Transcript
David Shipley (0:01)
Canada's second largest airline reported a cybersecurity incident Friday night. Anubis ransomware adds a file wiping function to increase destruction and pressure. Discord vanity link hijack leads to malware delivery campaigns targeting crypto wallets. And Thursday's Google Cloud outage: root cause tied to an API quota misconfiguration. This is Cybersecurity Today and I'm your host, David Shipley. Canadian airline WestJet is responding to a confirmed cybersecurity incident that disrupted access to its mobile app and internal systems. The Calgary based company issued a public statement on social media late Friday evening saying it was, quote, aware of a cybersecurity incident involving internal systems and the WestJet app, which has restricted access for several users, end quote. The airline says it activated its internal response team and is cooperating with law enforcement and Transport Canada to investigate the incident. In its statement, WestJet emphasized that it is expediting efforts to maintain the safety of its operations and working to safeguard sensitive data and personal information for both guests and employees. An update Saturday night clarified that the airline's flight operations remained safe and unaffected by the incident. At the time of this recording, WestJet has not released technical details regarding the attack vector or potential threat actors. There is also no public evidence linking this event to ransomware or other known campaigns. Yet while the impact appears limited to its digital services, WestJet's disruption underscores the growing risk that cyber attacks pose to operational continuity. In the cybersecurity sector, aviation firms are attractive targets due to their reliance on real time digital systems, their regulatory oversight and the criticality of public trust. WestJet's response shows the importance of timely, transparent incident communications in maintaining public trust.
It will be interesting to see if they reveal more details on the attack and whether this turns out to be data theft, an extortion or a ransomware attack. While WestJet works to restore its affected systems, cybersecurity researchers are tracking an additional rapid evolution of ransomware threats that has potentially devastating consequences. One group they're tracking is the Anubis ransomware-as-a-service (RaaS), first observed in December 2024. The Anubis operation has gained momentum in 2025 with the launch of an affiliate program that offers significant revenue sharing: up to 80% for ransomware operators, 60% for data extortion partners, and 50% for initial access brokers. Now, researchers at Trend Micro have discovered that Anubis has integrated a wiper module into its ransomware payload. This component, which can be triggered via the WIPEMODE command line parameter, irreversibly deletes file contents, reducing files to zero bytes while preserving directory and file name structures. According to Trend Micro, this design choice is intentional. It amplifies pressure on victims by sabotaging recovery efforts even if the ransom was paid, effectively weaponizing data loss as a psychological tool. The command requires key based authentication, suggesting attackers reserve it for high value targets or stalled negotiations. Technically, Anubis incorporates several layers of functionality. It uses the Elliptic Curve Integrated Encryption Scheme (ECIES), similar to that seen in the EvilByte and Prince ransomware families. It has process interference: it kills processes and services that might interfere with its encryption efforts. System safeguards: it excludes key system and program directories by default to avoid rendering devices completely inoperable before ransom payment. And volume shadow copy removal ensures that rollback via Windows recovery features isn't an option. Encrypted files are marked with an .anubis extension, and ransom notes are dropped in impacted directories.
Attempts to change desktop wallpapers have been observed but failed in recent samples. Anubis infections typically begin with phishing emails that include malicious links or attachments, an all too common initial access strategy. So far, only eight victims have been publicly listed on the group's dark web extortion page. But with these new capabilities, wider deployment may be imminent. The combination of extortion and destruction represents a disturbing trend in ransomware operations, as attackers increasingly shift from pure financial motives to applying punitive pressure. Organizations should review their disaster recovery plans and ensure that offline backups are regularly tested and updated. A reminder: our reporting earlier this year says that 75% of enterprises still pay ransoms even though they have backups, because often those backups are destroyed. Anubis's evolution highlights a growing trend towards irreversible, punitive ransomware tactics. This marks a disturbing change in the evolution of ransomware. Let me explain. Ransomware 1.0 was all about encrypting the files. Ransomware 2.0 was encrypting files or stealing data and holding it hostage. Ransomware 3.0 holds this new sword of Damocles of data wiping on top of the other two tactics. Discord is in the middle of another problem. A newly uncovered malware campaign is exploiting a quirk in Discord's vanity invite system to distribute the AsyncRAT remote access trojan and a specialized version of the Skuld information stealer. The tactic involves registering expired or deleted Discord invite codes and redirecting users, often those revisiting trusted forums or links, to malicious servers. Once on the rogue server, victims are instructed to verify their accounts by copying a PowerShell command presented via a verify button. This command triggers a multi stage payload download that executes in the background. So the steps are: a PowerShell script hosted on Pastebin downloads a first stage loader.
That loader retrieves the AsyncRAT and Skuld stealer from Bitbucket and GitHub, and the final payloads are executed on victim systems. AsyncRAT provides the attackers with full remote access, while Skuld Stealer, written in Golang, targets sensitive data including browser credentials, Discord tokens, and especially cryptocurrency wallet seed phrases. Researchers noted the use of additional evasion techniques, including the use of ClickFix social engineering, that is, convincing users to run clipboard loaded PowerShell commands manually; sandbox evasion, time based execution delays and environment checks to get around those pesky MDR and EDR endpoint security tools; and a ChromeKatz variant, a modified open source tool used to bypass Chrome's encryption protections. Stolen data is exfiltrated via Discord webhooks, allowing attackers to blend malicious activity into normal platform traffic. Discord has since disabled a malicious bot enabled in this campaign. Check Point, which published the detailed report on this issue, also found a secondary campaign by the same threat actor. This version disguised its loader as a cheat tool for unlocking pirated games and has been downloaded over 350 times at the time of disclosure. Target regions for these campaigns include the United States, Vietnam, France, Germany, Austria, the Netherlands and the United Kingdom. This incident highlights how trust in platform features such as Discord invites can be turned against users when security design gaps are exploited. Organizations and end users alike need to be cautious about revisiting previously trusted links, particularly when they're used to access high value digital assets. Discord's exploitation demonstrates that attackers don't need zero days when they can rely on forgotten features and user trust.
It's also a great thing for us to consider whether the evolution of the use of Discord from a video game platform into a common platform now used by software developers and others in some of the largest enterprises around the world was a good choice. Now, not a cybersecurity incident, but still one that had massive implications. On Thursday, Google Cloud experienced a multi hour global service disruption caused by a misconfigured quota update in its API management infrastructure. The outage began at approximately 10:49am Eastern Time and lasted until 3:49 Eastern Time, affecting Google's own services as well as third party platforms that rely on its cloud infrastructure. Impacted services included Gmail, Google Calendar, Google Docs, Google Meet, Google Drive, Google Chat, Google Cloud Search and others. The outage also cascaded to major external services like Spotify, Discord, Snapchat, Firebase, and select Cloudflare applications. In its incident summary, Google explained that an invalid automated quota update propagated globally and caused API requests to return 503 errors. Whoops. The system's failure to flag and isolate the error in time was attributed to inadequate testing and lack of effective error handling protocols. This brings back memories of CrowdStrike. Thank God it was resolved quickly. Recovery involved bypassing the offending quota check. While most regions recovered within two hours, the us-central1 region experienced extended delays due to overloaded policy databases. Residual issues persisted for an hour after initial mitigation in some services. Cloudflare confirmed the outage impacted its Workers KV key-value store, which underpins critical functions including authentication and configuration delivery. Although no data was lost, the service interruption was significant. Cloudflare stated it would migrate the KV store to its own R2 object storage to reduce reliance on third party providers.
This incident is a stark reminder of the fragility of interconnected digital services. A single misconfiguration at the cloud infrastructure layer can ripple across dozens of dependent platforms, disrupting both consumer and business operations worldwide. And Google's cloud outage reveals how fragile the backbone of the Internet can be when automation and oversight don't align. It also highlights why major cloud providers need to be regulated like we do for other critical infrastructure like banks, telecommunications and more. That's it for today. Stay patched, stay skeptical, and yesterday was a good time to check your disaster recovery plan. Whether it's to protect you from disruptive ransomware or major cloud provider outages, a good plan that's well tested is your best friend. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.
