###### tags: `資安事件新聞週報`

# Weekly Security Incident News Report 2022/11/14 ~ 2022/11/18

## 1. Major Vulnerabilities / Backdoors / Exploits / Zero-Days

- High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices
  https://thehackernews.com/2022/11/high-severity-vulnerabilities-reported.html
- F5 patches RCE vulnerabilities in BIG-IP and BIG-IQ
  https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/
- Cisco releases security updates for Identity Services Engine
  https://www.cisa.gov/uscert/ncas/current-activity/2022/11/16/cisco-releases-security-updates-identity-services-engine
- Cisco patches 33 vulnerabilities in its enterprise firewall products
  https://www.securityweek.com/cisco-patches-33-vulnerabilities-enterprise-firewall-products
- Microsoft issues emergency updates to fix Windows Kerberos authentication issues
  https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-kerberos-auth-issues-in-emergency-updates/
- Multiple security vulnerabilities in Samba products
  https://www.cisa.gov/uscert/ncas/current-activity/2022/11/16/samba-releases-security-updates
- Critical vulnerability SandBreak in Backstage, the developer portal platform used by many enterprises and IT vendors, could be used to escape the sandbox and achieve RCE
  https://www.oxeye.io/blog/remote-code-execution-in-spotifys-backstage
- Finding P1 Vulnerabilities: A Step by Step Guide
  https://medium.com/the-gray-area/finding-p1-vulnerabilities-a-step-by-step-guide-b88521195204
- Critical RCE Flaw Reported in Spotify's Backstage Software Catalog and Developer Platform
  https://thehackernews.com/2022/11/critical-rce-flaw-reported-in-spotifys.html
- PCspooF: New Vulnerability Affects Networking Tech Used by Spacecraft and Aircraft
  https://thehackernews.com/2022/11/pcspoof-new-vulnerability-affects.html
- SQL injection and improper access control vulnerabilities found in the Zendesk customer-service system
  https://www.varonis.com/blog/zendesk-sql-injection-and-access-flaws
- Web server software OpenLiteSpeed patches critical vulnerabilities
  https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/
- GitHub introduces a channel for reporting vulnerabilities privately to repository owners
  https://www.securityweek.com/github-introduces-private-vulnerability-reporting-public-repositories
- US warns Zimbra mail system administrators that attackers are already exploiting multiple critical vulnerabilities
  https://www.cisa.gov/uscert/ncas/alerts/aa22-228a
- US CISA publishes vulnerability categorization guidance, using a decision tree to help organizations prioritize patching
  https://www.cisa.gov/blog/2022/11/10/transforming-vulnerability-management-landscape

## 2. Banking / Finance / Insurance / Securities / Payment Systems / Financial Supervision: News and Security

- Warning: New Massive Malicious Campaigns Targeting Top Indian Banks' Customers
  https://thehackernews.com/2022/11/warning-this-widespread-malicious.html
- Python Script to Steal Credit Card And Browser-Saved Passwords
  https://medium.com/@abwahab5095/python-script-to-steal-credit-card-and-browser-saved-passwords-ac6c9e99ed5f
- Cathay Cybersecurity ETF fund manager's report for October
  https://www.moneydj.com/funddj/ya/yp052000.djhtm?a=6B3091F8-B0F5-4497-B19F-45F3C7A14415
- Trend Micro: financial firms are overconfident in their ability to withstand ransomware
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10185
- Suspected misuse of personal data by banks: KMT legislators say they have all received marketing messages; KMT caucus asks the FSC for a special investigation
  https://n.yam.com/Article/20221118650240
- FIDO authentication essentials at a glance
  https://reurl.cc/WqD7Gk
- Delete these 2 apps now! Trojan empties victims' bank accounts, 2,000 people affected
  https://reurl.cc/de7Arg
- Fraud ring obtains OTP codes, binds credit cards and accounts for fraudulent charges
  https://reurl.cc/EXGe4v
- E-payment users approach 20 million; the rise of PXPay Plus threatens the two incumbents
  https://reurl.cc/MXRV4K
- Legislator 林楚茵 exposes an e-payment account-binding verification flaw; FSC chair 黃天牧 promises a quick fix
  https://reurl.cc/mZlArW
- PXPay Plus targets 3 million users by year end; next step is increasing user stickiness through services
  https://www.ithome.com.tw/news/154105
- Nigeria's mobile e-payment volume reached 12.8 trillion naira in the first three quarters
  https://www.ttv.com.tw/finance/view/112022161134EAAEF6A034684E92BAC325706B9D30460ABC/587

## 3. E-Payment / Mobile Payment / Pay / Security

- Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location
  https://thehackernews.com/2022/11/google-to-pays-391-million-privacy-fine.html
- PXPay Plus reaches 2 million members in two months, backed by Chunghwa Telecom's IDC
  https://www.businessweekly.com.tw/business/indep/1002792
- In the digital finance era, use the Cathay United Bank CUBE App to learn safer, simpler mobile money management
  https://www.thenewslens.com/article/176540
- Taiwan Railways adds 9 mobile payment options from 12/1, including the four most widely used
  https://reurl.cc/OEVnjR
- Digital giving becomes a trend: donations via mobile payment booming
  https://reurl.cc/x1lA6b
- Mobile payment donations going mainstream? Taiwan NPO Self-Regulation Alliance issues 4 appeals and 5 guidelines
  https://onegeek1979.com/news/34664
- State-owned banks strengthen mobile payments with impressive results
  https://ctee.com.tw/news/finance/749537.html
- Strategic thinking for retailers moving into e-payments
  https://fc.bnext.com.tw/articles/view/2552
- Google Wallet launches in Thailand; on the road to a cashless society, the central bank aims to halve cash circulation by 2026
  https://reurl.cc/4XQnjj
- E-payment card binding must trigger an SMS notification from next year
  https://reurl.cc/QW4xe2

## 4. Cryptocurrency / Digital Currency / Mining / Blockchain / Smart Contracts / Web3 Security

- Private to state-owned? WeChat Pay and Alipay may be nationalized and integrated with the digital yuan
  https://www.rti.org.tw/news/view/id/2150597
- Bitcoin is Finished
  https://medium.com/crypto-24-7/bitcoin-is-finished-863e5370150
- HTML injection vulnerability in the decentralized social network Mastodon could lead to credential theft
  https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
- Bankrupt crypto exchange FTX suspected of being hacked, losing over US$500 million
  https://www.smh.com.au/business/companies/ftx-investigating-possible-hack-hours-after-bankruptcy-filing-20221113-p5bxs0.html
- FTX's new CEO reveals: FTX tampered with and misused data; Alameda was exempt from liquidation on FTX
  https://abmedia.io/20221118-ftx-scam-revealed
- Gate.io: the circulated asset list is only partial, and users suffered no losses from hacking
  https://news.cnyes.com/news/id/5012239
- Lookonchain: Gate.io had US$230 million stolen by North Korean hackers without disclosing it; 61% of its assets are GT and SHIB
  https://news.cnyes.com/news/id/5012124
- The 6 biggest blowups in crypto history: FTX is not the first and won't be the last
  https://www.blocktempo.com/ftxs-collapse-isnt-the-first-and-wont-be-the-last/
- Pionex's four transformations: how a Chinese-funded crypto platform reshaped itself to enter Taiwan
  https://www.cmmedia.com.tw/home/articles/37131
- Bankruptcy storm spreads: FTX founder suspected of absconding with 62 billion, rumored to have fled to Dubai
  https://n.yam.com/Article/20221116472559
- Hong Kong must learn lessons from the FTX chaos
  https://www.hk01.com/article/837540?utm_source=01articlecopy&utm_medium=referral
- FTX contagion: crypto crises cascade, another firm reportedly heading for bankruptcy
  https://www.wealth.com.tw/articles/06cf6440-78f5-4f5c-b4c2-7aac6b1ead7c
- Is the Bahamas government behind the hack? New York Post: Bahamas government ordered SBF to hack FTX after the bankruptcy
  https://zombit.info/sam-bankman-fried-was-ordered-by-bahamian-government-to-hack-ftx-after-bankruptcy/
- Crypto | FTX founder SBF: declaring bankruptcy was the biggest mistake
  https://reurl.cc/ymkGM6
- No misappropriation? SBF regrets filing for bankruptcy; aims to raise US$8 billion within two weeks and admits pushing for regulation was just PR
  https://www.blocktempo.com/sbf-regrets-filing-for-bankruptcy/
- EP120. From golden boy to villain: how did FTX, the world's second-largest crypto exchange, go bankrupt overnight?
  https://www.bnext.com.tw/podcast/233/bn-sound-20221117085221-zm3r7a87
- "Is crypto a scam?" Insider netizen reveals one cause of the crash
  https://udn.com/news/story/121591/6769508
- Deployer of the FLARE token on BNB Chain, which previously rug-pulled, moves over 30,000 BNB into Tornado Cash
  https://news.cnyes.com/news/id/5013181
- 27 domestic crypto exchanges paid about NT$1.28 billion in business tax last year
  https://www.ftvnews.com.tw/news/detail/2022B17W0026
- Binance to restart its bid to acquire bankrupt crypto lender Voyager Digital (VYGVQ.US) (by 智通財經)
  https://reurl.cc/28WVW9
- With rising crypto risks and unclear regulatory trends, how operators are responding
  https://blockcast.it/2022/11/18/how-regtech-helps-the-development-of-crypto-market/

## 5. Security Incident News

### A. Viruses and Trojans / Botnets / Ransomware / Adware / APT / Backdoors / IOC

- Info-stealer Typhon Reborn adds mechanisms to hinder analysis by researchers
  https://unit42.paloaltonetworks.com/typhon-reborn-stealer/
- Department store operator Tonlin announces on the TWSE that some of its information systems were hit by a cyberattack
  https://tw.stock.yahoo.com/news/%E5%85%AC%E5%91%8A-%E7%B5%B1%E9%A0%98%E8%AA%AA%E6%98%8E%E9%83%A8%E4%BB%BD%E8%B3%87%E8%A8%8A%E7%B3%BB%E7%B5%B1%E9%81%AD%E5%8F%97%E9%A7%AD%E5%AE%A2%E7%B6%B2%E8%B7%AF%E6%94%BB%E6%93%8A-101440686.html
- Chinese hackers target Uyghurs with the Android malware BadBazaar
  https://lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
- Botnet malware KmsdBot hijacks victim systems for cryptomining and DDoS attacks
  https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware
- US warns healthcare organizations that they are targeted by Venus ransomware
  https://www.hhs.gov/sites/default/files/venus-ransomware-analyst-note.pdf
- UK motor racing circuit investigates Royal ransomware attack
  https://therecord.media/popular-uk-motor-racing-circuit-investigating-ransomware-attack/
- Canadian food retailer Sobeys reportedly hit by Black Basta ransomware
  https://www.bleepingcomputer.com/news/security/canadian-food-retail-giant-sobeys-hit-by-black-basta-ransomware/
- StrelaStealer malware steals Outlook and Thunderbird mail credentials
  https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
- Ukrainian organizations attacked with Somnia ransomware
  https://cert.gov.ua/article/2724253
- Prestige ransomware attacks on Ukraine and Poland attributed to the suspected Russian group Iridium
  https://www.bleepingcomputer.com/news/security/russian-military-hackers-linked-to-ransomware-attacks-in-ukraine/
- LockBit ransomware operator arrested in Canada
  https://www.bleepingcomputer.com/news/security/russian-lockbit-ransomware-operator-arrested-in-canada/
- ARCrypter ransomware expands its operations from Latin America to the world
  https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
- Game servers targeted by the RapperBot botnet for DDoS attacks
  https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
- QBot malware abuses the Windows Control Panel executable to infect victim computers
  https://www.bleepingcomputer.com/news/security/qbot-phishing-abuses-windows-control-panel-exe-to-infect-devices/
- 1,300 organizations have had files encrypted by Hive ransomware
  https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- BatLoader malware loader campaign heats up, compromising victim computers with living-off-the-land techniques
  https://www.darkreading.com/attacks-breaches/researchers-alarm-batloader-malware-dropper
- Microsoft: 93% of ransomware incident response engagements show insufficient privileged access and lateral movement controls
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10183
- Technical Analysis of the RedLine Stealer
  https://cloudsek.com/technical-analysis-of-the-redline-stealer/
- Reconstructing the last activities of Royal Ransomware
  https://otx.alienvault.com/pulse/63776fdcb12db4ed708ee1d5
- Digital Ocean (London (UK)) SSH Attacker Hosts for 2022-09-30
  https://jamesbrine.com.au/dolondon-ssh-bruteforce-ip-list-2022-09-30/
  https://jamesbrine.com.au
- Hacker group Worok hides a backdoor in seemingly normal PNG images in order to distribute the info-stealer DropBoxControl
  https://decoded.avast.io/martinchlumecky/png-steganography/
- Malicious Word document disguised as a news questionnaire
  https://asec.ahnlab.com/ko/42163/
- New RapperBot Campaign – We Know What You Bruting for this Time
  https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
- Bad font, bad backgrounds, and one persistent S.O.B
  https://otx.alienvault.com/pulse/63730981ca91941bc5a8cf92
- Experts Uncover Two Long-Running Android Spyware Campaigns Targeting Uyghurs
  https://thehackernews.com/2022/11/experts-uncover-two-long-running.html
- Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan
  https://thehackernews.com/2022/11/these-two-google-play-store-apps.html
- Russian-Canadian National Charged Over Involvement in LockBit Ransomware Attacks
  https://thehackernews.com/2022/11/russian-canadian-national-charged-over.html
- Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland
  https://thehackernews.com/2022/11/microsoft-blames-russian-hackers-for.html
- New KmsdBot Malware Hijacking Systems for Mining Crypto and Launch DDoS Attacks
  https://thehackernews.com/2022/11/new-kmsdbot-malware-hijacking-systems.html
- Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images
  https://thehackernews.com/2022/11/worok-hackers-abuse-dropbox-api-to.html
- Warning: New RapperBot Campaign Aims to Launch DDoS Attacks at Game Servers
  https://thehackernews.com/2022/11/warning-new-rapperbot-campaign-aims-to.html
- AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
  https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns

### B. Mobile Security / iPhone / Android / Wearables / Apps / 5G / Instant Messaging

- 3 high-risk vulnerabilities in Samsung phones highlight component security issues
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10177
- Android lock screen could be bypassed; Google issues a fix
  https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/
- World Cup apps may let the Qatari government surveil fans; France and Norway urge citizens to use burner phones
  https://www.theregister.com/2022/11/11/world_cup_security/
- Phone hacked to send fake messages; Nga Kor Ming urges the public to stay vigilant
  https://reurl.cc/pZLAL4
- 7 iOS Projects to Become a Better iOS Developer
  https://medium.com/geekculture/7-ios-projects-to-become-a-better-ios-developer-e07818695c41
- 10 Useful iPhone Apps — Oct 2022
  https://medium.com/macoclock/10-useful-iphone-apps-oct-2022-9c2cdff54a9d
- iOS 16.2 Could be Massive — Here's Why
  https://medium.com/macoclock/ios-16-2-could-be-massive-heres-why-950eff870f89
- Android, MVVM with Clean Code
  https://medium.com/@nicola.caferra/android-mvvm-with-clean-code-63995578253e
- Google announces the Privacy Sandbox beta for some Android 13 devices
  https://www.ithome.com.tw/news/154210
- Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023
  https://thehackernews.com/2022/11/google-to-roll-out-privacy-sandbox-beta.html
- 100 Apps, Endless Security Checks
  https://thehackernews.com/2022/11/100-apps-endless-security-checks.html
- DuckDuckGo browser for Android adds App Tracking Protection
  https://www.ithome.com.tw/news/154285

### C. Incidents / Hackers / DDoS / APT / Cloud / Dark Web / Recruiting / International Security Incidents / Security Workforce

- TWCERT 2022 Taiwan cybersecurity reporting and response annual conference focuses on "cyber resilience and business continuity"
  https://www.asmag.com.tw/showpost/12413.aspx
- 2022 Cybersecurity Skills Golden Shield Award results announced; NYCU takes the NT$120,000 prize
  https://www.cna.com.tw/news/ahel/202211110349.aspx
- The Golden Shield Award for nurturing campus security talent receives stronger backing after the Ministry of Digital Affairs was established
  https://www.ithome.com.tw/news/154188
- Digital transformation is unstoppable: IT services sector adds several new listings this year
  https://technews.tw/2022/11/16/digital-transformation-wave-information-services-stocks/
- Magento e-commerce platform targeted by the TrojanOrders campaign
  https://sansec.io/research/trojanorder-magento
- Hacker group WASP targets Python developers
  https://medium.com/checkmarx-security/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192
- US NSA urges developers to use memory-safe programming languages
  https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/
- FBI director: China steals more US data than all other countries combined
  https://udn.com/news/story/6813/6770961
- Overseas shopping forwarder Maybuys International's website outage suspected to be sabotage by a former technician
  https://maybuys.com/
- French government spends 30 million euros to build a "cyber shield"
  https://www.trade.gov.tw/Pages/Detail.aspx?nodeID=45&pid=753023
- Russia-Ukraine war: tracking Russian oligarchs' superyachts, the BBC witnesses sanctions and seizures first-hand
  https://www.thenewslens.com/article/176431
- ENISA says geopolitical conflict is catalyzing cyberattacks
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10172
- EU regulators oppose making tech companies pay for telecom infrastructure
  https://blog.twnic.tw/tag/berec/
- UK reportedly orders Chinese-owned Nexperia to sell at least 86% of its stake in the country's largest chip plant
  http://www.aastocks.com/tc/stocks/news/aafn-news/NOW.1227100/2
- To avoid national security risks, the UK blocks a full Chinese takeover of a British chip plant
  https://www.rti.org.tw/news/view/id/2150758
- Uganda's new law restricts internet use
  https://blog.twnic.tw/2022/11/17/24912/
- Multinational cyber exercise: US, Russia and China participate together for the first time
  https://www.ydn.com.tw/news/newsInsidePage?chapterID=1546712
- Australian government considers legislation making ransom payments to hackers illegal
  https://technews.tw/2022/11/18/australia-is-considering-a-ban-on-ransom-payments-to-hackers/
- FBI reportedly hit by a DDoS attack from the Russian hacker group Killnet
  https://www.foxnews.com/world/pro-russian-hackers-claim-cyber-attack-fbi-website
- Russian user-analytics component vendor posed as a US company; the US Army and CDC are among its users and may be exposed
  https://www.reuters.com/technology/exclusive-russian-software-disguised-american-finds-its-way-into-us-army-cdc-2022-11-14/
- New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders
  https://thehackernews.com/2022/11/new-earth-longzhi-apt-targets-ukraine.html
- Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign
  https://thehackernews.com/2022/11/over-15000-wordpress-sites-compromised.html
- Symantec says Billbug attacked digital certificate authorities in Asia; Iran-linked hackers breached a US government agency via Log4Shell
  https://vitomag.com/code/fpnnhs.html
- Targeted by the Chinese hacker group Billbug, government agencies and certificate authorities in several Asian countries face increased security risk
  https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority
- Chinese Hackers Using 42,000 Imposter Domains in Massive Phishing Attack Campaign
  https://thehackernews.com/2022/11/chinese-hackers-using-42000-imposter.html
- FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva
  https://thehackernews.com/2022/11/fbi-wanted-leader-of-notorious-zeus.html
- US federal agency breached by Iranian hackers via the Log4Shell vulnerability
  https://www.cisa.gov/uscert/ncas/alerts/aa22-320a
- Iranian hackers plant a cryptominer on a US federal network
  https://times.hinet.net/news/24259773
- Iranian Hackers Compromised a U.S. Federal Agency's Network Using Log4Shell Exploit
  https://thehackernews.com/2022/11/iranian-hackers-compromised-us-federal.html
- North Korean group Lazarus spreads the DTrack backdoor to organizations in Europe and Latin America
  https://securelist.com/dtrack-targeting-europe-latin-america/107798/
- North Korean Hackers Targeting Europe and Latin America with Updated DTrack Backdoor
  https://thehackernews.com/2022/11/north-korean-hackers-targeting-europe.html
- [Well-known foundation] [Cybersecurity Institute] On-site project assistant at the Ministry of Economic Affairs
  https://www.104.com.tw/job/7t92k
- Information Security Project Deputy Manager, a well-known company (3006971)
  https://headhunt.com.tw/pages/job-description.aspx?id=3006971
- Information and Communication Security Group, Senior Engineer (221)
  https://job.taiwanjobs.gov.tw/Internet/jobwanted/JobDetail.aspx?EMPLOYER_ID=628290&HIRE_ID=11589997
- Security Consultant (中芯)
  https://www.104.com.tw/job/7tinz

### D. Data Breaches / Personal Data Protection Act / GDPR / Online Fraud / Phishing / Card Fraud / Fake News / Cyberbullying / Account Security

- 921 per minute! Microsoft: credential-stealing attacks rose 74% over the past year
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10180
- Large-scale phishing campaign abuses over 400 brands, targeting regions outside China
  https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/
- Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data
  https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.html
- Google's passwordless era arrives: FIDO-compliant Passkeys added to Android and Chrome
  https://www.webcomm.com.tw/blog/fido-passkeys/
- Russian e-scooter rental firm Whoosh confirms data breach; hackers publish 7.2 million user records
  https://www.bleepingcomputer.com/news/security/whoosh-confirms-data-breach-after-hackers-sell-72m-user-records/
- As the holiday shopping season arrives, US and Canadian consumers are targeted by phishing attacks impersonating well-known local brands
  https://www.akamai.com/blog/security-research/sophisticated-phishing-scam-abusing-holiday-sentiment
- Misconfigured server at a US health insurer exposes personal data of 600,000 inmates
  https://www.bankinfosecurity.com/misconfigured-server-exposed-phi-600000-inmates-a-20482?
- US FBI accuses China of large-scale theft of trade secrets and personal data, with TikTok the most concerning
  https://www.bloomberg.com/news/articles/2022-11-15/fbi-is-extremely-concerned-about-future-tiktok-deal-christopher-wray-says
- TikTok's new privacy policy lets China-based staff access data of European and other users; why "sell out" users?
  https://www.bnext.com.tw/article/72443/tiktok-china-staff-can-access-user-data
- MJIB uncovers 中華○○ company receiving funds from the mainland company 微視 to conduct cognitive warfare against Taiwan
  https://www.mjib.gov.tw/news/Details/1/822
- Suspected of taking Chinese corporate funds for cognitive warfare against Taiwan; MJIB questions 6 people and refers them for prosecution
  https://www.cna.com.tw/news/asoc/202211180172.aspx
- Under Chinese direction, "Japan evacuating nationals" disinformation was spread on Facebook; MJIB questions the operator of the "中華微視" fan page, released on NT$90,000 bail
  https://www.techbang.com/posts/101813-the-investigation-bureau-found-that-china-microvision-had
- Researchers find hundreds of AWS relational database instances that may be leaking data
  https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- Google settles with 40 US states for nearly US$400 million over secretly recording users' location history
  https://www.ithome.com.tw/news/154200
- NVIDIA Taiwan's official Twitter account hijacked; hackers use the verified account to promote Dogecoin
  https://news.xfastest.com/nvidia/120556/nvidia-taiwan-dogecoin/
- TV anchor reveals the latest scam tactic of building rapport to gain trust; targeted groups exposed
  https://www.chinatimes.com/realtimenews/20221117001192-260404?ctrack=pc_star_headl_p01&chdtv

### E. Research Reports / Tools

- Information security tools
  https://ctm.site.nthu.edu.tw/p/16-1072-45364.php
- Trends and defenses for middlebox TCP reflection amplification DDoS attacks
  https://www.twcert.org.tw/tw/cp-14-6710-e8a18-1.html
- Breaking free of the Chinese drone supply chain starts now
  https://www.upmedia.mg/news_info.php?Type=2&SerialNo=159106
- Microsoft: share of nation-state attacks targeting critical infrastructure has doubled
  https://technews.tw/2022/11/17/nation-state-threats/
- Zero trust network security architecture: 雲高科技's comprehensive cloud security solution (part 1)
  https://www.digitimes.com.tw/tech/dt/n/shwnws.asp?cnlid=14&cat=60&id=0000650124_FIW0DQBN3PZUDW3QUU7QD
- Cybercrime goes "as-a-service": 5 major security threat trends for 2023
  https://fc.bnext.com.tw/articles/view/2562
- Inquiry recommends the Swedish government take control of electronic ID
  https://www.trademag.org.tw/page/newsid1/?id=7871929&iz=2
- VPN vs. DNS Security
  https://thehackernews.com/2022/11/vpn-vs-dns-security.html
- How to Create a Personal VPN for Yourself for Free
  https://medium.com/@aplaceofmind/how-to-create-a-personal-vpn-for-yourself-for-free-92282a06c8ef
- Multiple High-Severity Flaws Affect Widely Used OpenLiteSpeed Web Server Software
  https://thehackernews.com/2022/11/multiple-high-severity-flaw-affect.html
- What is an External Penetration Test
  https://thehackernews.com/2022/11/what-is-external-penetration-test.html
- Deep Packet Inspection vs. Metadata Analysis of Network Detection & Response (NDR) Solutions
  https://thehackernews.com/2022/11/deep-packet-inspection-vs-metadata.html
- Researchers Say China State-backed Hackers Breached a Digital Certificate Authority
  https://thehackernews.com/2022/11/researchers-say-china-state-backed.html
- Invitation Hijacking
  https://medium.com/@vflexo/invitation-hijacking-4d6467f418cc
- The 2023 ReactJS Developer Roadmap | Zero to Hero
  https://medium.com/@iqrajamil/the-2022-reactjs-developer-roadmap-zero-to-hero-39b6db534dc0
- How we built the Tinder API Gateway
  https://medium.com/tinder/how-we-built-the-tinder-api-gateway-831c6ca5ceca
- Kafka producer deep-dive: partition assignment
  https://medium.com/@bb8s/kafka-producer-deep-dive-partition-assignment-846dcc366689
- Top Websites To Practice Coding
  https://gaurav464.medium.com/top-websites-to-practice-coding-125ba209eb5a
- The Architecture of a Modern Startup
  https://betterprogramming.pub/architecture-of-modern-startup-abaec235c2eb
- Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service
  https://thehackernews.com/2022/11/researchers-reported-critical-sqli-and.html
- How to Test Your Firewall Security & Rules | Rivial Security
  https://pccicblog.wordpress.com/2022/11/15/how-to-test-your-firewall-security-rules-rivial-security/

### F. Business

- New Updates for ESET's Advanced Home Solutions
  https://thehackernews.com/2022/11/eset-antivirus-advanced-protection.html
- ESET releases its 2022 global SMB cybersecurity survey report
  https://www.twcert.org.tw/tw/cp-104-6704-d1cb2-1.html
- VMware launches VMware Carbon Black XDR to improve lateral security
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10175
- Hitachi Vantara partners with 聯達資訊 to strengthen data storage applications and security management
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10173
- 7 Reasons to Choose an MDR Provider
  https://thehackernews.com/2022/11/7-reasons-to-choose-mdr-provider.html
- Fortinet releases its 2023 threat predictions, noting an ever finer division of labor in cybercrime
  https://www.fortinet.com/tw/demand/gated/wp-threat-prediction-2023
- Mozilla Foundation releases Firefox 107, patching 19 vulnerabilities
  https://www.securityweek.com/firefox-107-patches-high-impact-vulnerabilities
- Zyxel Group CISO 游政卿 shares 6 strategies for turning security investment into value
  https://www.ithome.com.tw/news/154104
- Zero trust network security architecture: 雲高科技's comprehensive cloud security solution
  https://www.digitimes.com.tw/tech/dt/n/shwnws.asp?cnlid=14&cat=60&id=0000650124_FIW0DQBN3PZUDW3QUU7QD
- Update now! One Windows version reaches end of support next January
  https://reurl.cc/EXGeRA

### G. Government

- Repeated major security incidents at PTS; Control Yuan censures the Ministry of Culture and the NCC
  https://www.cna.com.tw/news/aipl/202211110246.aspx
- Rumors of election-rigging software circulate online; CEC rebuts: the vote-counting system runs on a closed network with complete security protection
  https://reurl.cc/4XQv2L
- High-level election security: Chunghwa Telecom, the Administration for Cyber Security and the CEC on full alert
  https://www.epochtimes.com/b5/22/11/17/n13867868.htm
- 2nd government cybersecurity protection roadshow seminar of ROC year 111 (2022)
  https://www.nccst.nat.gov.tw/HandoutDetail?lang=zh&seq=1295
- Security vacancies at the Ministry of Digital Affairs also require background checks
  https://reurl.cc/aa1AvD
- Competing for security talent: DGPA coordinates with the Ministry of Digital Affairs to add bonuses and allowances
  https://wantrich.chinatimes.com/news/20221116900940-420501
- CCP covert police surveil overseas Taiwanese; OCAC convenes a security meeting
  https://reurl.cc/06EROY
- MOE innovation and entrepreneurship program: 3 NTUST teams win excellence awards
  https://www.cna.com.tw/news/ahel/202211160201.aspx
- New Southbound export practice forum: using digital technology to seize new market opportunities
  https://www.trade.gov.tw/Pages/detail.aspx?nodeID=40&pid=752911

### H. Industrial Control Systems / ICS / SCADA / IoT / Connected Vehicles / EVs / AI / ML / Facial Recognition / Healthcare Security

- Three principles for reviewing network security so that OT security deployment takes fewer wrong turns
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10171
- Trend Micro subsidiary VicOne launches a remote diagnostic service for in-vehicle software security
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10170
- Vulnerability in the Aiphone access control system lets doors be opened via NFC without passing authentication; advisory published this month
  https://promon.co/security-news/aiphone-vulnerability/
- EV-specific navigation and the Project X new car plan: MIH Demo Day showcases future vehicle technology
  https://www.eettaiwan.com/20221118nt11-mih-demo-day-highlight/
- PCspooF vulnerability could affect the operation of power systems in aircraft and spacecraft
  https://news.umich.edu/cyber-vulnerability-in-networks-used-by-spacecraft-aircraft-and-energy-generation-systems/

### I. Education and Training

- iPAS Information Security Engineer (intermediate) notes
  https://hackmd.io/@Not/iPASInformationSecuritySpecialist
- iPAS security engineer certification pre-exam workshop
  https://reurl.cc/GEbA3p
- Coursera rounds up 7 cloud security certifications, the stepping stones to high pay
  https://buzzorange.com/techorange/2022/07/12/cloud-security-certificates/
- Global cybersecurity workforce imbalance: (ISC)2 free course and exam to fill the talent gap
  https://reurl.cc/m39MDj
- CISSP exam experience
  https://reurl.cc/KbY83j
- CISSP exam experience – Benson
  https://reurl.cc/GbWvxd
- Goal-oriented: passing CISSP in 20 days
  https://reurl.cc/2Zq6zn
- CISSP certification exam hands-on experience, chapter 1: initial preparation
  https://netmag.tw/2022/06/17/the-cissp-has-learned-the-first-chapter-in-actual-combat
- CPSA (CREST Practitioner Security Analyst) exam experience
  https://tech-blog.cymetrics.io/posts/huli/crest-cpsa-prepare/
- EC-Council CEH v11 exam experience, version changes and preparation guidance, 2021 and 2022
  https://reurl.cc/1oyEM8
- CEH v11 exam experience and preparation approach
  https://blog.sean.taipei/2022/01/ceh
- In-depth CPENT exam experience and comparison with OSCP
  https://reurl.cc/41eL8v
- EC-Council CPENT v1 penetration testing certification – content and experience
  https://hackercat.org/pentesting/ec-council-cpent-v1-experience-review
- [Exam prep notes] CompTIA Security+ (SY0-601), part 1
  https://reurl.cc/M053DK
- [Exam prep notes] CompTIA Security+ (SY0-601), part 2
  https://reurl.cc/M053Gv
- App security is not just for engineers: the painful path to obtaining a security testing certificate (iT邦幫忙鐵人賽 book series)
  https://news.pchome.com.tw/living/books/20220202/index-64375841669874292009.html
- Learn NIST Inside Out With 21 Hours of Training @ 86% OFF
  https://thehackernews.com/2022/06/learn-nist-inside-out-with-21-hours-of.html
- The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
  https://reurl.cc/D3nKKj
- Practical Network Penetration Tester (PNPT) Certification Review
  https://tmc222.medium.com/practical-network-penetration-tester-pnpt-certification-review-4280e4e164df
- Basic vocabulary commonly used by WUSON
  https://choson.lifenet.com.tw/?p=1958
- Taiwan's networks repeatedly hacked; Control Yuan members initiate an investigation
  https://www.chinatimes.com/realtimenews/20220810003152-260407?chdtv

## 6. Upcoming Security Events and Conferences

- Mobile App Security Testing (APK/IPA), 2022-11-18 09:00 ~ 2022-11-18 12:00
  https://www.cisanet.org.tw/Course/Detail/2865
- [Security Lecture] Cloud offense and defense! Enterprise security talent program fully launched, 2022/11/18
  https://www.accupass.com/event/2210180843504199134720
- 5G smart drone application hands-on workshop @ Tainan Shalun Cybersecurity Base, 2022/11/19
  https://ev.ncku.edu.tw/p/404-1184-246816.php?Lang=zh-tw
- Taipei dbt Meetup #7 (in-person & online), 2022/11/19
  https://www.meetup.com/taipei-dbt-meetup/events/288207892/
- Enterprise Security Practice Seminar, 2022/11/22
  https://www.twcert.org.tw/tw/cp-105-6702-d4a1d-1.html
- 2023 Smart Security Solutions Trends and Business Opportunities Forum, 2022/11/28
  https://www.tca.org.tw/exhibit_info1.php?n=1837
- IoT Security Summit, 2022/12/6
  https://www.mem.com.tw/event/web%20test/index.html
- ICS 2022 WORKSHOP PROGRAM - "Ubiquitous Cybersecurity and Forensics", 2022/12/15 ~ 2022/12/17
  https://ics2022.esam.io/
- One-day Hacker x Network Vulnerability Penetration, 2022/12/17
  https://www.accupass.com/event/2210270652481821159224
- TANET 2022 WORKSHOP PROGRAM - "2nd Digital Forensics, Medical Privacy and Cyber Security", 2022/12/15 ~ 2022/12/17
  https://tanet2022.esam.io/