In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.
Uber Responds to Breach After Threat Actor Claims Widespread Access - Social Engineering Again Defeats MFA
Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots of the company’s internal systems, email dashboard, and Slack server. The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain. Other systems the hacker accessed include the company’s Amazon Web Services console, VMware ESXi virtual machines, Google Workspace email admin dashboard, and Slack server, to which the hacker posted messages.
According to Kevin Beaumont, a renowned cybersecurity expert, the attack went as follows:
- The threat actor spammed an Uber employee with push authentication requests for several hours before contacting them on WhatsApp and claiming to be from Uber IT.
- The attacker then told the victim they needed to accept the push notification to make the prompts stop.
- The employee accepted the “guidance” and the threat actor enrolled another device (that the attacker controlled) into the Multifactor Authentication (MFA) enrollment portal.
These reports often advocate for the use of MFA, and organizations should strongly consider applying MFA “to all the things!” However, MFA can be bypassed and still requires threat awareness and vigilance. MFA, or the lack of it, and social engineering continue to be significant factors in a notable and seemingly increasing number of cybersecurity incidents. MFA fatigue, also known as MFA prompt bombing, is the process of sending a high volume of push requests in short succession to a target’s mobile device until the user accepts the authentication request, either by accident or to quell the repeated push notifications. The important point about MFA fatigue, perhaps more important than the potential victim accepting an unauthorized push request, is that the threat actor already has the target user’s valid credentials, which are required to prompt for the push in the first place. Earlier this month, Cisco was compromised by the Yanluowang ransomware gang who, according to Cisco’s Talos Intelligence, obtained the user’s credentials and attempted to bypass MFA using a variety of techniques, including voice phishing (a.k.a. “vishing”) and MFA fatigue.
Lapsus$, the extortion gang recently identified as the group that breached Microsoft, Okta, and Nvidia, claimed to have also worn down victims with repeated MFA push notifications, including a Microsoft employee. According to a message captured from the Lapsus$ Telegram channel, “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.” In addition to mass MFA bombing, sending only one or two MFA prompts per day to attract less attention can also be effective.
For the cannabis industry to reduce the risk and protect organizations and users from succumbing to MFA bypass, consider the following in your MFA implementation:
- Train it. Include MFA bypass themes, like the ones highlighted in this report, in simulated phishing exercises and awareness education and discussions.
- Configure it. Ensure MFA settings are properly configured to protect against things like “fail open,” re-enrollment, or initial device enrollment scenarios.
- Randomize it. Make sure user session identifiers are unique and randomly generated.
- Fake it. Encourage users to never use real answers in response to recovery questions (and to use a password manager).
- Expire it. Set the session timeout after which MFA is required again to the minimum acceptable timeframe (preferably at each login) so a threat actor cannot maintain persistence with a stolen session token.
- Force it. If a user reports repeated unauthorized MFA push notifications, immediately force a password reset.
- Disable it. Disable inactive accounts uniformly in Active Directory, MFA, etc. so they cannot be leveraged to re-enroll in MFA.
- Monitor it. Monitor network logs continuously for suspicious activity.
- Alert it. Implement appropriate security policies to alert on things like impossible logins.
- Harden it. Implement a FIDO2-compliant security key (e.g., YubiKey) for multi-factor authentication.
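To make the “Monitor it” and “Alert it” recommendations concrete, here is an added example (not from the original post or any vendor product) that scans constructed MFA log lines for the push-bombing pattern described above: a burst of challenges, an approval during the burst, and a new device enrolled soon after. The log format, event names and thresholds are assumptions, not any real product’s schema.

```python
"""Flag MFA push-bombing patterns in authentication logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one "timestamp,user,event" per line.
SAMPLE_LOG = """\
2022-09-15T20:01:00,alice,push_sent
2022-09-15T20:01:30,alice,push_denied
2022-09-15T20:02:10,alice,push_sent
2022-09-15T20:03:05,alice,push_sent
2022-09-15T20:04:00,alice,push_sent
2022-09-15T20:05:00,alice,push_approved
2022-09-15T20:09:00,alice,device_enrolled
2022-09-15T20:10:00,bob,push_sent
2022-09-15T20:10:20,bob,push_approved
"""


def parse_log(text):
    """Parse 'timestamp,user,event' lines into time-ordered (datetime, user, event) tuples."""
    rows = [line.strip().split(",") for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), user, event) for ts, user, event in rows)


def detect_push_bombing(text, burst=4, window=timedelta(minutes=10),
                        enroll_window=timedelta(minutes=30)):
    """Return the highest-severity finding per user as (user, severity, reason).
    medium: >= `burst` pushes inside `window`; high: a push approved during or just after
    that burst (fatigue worked); critical: a new MFA device enrolled within `enroll_window`."""
    per_user = defaultdict(list)
    for ts, user, event in parse_log(text):
        per_user[user].append((ts, event))
    findings = []
    for user, evs in per_user.items():
        sent = [t for t, e in evs if e == "push_sent"]
        # sliding window over challenge times: any run of `burst` sends that fits in `window`
        bursts = [(sent[i], sent[i + burst - 1]) for i in range(len(sent) - burst + 1)
                  if sent[i + burst - 1] - sent[i] <= window]
        if not bursts:
            continue
        start, end = bursts[0]
        approvals = [t for t, e in evs if e == "push_approved" and start <= t <= end + window]
        enrolled = bool(approvals) and any(
            e == "device_enrolled" and approvals[0] <= t <= approvals[0] + enroll_window for t, e in evs)
        if enrolled:
            findings.append((user, "critical", "new MFA device enrolled shortly after a fatigue approval"))
        elif approvals:
            findings.append((user, "high", "push approved during a bombing burst"))
        else:
            findings.append((user, "medium", f"{burst}+ MFA pushes within {window}"))
    return findings
```

The thresholds are deliberately low for the sample; in production, tune `burst` and `window` against your identity provider’s normal push volume and route “high” and “critical” findings to the forced-reset procedure described under “Force it.”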
Ransomware demands and claims for all cyber incidents fell in the first half of this year, but small businesses have increasingly become targets, managing general agent Coalition Inc. said Wednesday in an update to its 2022 Cyber Claims Report. In an analysis of claims data from its 160,000 policyholders, San Francisco-based Coalition said ransomware demands fell to $896,000 in the first half from $1.37 million during the first six months of 2021. Of those that resulted in payments, the amount was negotiated to about 20% of the demand.
In a statistic that we have previously shared, Cybercrime Magazine indicates that 60% of small companies go out of business within six months of falling victim to a data breach or cyber attack. “Across industries, we continue to see high-profile attacks targeting organizations with weak or exposed infrastructure, which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Catherine Lyle, Coalition’s head of claims, in a statement.
For cannabis businesses that are just getting started with cybersecurity (and we can’t encourage you enough to do so right away), we are linking to a past blog which highlights the Cybersecurity & Infrastructure Security Agency’s (CISA) Cyber Essentials Starter Kit.
Two more cannabis dispensaries were damaged in St. Louis County overnight Wednesday into Thursday. A string of burglaries has been reported over the last several weeks at several dispensaries across the St. Louis area. In the last week of August, at least four burglaries were reported at dispensaries in Hazelwood, St. Louis and Festus. In many of the cases, police said suspects used stolen Hyundais and Kias to smash into the front of the stores and get inside.
These incidents are not just happening in St. Louis. In downtown Los Angeles, thieves attempted to pull the front gate of a dispensary off with their car. Greenway Magazine recently published an article focused on ways to harden cannabis facilities, and as we have previously shared, CISA provides a Vehicle Ramming Self-Assessment Tool which could be useful.
Detectives arrested a man suspected of ordering home delivery of cannabis and robbing three delivery drivers, including one person who was held up at gunpoint. Jaron Aaron Silva, 22, was arrested Sept. 8 on suspicion of robbery, grand theft and being a convicted felon in illegal possession of a gun, the Sacramento Police Department announced Tuesday afternoon in a news release. Police said Silva, during his arrest last week, was found in possession of a privately manufactured gun, also known as a ghost gun. Detectives believe Silva used the ghost gun in one of the cannabis robberies.
Earlier this year, a DoorDash delivery driver was shot and killed inside his vehicle after dropping off an order in central Modesto. The fatal shooting is the first reported murder of a third-party delivery app worker while on the job in the city. In response, tech companies that employ delivery gig workers have updated some of their policies and procedures. A DoorDash spokesperson said the company offers occupational accident insurance to its drivers (who they call Dashers) at no cost. Last year, it also launched an in-app safety toolkit for its gig workers.
Dispensary robberies have shown that cannabis is a targeted industry for criminals. While facilities can be fortified (albeit at a high cost), the safety of delivery drivers is a more fluid situation. Whether organizations look to outsource delivery or build their own solution, it is vital that driver security be at the forefront of the solution. In addition to utilizing technology to enhance safety, it is important to train drivers on proper situational awareness, as discussed in this MJBizDaily article.
The Bluntness details how a recent surge of robberies at cannabis dispensaries throughout the United States has created a potentially dangerous work environment for budtenders. Workers have been pistol-whipped, shot, and killed by marauders on a seek-and-destroy mission to empty the cash register.
“The number of these robberies is shocking,” David Postman, the chairman of the Washington Liquor and Cannabis Board, recently told NPR. And while hiring extra security guards sounds like a viable solution, it gets expensive. It can cost tens of thousands of dollars to hire round-the-clock, armed security teams to keep the riffraff out of a dispensary.
Some budtenders claim the dispensary environment doesn’t have to go to the extreme of robberies or gun violence to get scary. “Even if you never have a robber come in, there are still many times where you have to be ‘at the ready’ if any craziness happens,” Julia, a former budtender, told The Bluntness. Julia added that “I don’t think it’s that dangerous if you are prepared.”
Proper training is important for frontline staff, and there are plenty of free resources available. CISA offers good resources on de-escalation, HSI offers techniques in this blog post, and organizations like Gate 15 provide the free Hostile Event Preparedness Series (HEPS) webinars.
Tropical storm conditions are expected in the Leeward Islands by this evening, while tropical storm conditions are possible across the Virgin Islands beginning on Saturday, and reaching Puerto Rico late Saturday into Saturday night. Heavy rainfall may produce considerable flood impacts including flash and urban flooding, along with mudslides in areas of higher terrain.
How the system interacts with Hispaniola early next week will determine whether it holds together as a system, and whether it moves more toward the mainland U.S. or on a northeast trajectory closer to Bermuda. To date, the U.S. Gulf and East Coasts have not yet had a significant hurricane event this Atlantic season. We want to remind organizations that it only takes one storm making landfall in your area of operations to make it a significant season for your business. If you have not yet developed a hurricane response plan, we encourage you to review our Library Card Series blog on Hurricane Preparedness.