
June 16, 2025 • 11 mins

Host David Shipley discusses several critical cybersecurity incidents and developments. WestJet, Canada's second-largest airline, faced a cybersecurity breach impacting its mobile app and internal systems.

The airline is working with law enforcement to investigate while emphasizing the integrity of its flight operations. Additionally, the Anubis ransomware has evolved, now incorporating a file-wiping function to heighten victim pressure and destruction.

The episode also covers a novel malware campaign exploiting Discord's vanity invite system to deliver remote access trojans and info stealers, highlighting platform trust vulnerabilities.

Lastly, a significant multi-hour Google Cloud outage caused by an API quota misconfiguration affected numerous services globally, emphasizing the fragility of our interconnected digital infrastructure. The episode underscores the need for robust disaster recovery plans and cautious digital practices.

00:00 Introduction and Overview
00:30 WestJet Cybersecurity Incident
02:15 Anubis Ransomware Evolution
05:35 Discord Vanity Link Hijack
08:35 Google Cloud Outage
10:50 Conclusion and Final Thoughts


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Canada's second-largest airline reported a cybersecurity incident Friday night.
Anubis ransomware adds a file-wiping function to increase destruction and pressure.
Discord vanity link hijack leads to malware delivery campaigns targeting crypto wallets, and Thursday's Google Cloud outage root cause is tied to API quota misconfiguration.

(00:24):
This is Cybersecurity Today, and I'm your host, David Shipley.
Canadian airline WestJet is responding to a confirmed cybersecurity incident that disrupted access to its mobile app and internal systems.
The Calgary-based company issued a public statement on social media late Friday evening saying it was "aware of a cybersecurity incident involving internal

(00:47):
systems and the WestJet app, which has restricted access for several users."
The airline says that it activated its internal response team and is cooperating with law enforcement and Transport Canada to investigate the incident.
In its statement, WestJet emphasized that it is expediting efforts to maintain the safety of its operations and working to safeguard sensitive data and personal

(01:10):
information for both guests and employees.
An update Saturday night clarified that the airline's flight operations remain safe and unaffected by the incident. At the time of this recording, WestJet has not released technical details regarding the attack vector or potential threat actors.
There is also no public evidence linking this event to ransomware

(01:31):
or other known campaigns.
Yet, while the impact appears limited to its digital services, WestJet's disruption underscores the growing risk that cyber attacks pose to operational continuity. In the cybersecurity sector, aviation firms are attractive targets due to reliance on real-time digital systems, their regulatory oversight,

(01:52):
and the criticality of public trust.
WestJet's response shows the importance of timely, transparent incident communications in maintaining public trust.
It will be interesting to see if they reveal more details on the attack and whether this turns out to be data theft and extortion or a ransomware attack

(02:12):
as WestJet works to restore its affected systems.
Cybersecurity researchers are tracking an additional rapid evolution of ransomware threats that has potentially devastating consequences.
One group they're tracking is the Anubis ransomware-as-a-service, or RaaS, first observed in December 2024.
The Anubis operation has gained momentum in 2025 with the launch

(02:35):
of an affiliate program that offers significant revenue sharing: up to 80% for ransomware operators, 60% for data extortion partners, and 50% for initial access brokers.
Now researchers at Trend Micro have discovered that Anubis has integrated a wiper module into its ransomware payload.
This component, which can be triggered via the /WIPEMODE command line

(02:58):
parameter, irreversibly deletes file contents, reducing files to zero bytes while preserving directory and file name structures, according to Trend Micro.
This design choice is intentional.
It amplifies pressure on victims by sabotaging recovery efforts, even if the ransom was paid, effectively

(03:18):
weaponizing data loss as a psychological tool.
The command requires key-based authentication, suggesting attackers reserve it for high-value targets or stalled negotiations.
Technically, Anubis incorporates several layers of functionality.
It uses Elliptic Curve Integrated Encryption Scheme, ECIES, similar

(03:39):
to that seen in the EvilByte and Prince ransomware families.
It has process interference: it kills processes and services that might interfere with its encryption efforts.
System safeguards: it excludes key system and program directories by default to avoid rendering devices completely inoperable before ransom payment.
And volume shadow copy removal ensures that rollback via Windows

(04:03):
recovery features isn't an option.
Encrypted files are marked with a .anubis extension, and ransom notes are dropped in impacted directories. Attempts to change desktop wallpapers have been observed, but failed in recent samples.
Anubis infections typically begin with phishing emails that include malicious links or attachments, an all-too-common initial access strategy.

(04:26):
So far, only eight victims have been publicly listed on the group's dark web extortion page, but with these new capabilities, wider deployment may be imminent.
The combination of extortion and destruction represents a disturbing trend in ransomware operations.
As attackers increasingly shift from pure financial motives to applying punitive pressure, organizations should review their disaster recovery

(04:49):
plans and ensure that offline backups are regularly tested and updated.
A reminder: our reporting earlier this year says that 75% of enterprises still pay ransoms even though they have backups, because often those backups are destroyed.
Anubis' evolution highlights a growing trend towards irreversible,

(05:10):
punitive ransomware tactics.
This marks a disturbing change in the evolution of ransomware.
Let me explain.
Ransomware 1.0 was all about encrypting the files.
Ransomware 2.0 was encrypting files or stealing data and holding it hostage.
Ransomware 3.0 now holds this sword of Damocles of data wiping

(05:32):
on top of the other two tactics.
Discord is in the middle of another problem.
A newly uncovered malware campaign is exploiting a quirk in Discord's vanity invite system to distribute the AsyncRAT remote access Trojan and a specialized version of the Skuld information stealer.
The tactic involves registering expired or deleted Discord invite

(05:55):
codes and redirecting users, often those revisiting trusted forums or links, to malicious servers.
Once on the rogue server, victims are instructed to verify their accounts by copying a PowerShell command presented via a verify button.
This command triggers a multi-stage payload download that executes in the background.

(06:16):
So the steps are: a PowerShell script hosted on Pastebin downloads a first-stage loader; that loader retrieves AsyncRAT and Skuld Stealer from Bitbucket and GitHub; and the final payloads are executed on victim systems.
AsyncRAT provides the attackers with full remote access, while Skuld Stealer, written in Golang, targets sensitive data including browser credentials,

(06:38):
Discord tokens, and especially cryptocurrency wallet seed phrases.
Researchers noted the use of additional evasion techniques, including the use of ClickFix social engineering, that is, convincing users to run clipboard-loaded PowerShell commands manually; sandbox evasion; time-based execution delays; and environment checks to get around those pesky MDR/EDR endpoint security tools.

(07:03):
A ChromeKatz variant, a modified open source tool, is used to bypass Chrome's encryption protections.
Stolen data is exfiltrated via Discord webhooks, allowing attackers to blend malicious activity into normal platform traffic.
Discord has since disabled the malicious bot that enabled this campaign.
Check Point, which published the detailed report on this issue,

(07:25):
also found a secondary campaign by the same threat actor.
This version disguised its loader as a cheat tool for unlocking pirated games and had been downloaded over 350 times at the time of disclosure.
Target regions for these campaigns include the United States, Vietnam, France, Germany, Austria, the Netherlands, and the United Kingdom.

(07:46):
This incident highlights how trust in platform features such as Discord invites can be turned against users when security design gaps are exploited.
Organizations and end users alike need to be cautious about revisiting previously trusted links, particularly when they're used to access high-value digital assets.
Discord's exploitation demonstrates that attackers don't need zero

(08:09):
days when they can rely on forgotten features and user trust.
It's also a great thing for us to consider whether the evolution of the use of Discord from a video game platform into a common platform now used by software developers and others in some of the largest enterprises around the world was a good choice.

(08:30):
Now, not a cybersecurity incident, but still one that had massive implications.
On Thursday, Google Cloud experienced a multi-hour global service disruption caused by a misconfigured quota update in its API management infrastructure.
The outage began at approximately 10:49 AM Eastern time and lasted until 3:49 Eastern time, affecting Google's own services as well as third-party platforms

(08:54):
that rely on its cloud infrastructure.
Impacted services included Gmail, Google Calendar, Google Docs, Google Meet, Google Drive, Google Chat, Google Cloud Search, and others.
The outage also cascaded to major external services like Spotify, Discord, Snapchat, Firebase, and select Cloudflare applications.
In its incident summary, Google explained that an invalid automated quota update

(09:18):
propagated globally and caused API requests to return 503 errors.
Whoops.
The system's failure to flag and isolate the error in time was attributed to inadequate testing and lack of effective error handling protocols.
This brings back memories of CrowdStrike.
Thank God it was resolved quickly.

(09:38):
Recovery involved bypassing the offending quota check. While most regions recovered within two hours, the us-central1 region experienced extended delays due to overloaded policy databases.
Residual issues persisted for an hour after initial mitigation in some services. Cloudflare confirmed the outage impacted its Workers KV key-value store, which underpins critical functions including authentication

(10:02):
and configuration delivery.
Although no data was lost, the service interruption was significant.
Cloudflare stated it would migrate the KV store to its own R2 object storage to reduce reliance on third-party providers.
This incident is a stark reminder of the fragility of interconnected digital services.
A single misconfiguration at the cloud infrastructure layer can

(10:24):
ripple across dozens of independent platforms, disrupting both consumer and business operations worldwide.
And Google's cloud outage reveals how fragile the backbone of the internet can be when automation and oversight don't align.
It also highlights why major cloud providers need to be regulated like we do for other critical infrastructure like banks, telecommunications, and more.

(10:50):
That's it for today.
Stay patched, stay skeptical.
And yesterday was a good time to check your disaster recovery plan, whether it's to protect you from destructive ransomware or major cloud provider outages.
A good plan that's well tested is your best friend.
We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video.

(11:15):
I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday.
Thanks for listening.