In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.


Ontario Cannabis Store Data Breach Raises Credibility, Security Concerns

The credibility of the government-run Ontario Cannabis Store is at stake after sensitive industry data was misappropriated and leaked, according to experts. The Ontario Provincial Police (OPP) confirmed it opened an investigation earlier this month into what the OCS alleges is the theft of the business data. The data includes individual cannabis retailers’ sales, their inventory levels and other sensitive information such as store license number and the amount of kilograms and packaged units sold for at least the months of December 2021 and January 2022.

Data security is a key part to any successful business. This blog from LoginRadius highlights 9 data security best practices which are:

  1. Identify sensitive data and classify it.
  2. Data usage policy is a must-have.
  3. Monitor access to sensitive data.
  4. Safeguard data physically.
  5. Use endpoint security systems to protect your data.
  6. Document your cybersecurity policies.
  7. Implement a risk-based approach to security.
  8. Train your employees.
  9. Use multi-factor authentication.
CISA and Interagency Partners Publish Joint Cybersecurity Advisory on Karakurt Data Extortion Group

The following was shared by CISA earlier this week and is TLP:WHITE; meant for broadest distribution. In partnership with the FBI, Treasury, and FinCEN, CISA published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations for organizations to take to protect against reported tactics, techniques, and procedures (TTPs) by Karakurt data extortion group that has been creating significant challenges for defense and mitigation.  

Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. As of May 2022, several terabytes worth of data purported to belong to victims across North America and Europe, along with several “press releases” naming victims who had not paid or cooperated, and instructions for participating in victim data “auctions” was reported to be contained on Karakurt operated website located in the deep web and on the dark web.  

During reconnaissance, Karakurt actors appear to obtain access to victim devices, primarily, by purchasing stolen login credentials. They can also obtain access to already compromised victims from cooperating partners in the cybercrime community or buying access to already compromised victims via third-party intrusion broker networks.  

Actions that organizational leaders and network administrators can take today to mitigate cyber threats from ransomware include prioritizing patching known exploited vulnerabilities, training users to recognize and report phishing attempts, and enforcing multi-factor authentication (MFA). More recommended mitigations include: 

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. 
  • Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization. 
  • Regularly back up data and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. 
  • Install and regularly update antivirus software on all hosts and enable real time detection. 
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized accounts.    

Organizations are encouraged to review the advisory for all the details on the Karakurtactors, associated indicators of compromise, malicious behavior mapped to MITRE ATT&CK, and agency resources available to all organizations.  

2022 Human Factor Report: Year of Headline-Making Attacks

Drawing on insights and data from their products and researchers, this report from Proofpoint tells the story of a year when cybersecurity jumped from the tech page to the front page. The report explores all of this from a people-centric point of view, looking at the lures attackers used to bypass defenses and persuade victims to download or click on something they shouldn’t. The threats Proofpoint detected, mitigated and resolved for their customers in 2021 are the core of their analysis. As attackers continue to probe for new access points, they have expanded coverage of mobile and cloud threats. While big targets and big ransoms made headlines, perennial threats like business email compromise (BEC) often carried the biggest costs. After a year like 2021, it’s worth noting that for most defenders, it’s the stress of hijacked invoices and financially motivated malware that fills their days, not state-sponsored attacks.

Key findings from this year’s Human Factor include:

  • More than 20 million messages tried to deliver malware linked to eventual ransomware attack.
  • Over 80% of businesses are attacked by a compromised supplier account in any given month.
  • Attackers attempt over 100,000 telephone-oriented attacks every day.
  • SMS-based phishing attempts doubled in the U.S. year over year.
  • Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk in our data.

Physical Security

Cannabis Businesses Seek Help From City With Money For Security

Oakland businesses are looking to utilize state grant funding from the California Department of Cannabis Control to help boost security. Oakland has earmarked $1.7 million of the $9.9 million “to help cannabis businesses meet security requirements,” according to City of Oakland spokesperson Harry Hamilton. The city also received $5.4 million in grant money from the state “and a portion will be used to provide a series of security workshops for cannabis businesses,” Hamilton said.

FBI: Mass Shootings Underscore Increasing Threat from Lone Actors

FBI Director Christopher Wray said recent mass shootings underscore the increasing threat from lone actors who may be difficult to detect and stop in the planning phases and may ascribe to a “weird hodgepodge” of ideologies rather than commit acts of violence in furtherance of a defined extremist movement. In previous briefs to RE-ISAC members and as referenced in a number of our reports, this is sometimes referred to as “salad bar terrorism.” “The range of criminal, cyber, and counterintelligence threats we face as a nation has never been greater or more diverse, and the demands and expectations placed on the FBI have never been higher,” Wray told the Senate Appropriations on Commerce, Justice, Science, and Related Agencies during a Wednesday hearing to discuss the FBI’s budget request.

Wray said the FBI’s domestic terrorism caseload really began climbing “over the last few years — and this really started, I would say, in summer of 2019, and kind of has just continued since then — we have, I think, more than doubled our domestic terrorism caseload.”

According to statistics reported to the FBI for 2021, 8,226 law enforcement agencies submitted use-of-force data to the National Use-of-Force Data Collection, which is managed by the FBI’s Uniform Crime Reporting (UCR) Program. These agencies represent more than 60% of all federal, state, local, tribal, and college/university sworn officers. Data regarding these use-of-force incidents were released today on the FBI’s Law Enforcement Data Explorer.

RAND researchers created this Mass Attacks Defense Toolkit to advance efforts to prevent and reduce intentional, interpersonal firearm violence and public mass attacks in the United States. The goal of this tool is to provide practical strategies and guidance on deterring, mitigating, and responding to mass attacks for a variety of audiences, including public safety experts, practitioners, policymakers, community groups, and the general public.

What the Research Says about the State of Organized Retail Crime

Retail crime is receiving more attention than ever before, and most of the attention is focused on organized retail crime (ORC). The news media regularly reports on ORC, but policymakers are also interested in retail crime. In fact, the Loss Prevention Research Council (LPRC) has been receiving and responding to requests for information about ORC from legislators’ offices and staffers, trade organizations, and others like never before.

Homeland Security Investigations (HSI) and the Association of Certified Anti-Money Laundering Specialists (ACAMS) have formed a partnership and published a report to help combat organized retail crime, the large-scale theft of retail merchandise with the intent to resell items for financial gain, which has become an increased threat to public safety and economy. The report – Detecting and Reporting the Illicit Financial Flows Tied to Organized Theft Groups and Organized Retail Crime – highlights red flags associated with organized theft groups, including structured deposits and withdrawals, large purchases of stored-value cards, high-dollar wire transfers tied to wholesale companies involved with health and beauty supplies, and large purchases of lighter fluid or heat guns, among others. Access the PDF report.

Texas Man Wanting to go ‘Human Hunting’ Arrested for Terroristic Threat

As mass shootings continue to be a regular occurrence across the U.S., it is important to prepare staff to stay vigilant to possible suspicious activity, and if they “See Something, Say Something.” In Texas there was a good example of the value in bystander intervention when an individual who reported wanting to go “human hunting” during the purchase of a firearm optic was reported by the seller. A search of the individual’s home uncovered several handguns, extended magazines, long rifles, a bulletproof vest (no armor plates), and hundreds of rounds of ammunition.

Natural Events

Tropical Storm Warnings for South Florida

Tropical storm warnings have been issued across the southern half of the Florida Peninsula and the Keys ahead of the likely formation of a Gulf tropical storm that will bring heavy rain and gusty winds to those areas into the weekend. An area of low pressure located more than 400 miles southwest of Fort Myers, Florida, is producing clusters of showers and thunderstorms right now. Moisture from this system is streaming well to its northeast, resulting in rainfall across South Florida.The National Hurricane Center (NHC) has dubbed this system “Potential Tropical Cyclone One,” a procedure allowing the NHC to issue advisories, watches and warnings for a system that hasn’t yet developed but poses a threat of tropical-storm-force winds to land areas within 48 hours.

A tropical disturbance is forecast to slowly strengthen to a tropical storm by Friday evening and move across the southern half of the Florida Peninsula on Saturday and return to the Atlantic Ocean by Sunday. Heavy rain will begin to affect portions of Central Florida, South Florida, and the Florida Keys today and continue through Saturday. Considerable flash and urban flooding are possible across South Florida and in the Keys. Therefore, the WPC has issued a Moderate Risk of excessive rainfall over the southern tip of Florida through Saturday morning. The associated heavy rain will create numerous areas of flash flooding. Furthermore, many streams may flood, potentially affecting larger rivers.

In addition, Colorado State University’s (CSU) Tropical Meteorology Project has slightly increased the number of storms we can expect in the busy season ahead. CSU’s updated outlook calls for 20 named storms, 10 of which become hurricanes and 5 of which reach Category 3 status or stronger.

Last year we published a blog in our Library Card Series which provides the cannabis industry resources on how to best prepare for hurricane season.

Check out the latest blog highlighting issues important to cannabis security!