we should be able to trust that our data is being taken care of.”

Ransomware Payments Spike

A group of top cyber experts released a task force report one year ago laying out 48 detailed recommendations to combat the scourge of ransomware attacks. One year later, they’re wrestling with the fact the damage caused by ransomware, in which hackers lock up victims’ computers and demand payment to unlock them, is likely as high as ever. Ransomware payments by victims spiked 70 percent in 2021 over the previous year’s levels.

Meanwhile, the notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more. This news comes from Advanced Intel’s Yelisey Boguslavskiy, who tweeted yesterday that the gang’s internal infrastructure was turned off. While public-facing “Conti News” data leak and the ransom negotiation sites are still online, Boguslavskiy told BleepingComputer that the Tor admin panels used by members to perform negotiations and publish “news” on their data leak site are now offline.

While it may seem strange for Conti to shut down in the middle of their information war with Costa Rica, Boguslavskiy tells Bleeping Computer  that Conti conducted this very public attack to create a facade of a live operation while the Conti members slowly migrated to other, smaller ransomware operations.

While the Conti ransomware brand is no more, the cybercrime syndicate will continue to play a significant role in the ransomware industry for a long time to come. Boguslavskiy told BleepingComputer that instead of rebranding as another large ransomware operation, the Conti leadership has instead partnered with other smaller ransomware gangs to conduct attacks. Under this partnership, the smaller ransomware gangs gain an influx of experienced Conti pentesters, negotiators, and operators. The Conti cybercrime syndicate gains mobility and greater evasion of law enforcement by splitting into smaller “cells,” all managed by central leadership. A more complete report from AdvIntel is expected today.

Finally on the ransomware front, Goup-IB has released their third annual Ransonware Uncovered report for 2021-2022. The full report can be found here. Among the findings are those that echo was was reported by the Washington Post in that ransom demands are on the rise. Since the publication of the Ransomware Uncovered 2020/2021 report, the average ransom amount increased by 45% to reach $247,000 in 2021, while the highest demand was $240,000,000 (compared to $30,000,000 in 2020).

CISA Releases Analysis of FY21 Risk and Vulnerability Assessments

The Cybersecurity & Infrastructure Security Agnecy (CISA) has released an analysis and infographic detailing the findings from the 112 Risk and Vulnerability Assessments (RVAs) conducted across multiple sectors in Fiscal Year 2021 (FY21).  The analysis details a sample attack path comprising 11 successive tactics, or steps, a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in FY21 RVAs. The infographic highlights the three most successful techniques for each tactic that the RVAs documented. Both the analysis and the infographic map threat actor behavior to the MITRE ATT&CK® framework. 

CISA encourages network defenders to review the analysis and infographic and apply the recommended mitigations to protect against the observed tactics and techniques. For information on CISA RVAs and additional services, visit the CISA Cyber Resource Hub.  

Threat Actors Chaining Unpatched VMWare Vulnerabilities for Full System Control

CISA is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). 

VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5, and May 6, 2022, respectively

Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released, Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied.

CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties.

Physical Security

Cannabis Shop Owner Asks for Action as First-of-its-Kind Safety Taskforce Created in King Count

On Tuesday, the King County Council voted to create a Cannabis Safety Taskforce in response to an increase in armed robberies targeting cannabis businesses. The task force is a step toward addressing the issue, but some business owners say it’s already at a crisis level.

According to the Washington CannaBusiness Association, there have been roughly 70 reported robberies of marijuana businesses in the state of Washington since the beginning of 2022. Only two months ago an employee at a Tacoma pot shop was shot and killed during an armed robbery.  

The increase in violence is the reason the King County Council voted to create the Cannabis Safety Taskforce. Seven council members voted yes while two excused themselves from the vote.

The goal of the task force is to identify resources to help police and cannabis shops. The task force will be comprised of representatives from the King County Sheriff’s Office, the King County Prosecutor’s Office, members of the cannabis industry and community members.

One Person in Custody Following Mental Health Warrant, Ex-Employee’s Threats Prompt P&G Closure

The person who made threats against P&G was taken into custody at an apartment complex in Covington, Ohio Wednesday following a mental health warrant, according to police. A mental health warrant allows an individual or institution to say that someone has mental health issues and that they should be evaluated if they are deemed a danger to themselves or to others. The man taken into custody, a former P&G employee, prompted the closure of the company’s downtown Cincinnati offices after making multiple threats. The offices were reopened Thursday. Cincinnati police were contacted Tuesday night by Kenton County regarding information its investigators gathered about a potential security threat at the company’s downtown offices, according to a statement by Cincinnati police. At around 5:30 a.m. Wednesday, the company made the decision to close out of an abundance of caution.

Ohio State Highway Patrol said the department received an officer safety bulletin Wednesday morning from Cincinnati police about a P&G employee who was fired in 2021 for not coming back to work after working from home during COVID. He texted at least two employees about taking over the company, according to the safety bulletin.

On several occasions we have discussed the potential of pandemic-induced stresses being more likely to lead employees down the pathway to violence. Returning to offices, whether an employee is forced to against their will, or ends up losing employment due to an unwillingness to return, can be a trigger moment to operationalize some of the built up frustrations. Cannabis industry organizations are encouraged to review their protocols for identifying potential suspicious or dangerous activity from employees, it is important to identify those potential trigger moments or additional stressors that could help escalate situations, and ensure employees are trained both in reporting procedures, as well as de-escalation language to help prevent potential workplace violence incidents.

Natural Events

NOAA Predicts a Below-Normal 2022 Central Pacific Hurricane Season

There is a 60% chance of below-normal tropical cyclone activity during the Central Pacific hurricane season this year, according to NOAA’s Central Pacific Hurricane Center and NOAA’s Climate Prediction Center, divisions of the National Weather Service. The outlook also indicates a 30% chance for near-normal activity, and only a 10% chance of an above-normal season. For the season as a whole, 2 to 4 tropical cyclones are predicted for the Central Pacific hurricane region, which is located north of the equator between 140°W and the International Date Line. This number includes tropical depressions, named storms and hurricanes. A near-normal season has 4 or 5 tropical cyclones. 

“This year we are predicting less activity in the Central Pacific region compared to normal seasons,” said Matthew Rosencrans, NOAA’s lead seasonal hurricane forecaster at the Climate Prediction Center. “The ongoing La Niña is likely to cause strong vertical wind shear making it more difficult for hurricanes to develop or move into the Central Pacific Ocean.”  

Check out the latest blog highlighting issues important to cannabis security!