###### tags: `資安事件新聞週報`

# Security Incident News Weekly Report 2022/9/26 ~ 2022/9/30

## 1. Major vulnerabilities / backdoors / exploits / zero-days

- Vulnerabilities in the BIND DNS software could be used for DoS attacks
  https://www.securityweek.com/bind-updates-patch-high-severity-vulnerabilities
- Sophos patches an actively exploited firewall RCE vulnerability
  https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
- Unpatched endpoint device management vulnerability disclosed; Microsoft issues an out-of-band update
  https://www.securityweek.com/microsoft-issues-out-band-patch-flaw-allowing-lateral-movement-ransomware-attacks
- Five-year-old Office vulnerability still used in attacks: attackers impersonate government agencies to distribute Cobalt Strike
  https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
- New Microsoft Exchange zero-day emerges and is already being targeted by attackers
  https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
- Hackers Exploited Zero-Day RCE Vulnerability in Sophos Firewall — Patch Released
  https://thehackernews.com/2022/09/hackers-actively-exploiting-new-sophos.html
- CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability
  https://thehackernews.com/2022/09/cisa-warns-of-hackers-exploiting-recent.html
- CHT Security (中華資安國際) discovers a CVE: a vulnerability in a well-known international open-source project
  https://www.chtsecurity.com/news/f7e14bc6-ddf1-4cb0-8cae-f652c60d2ae4
- Critical Atlassian Confluence vulnerability exploited again: attackers chain it with PwnKit for cryptomining
  https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html
- Five high-severity Chrome vulnerabilities could let attackers in; Google releases a fix
  https://times.hinet.net/news/24167298
- Google releases Chrome 106, patching five high-severity vulnerabilities
  https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_27.html
- Drupal releases an update fixing a critical vulnerability in the Twig template engine that could leak sensitive information
  https://www.drupal.org/sa-core-2022-016

## 2. Banking / finance / insurance / securities / payment systems / financial regulation: news and security

- China Development Financial COO resigns; 周旺暾 takes over as CISO of KGI Bank
  https://ctee.com.tw/livenews/aj/ctee/a93610002022092620415374
- Big data × security × digital finance × sustainability: Soochow University uses technology to add value to future talent
  https://www.cheers.com.tw/amp/article/5101220
- TPI DAY decodes the "3 decisive points" of financial innovation and transformation strategy
  https://buzzorange.com/techorange/2022/09/27/tpi-day-2022/
- Worried about security risks? Cathay United Bank's secret weapon protects you: fast and secure wealth management and investing in the app
  https://www.businesstoday.com.tw/article/category/183012/post/202209150020/
- Swiping even for under NT$500: the number of small-amount credit card transactions keeps growing
  https://www.wealth.com.tw/articles/e4e1833c-fa6c-44f2-9286-b823e3ca572d
- Second-half license tax for commercial vehicles for ROC year 111 (2022) to be levied from October 1; payment deadline October 31
  https://www.etax.nat.gov.tw/etwmain/announcement/news/ZJ7gwa
- TDCC (集保結算所) recruits widely to build a new future for the capital markets
  https://www.winnews.com.tw/91143/

## 3. E-payment / mobile payment / pay / security

- Continuously improving the integration of e-ticket and e-payment data, iPASS deepens the user experience by understanding its members
  https://www.ithome.com.tw/people/153209
- A first in Taiwan: buying funds directly by e-payment debit, the real ambition of PX Mart's PXPay Plus (全支付)
  https://www.cw.com.tw/article/5122926?template=transformers
- HAPPY GO Pay mobile payment: donate e-invoices online
  https://reurl.cc/YXaOOa
- Some Android users are unable to use Google Wallet for unknown reasons
  https://m.eprice.com.tw/smartos/talk/124/5752258/1
- Consolidating cluttered mobile-payment QR codes: Ningxia Night Market trials a "universal code" to help consumers and vendors
  https://reurl.cc/gMAWWL
- iPASS MONEY bill-payment service adds National Pension and other everyday bill-payment items
  https://reurl.cc/yM8Ee2

## 4. Cryptocurrency / digital currency / mining / blockchain / smart contracts / Web3 security

- Web3 in a chill, but Binance's He Yi remains optimistic
  https://ctee.com.tw/news/tech/723299.html
- Results announced | Summer celebration cold-wallet tour: Web3 security essay contest
  https://reurl.cc/3YnN9M
- Rethinking the "reversible transaction standards" ERC-20R and ERC-721R: custody is the better solution
  https://www.blocktempo.com/reverse-trading-token-standard-erc20r-and-erc721r-rethink-of-correction/
- Crypto.com becomes the latest scam target of the Lazarus hacking group
  https://news.cnyes.com/news/id/4967537

## 5. Security incident news

### A. Viruses and trojans / botnets / ransomware / adware / APT / backdoors / IOCs

- Ransomware uses intermittent encryption to evade detection
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10091
- The StrongPity group abuses Notepad++ plugins to evade detection
  https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence
- npm package used by multiple cryptocurrency exchanges injected with malicious code
  https://www.twcert.org.tw/tw/cp-104-6563-0f23c-1.html
- NPM package developed by a DeFi firm implanted with credential-stealing malware
  https://www.mend.io/resources/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/
- Chinese threat group TA413 uses the LOWZERO backdoor against Tibetan targets
  https://www.recordedfuture.com/chinese-state-sponsored-group-ta413-adopts-new-capabilities-in-pursuit-of-tibetan-targets
- Dark-web toolkit that distributes the Agent Tesla trojan can bypass Windows UAC
  https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
- Attackers buy search-engine ads to spread the NullMixer dropper, implanting more than ten tools on victim machines
  https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/
- Be careful when downloading Zoom from links: attackers spread info-stealers through fake websites
  https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/
- Iranian attackers use fake bank rewards as a lure to spread malware to Indian Android users
  https://www.microsoft.com/security/blog/2022/09/21/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices/
- Reuters: senior Indonesian officials were reportedly targeted by spyware last year
  https://www.rti.org.tw/news/view/id/2146013
- Erbium info-stealer spread disguised as game cracks and cheat tools
  https://www.cyfirma.com/outofband/erbium-stealer-malware-report/
- Microsoft SQL Server targeted by Fargo ransomware; attackers apparently exploiting weak passwords and unpatched vulnerabilities
  https://asec.ahnlab.com/en/39152/
- Leaked LockBit 3.0 builder already used in attacks
  https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/
- BRC4, a penetration-testing tool that evades EDR and antivirus, cracked and shared on hacker forums
  https://blog.bushidotoken.net/2022/09/brute-ratel-cracked-and-shared-across.html
- Chinese group APT41 spreads the IcedID stealer via CHM files
  https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
- Chaos malware infects Windows and Linux devices and uses them for DDoS attacks
  https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/
- North Korea's Lazarus repeats an old trick, targeting Mac users with malware disguised as job offers from the cryptocurrency exchange Crypto.com
  https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
- Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
  https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
- Erbium Stealer, a new Infostealer enters the scene
  https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer
- Beware of malware delivered through PowerPoint slideshow mode: infection is possible even without clicking
  https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/
- Hackers Using PowerPoint Mouseover Trick to Infect System with Malware
  https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html
- BumbleBee: Round Two
  https://thedfirreport.com/2022/09/26/bumblebee-round-two/
- The Mystery of Metador | An Unattributed Threat Hiding in
  https://assets.sentinelone.com/sentinellabs22/metador
- Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor
  https://thehackernews.com/2022/09/chinese-espionage-hackers-target.html
- BlackCat and BlackMatter ransomware actors use the Exmatter data-destruction tool against victim machines
  https://www.cyderes.com/blog/threat-advisory-exmatter-data-extortion/
- BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal
  https://thehackernews.com/2022/09/blackcat-ransomware-attackers-spotted.html
- New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials
  https://thehackernews.com/2022/09/new-nullmixer-malware-campaign-stealing.html
- Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems
  https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html
- Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware
  https://thehackernews.com/2022/09/cyber-criminals-using-quantum-builder.html

### B. Mobile security / iPhone / Android / wearables / apps / 5G / instant messaging

- Experts Uncover 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme
  https://thehackernews.com/2022/09/experts-uncover-85-apps-with-13-million.html
- BSMI sets two national standards to strengthen smartphone security
  https://www.economic-news.tw/news_content.php?id=7405
- BSMI establishes national standards for security requirements and test methods for smartphone built-in system software, strengthening smartphone security
  https://www.bsmi.gov.tw/wSite/ct?xItem=102477&ctNode=8020&mp=8
- To strengthen mobile phone security, the MOEA Bureau of Standards, Metrology and Inspection sets standards for built-in software security requirements and test methods
  https://www.moea.gov.tw/Mns/populace/news/News.aspx?kind=1&menu_id=40&news_id=102862
- In the digital wealth-management era, choice matters more than effort: pick the right app and online banking security is not a gamble
  https://esg.ettoday.net/news/2339368?redirect=1
- 13 million installs: security researchers find fraudulent adware on Google Play and the Apple App Store
  https://www.inside.com.tw/article/29095-adware-on-google-play-and-apple-store-installed-13-million-times
- These ten apps even fooled Apple; security team: two signs on your phone to watch for
  https://reurl.cc/leW0bY
- Researchers find more than 80 fraudulent apps on the Google and Apple app stores
  https://www.humansecurity.com/learn/blog/poseidons-offspring-charybdis-and-scylla
- Integrating zero-trust protection, Cloudflare announces a SIM card in the US to block phone-number hijacking
  https://www.businesswire.com/news/home/20220926005108/en/Cloudflare-Announces-the-First-Zero-Trust-SIM-for-Mobile-Devices---To-Better-Secure-Enterprises%E2%80%99-Corporate-Networks-and-Protect-Employees
- WhatsApp patches RCE vulnerabilities exploitable through video calls
  https://www.securityweek.com/two-remote-code-execution-vulnerabilities-patched-whatsapp
- Lost phone containing important data recovered by Tianliao police using technology
  https://reurl.cc/O4N0kD

### C. Incidents / hackers / DDoS / APT / cloud / dark web / recruiting / international security incidents / security workforce / security and national security

- Facing up to traditional information security and AI security
  https://www.setn.com/News.aspx?NewsID=1184096
- Self-proclaimed "hacker" at Lok Sin Tong Leung Kau Kui (樂善堂梁銶琚) sends apology email: the sense of success completely overrode reason
  https://www.hk01.com/article/820183?utm_source=01articlecopy&utm_medium=referral
- Twilio breach affects 163 companies and is very likely part of a large-scale supply-chain attack on identity-verification providers
  https://reurl.cc/bErzgo
- UK police arrest a 17-year-old suspected of hacking Uber, Rockstar and other companies
  https://www.twcert.org.tw/tw/cp-104-6562-528ee-1.html
- The Uber attacker may be someone else; researchers say the teenager arrested by UK police is suspected of related attacks
  https://thehackernews.com/2022/09/london-police-arrested-17-year-old.html
- Metador group targets telecom operators, ISPs and universities in the Middle East and Africa
  https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/
- US business outlet Fast Company hacked; attacker pushes obscene and racist messages in its name
  https://www.bleepingcomputer.com/news/security/hacker-shares-how-they-allegedly-breached-fast-company-s-site/
- Ukrainian police arrest members of a hacking group that stole and sold 30 million accounts
  https://ssu.gov.ua/novyny/sbu-neitralizuvala-khakerske-uhrupovannia-yake-zlamalo-maizhe-30-mln-akauntiv-hromadian-ukrainy-ta-yes
- Ukraine warns that Russian hackers are about to launch massive cyberattacks on allies' critical infrastructure
  https://www.securityweek.com/ukraine-says-russia-planning-massive-cyberattacks-critical-infrastructure
- Microsoft reveals that North Korean group ZINC is weaponizing numerous open-source tools
  https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- Flaws in a covert CIA communications system exposed the identities of informants
  https://citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/
- Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts
  https://thehackernews.com/2022/09/hackers-using-fake-circleci.html
- Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities
  https://thehackernews.com/2022/09/researchers-uncover-new-metador-apt.html
- Void Balaur Hackers-for-Hire Targeting Russian Businesses and Politics Entities
  https://thehackernews.com/2022/09/void-balaur-hackers-for-hire-group-now.html
- London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches
  https://thehackernews.com/2022/09/london-police-arrested-17-year-old.html
- Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures
  https://thehackernews.com/2022/09/ukraine-says-russia-planning-massive.html
- North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs
  https://thehackernews.com/2022/09/north-koreas-lazarus-hackers-targeting.html
- Facebook Shuts Down Covert Political 'Influence Operations' from Russia and China
  https://thehackernews.com/2022/09/facebook-shuts-down-covert-political.html
- Researchers Uncover Covert Attack Campaign Targeting Military Contractors
  https://thehackernews.com/2022/09/researchers-uncover-covert-attack.html
- Digital security engineer (job posting)
  https://job.taiwanjobs.gov.tw/Internet/jobwanted/JobDetail.aspx?EMPLOYER_ID=1003846&HIRE_ID=11465183
- TCP - Information Security Management System Manager (foreign company, international team)
  https://www.104.com.tw/job/7ddeg?jobsource=jolist_d_date
- Project Engineer
  https://www.linkedin.com/jobs/view/%E8%B3%87%E5%AE%89%E5%B7%A5%E7%A8%8B%E5%B8%AB-aeb-at-acer-3287822786/?originalSubdomain=tw

### D. Data breaches / Personal Data Protection Act / GDPR / online fraud / phishing / card fraud / fake news / cyberbullying / account security

- Ukraine Arrests Cybercrime Group for Selling Data of 30 Million Accounts
  https://thehackernews.com/2022/09/ukraine-arrests-cybercrime-group-for.html
- Five Steps to Mitigate the Risk of Credential Exposure
  https://thehackernews.com/2022/09/five-steps-to-mitigate-risk-of.html
- Swachh City Platform Suffers Data Breach Leaking 16 Million User Records
  https://thehackernews.com/2022/09/swachh-city-platform-suffers-data.html
- Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks
  https://thehackernews.com/2022/09/hackers-aid-protests-against-iranian.html
- Shopper buying a NT$500 hangover remedy online scammed out of more than NT$680,000; the "cancel installment payment" scam ranks second
  https://n.yam.com/Article/20220925165683
- Optus breach leaks personal data; Australia plans to change customer privacy rules
  https://www.rti.org.tw/news/view/id/2145565
- Alleged hacker claims to have deleted the leaked Optus data and drops the ransom demand
  https://reurl.cc/4pzyER
- Only a NT$2,000 coupon offered after a member data leak; Lion Travel becomes the first "class action" case
  https://www.ctwant.com/article/209463
- Suspected insider leak victimizes nearly 3,000 members; police plan to assist a class action to curb fraud
  https://www.ctwant.com/article/209461
- Books.com.tw (博客來) suspected internal data leak: more than 3,000 members defrauded, cumulative losses exceed NT$100 million
  https://news.pts.org.tw/article/601792
- Books.com.tw tops the scam-risk ranking; an insider leak is not ruled out
  https://news.cts.com.tw/cts/life/202209/202209272093304.html
- Flooded with phishing links? Even TSMC was once infected and halted: four "zero trust" things you should do
  https://udn.com/news/story/6841/6643201
- To expose government security negligence? Hacker Bjorka takes on the Indonesian government, sweeping up 1.3 billion personal records
  https://reurl.cc/kEeVYb
- New technique for stealing developers' GitHub accounts: attackers target CI/CD platforms
  https://www.bleepingcomputer.com/news/security/hackers-stealing-github-accounts-using-fake-circleci-notifications/
- Major Australian telecom Optus hacked; data of more than 9 million customers leaked
  https://www.ithome.com.tw/news/153244
- Optus data breach: the hacker, apparently under law-enforcement scrutiny, claims to have deleted the stolen data
  https://www.bleepingcomputer.com/news/security/optus-hacker-apologizes-and-allegedly-deletes-all-stolen-data/
- Samsung faces a customer class action over this year's data breaches
  https://www.securityweek.com/samsung-sued-over-recent-data-breaches
- Sharp rise in SMS phishing impersonating the US IRS
  https://www.bleepingcomputer.com/news/security/irs-warns-americans-of-massive-rise-in-sms-phishing-attacks/
- Military contractors hit by a covert attack campaign; attackers phish their employees
  https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/
- E-commerce platform 快點購 says it was hacked and customer data may have leaked; public warned to beware of scams
  https://tw.news.yahoo.com/news/%E8%A9%90%E9%A8%99%E9%9B%86%E5%9C%98%E7%8C%96%E7%8D%97%E6%AC%B2%E5%85%A5%E4%BE%B5%E7%AB%8A%E5%8F%96%E6%B6%88%E8%B2%BB%E8%80%85%E8%B3%87%E6%96%99-%E5%BF%AB%E9%BB%9E%E8%B3%BC%E5%AE%98%E6%96%B9-%E5%B7%B2%E5%A0%B1%E8%AD%A6%E4%B8%A6%E5%BC%B7%E5%8C%96%E8%B3%87%E5%AE%89-082233707.html
- Auth0 discloses a leak of code repository archives from October 2020 and earlier, stressing that it predates the Okta acquisition
  https://auth0.com/blog/auth0-code-repository-archives-from-2020-d-earlier/
- Public urged not to trust fake gift vouchers and QR codes left in mailboxes; 7-11 clarifies it is running no NT$2,000 cash voucher campaign
  https://www.ettoday.net/news/20220929/2347729.htm
- Scams impersonating five major e-commerce sites; Criminal Investigation Bureau: ATMs have no "cancel setting" function
  https://www.1111.com.tw/news/jobns/147854
- Security risk: only 10% of enterprises have never had a data breach
  https://reurl.cc/GE6mkv
- Trend Micro names the four scariest online traps; online-shopping scams top the list
  https://udn.com/news/story/7239/6650403
- Criminal groups target video platforms; number of phishing sites up 132% quarter-on-quarter
  https://www.digitimes.com.tw/tech/dt/n/shwnws.asp?cnlid=1&id=0000646193_QMN0D2TQLDNOMM2BIVRD7

### E. Research reports / tools

- 34% of global login attempts in Q1 2022 were credential-stuffing attacks
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10095
- Who says security can't write love letters - 15 (SIEM)
  https://ithelp.ithome.com.tw/articles/10298596?sc=iThelpR
- Day 10: Shareholder annual report case study 9 - Sigurd Microelectronics (6257) (industry: listed, semiconductor)
  https://ithelp.ithome.com.tw/articles/10298128
- Ironman contest (Day 12) - Still haven't gone through 27001 *5
  https://ithelp.ithome.com.tw/articles/10299510?sc=iThelpR
- Ironman contest (Day 14) - Summary of the key steps of 27001
  https://ithelp.ithome.com.tw/articles/10300852
- Cloud security documentation
  https://hackmd.io/@aken1215/Bk4ptM5t_
- Asymmetric warfare
  https://indsr.org.tw/focuslist?uid=3&page=384
- Web security
  https://hackmd.io/@yXDPgoLLQJ-Mtb9M52IJZQ/SkFlqljQt#/
- Enterprise security assessment
  https://hackmd.io/@doggy33/B1-enF4mw
- MFA fatigue attacks are increasingly rampant
  https://www.securityweek.com/high-profile-hacks-show-effectiveness-mfa-fatigue-attacks
- Chinese information-warfare harassment may be the perfect opportunity for a digital upgrade
  https://technews.tw/2022/09/30/chinese-information-war-harassment-may-be-the-perfect-opportunity-for-digital-upgrade/
- KPMG releases its 2022 Taiwan enterprise cyber risk survey: core supply-chain industries urgently need stronger network defenses
  https://home.kpmg/tw/zh/home/media/press-releases/2022/09/kpmg-tw-released-cyber-risk-report-2022.html
- RSM & RPO License
  https://choson.lifenet.com.tw/?p=2132
- Compile Mirai
  https://hackmd.io/@HsuYuSung/ByCXYgaVP/https%3A%2F%2Fhackmd.io%2FA6zMzjr5RnWVFbAzkU1ZMQ%3Fview
- Firing Your Entire Cybersecurity Team? Are You Sure
  https://thehackernews.com/2022/09/firing-your-entire-cybersecurity-team.html
- 5 Network Security Threats And How To Protect Yourself
  https://thehackernews.com/2022/09/5-network-security-threats-and-how-to.html
- Why Continuous Security Testing is a Must for Organizations Today
  https://thehackernews.com/2022/09/why-continuous-security-testing-is-must.html
- Top Cybersecurity Projects With Source Code
  https://naemazam.medium.com/top-cybersecurity-projects-with-source-code-4c06dc74ad9a
- How to upgrade/force upgrade React Native app
  https://appupgrade.medium.com/how-to-upgrade-force-upgrade-react-native-app-a989426c5b91
- How I Found Multiple SQL Injections in 5 Minutes in Bug Bounty
  https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498
- Turning cookie-based XSS into Account Takeover
  https://tutorialboy24.medium.com/turning-cookie-based-xss-into-account-takeover-945b92aaf63a
- How to write eBPF programs with Golang
  https://blog.devgenius.io/how-to-write-ebpf-programs-with-golang-933d58fc5dba
- All about: IDORs
  https://sl4x0.medium.com/all-about-idors-890fcd3bf330
- $600k Bounty, Jetty Features, Response Queue Poisoning, Bypass SSRF Protections, XSS Payloads, and much more
  https://infosecwriteups.com/600k-bounty-jetty-features-response-queue-poisoning-bypass-ssrf-protections-xss-9b7644077829
- Why Civil Rights Groups are Pushing Back Against Amazon’s New Show
  https://momentum.medium.com/how-civil-rights-groups-are-pushing-back-against-amazons-new-show-e1cb5c8cf634
- How To Attack Admin Panels Successfully
  https://infosecwriteups.com/how-to-attack-admin-panels-successfully-72c90eeb818c
- 10 Python Scripts for Automating Your Daily Problems
  https://python.plainenglish.io/10-python-scripts-for-automating-your-daily-problems-91df7fedebab

### F. Business

- Google to Make Account Login Mandatory for New Fitbit Users in 2023
  https://thehackernews.com/2022/09/google-to-make-account-login-mandatory.html
- Improve your security posture with Wazuh, a free and open source XDR
  https://thehackernews.com/2022/09/improve-your-security-posture-with.html
- Security threats come from all directions; enterprises should build defenses along these three dimensions
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10087
- Check Point Horizon puts prevention first, comprehensively strengthening enterprise network, cloud and endpoint protection
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10085
- SaaS misconfigurations can create serious security threats; Palo Alto Networks proposes SSPM (SaaS security posture management)
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10086
- Digital transformation advice for mid- and senior-level managers, from 0 to 1, at TechOrange (科技報橘)
  https://reurl.cc/8payz7
- Trend Micro calls for defenses against the dark metaverse and combined cyber-physical security threats
  https://turnnewsapp.com/livenews/tech/A07657002022092609520161
- Against fraud and security threats, which two areas is Trend Micro's "metaverse security division" targeting first?
  https://www.bnext.com.tw/article/71827/trend-micro-metaverse-security-blockchain-vr-ar-2022
- Chunghwa Telecom and CHT Security join forces to help enterprises raise Taiwan's security capability
  https://www.ettoday.net/news/20220921/2345897.htm?redirect=1
- TeamT5 launches a customized anti-ransomware service
  https://www.eettaiwan.com/express/20220926np21/
- Code security vendor WhiteSource rebrands as Mend
  https://www.mend.io/product-info/news/whitesource-rebrands-as-mend-introduces-industry-first-automated-remediation-with-the-mend-application-security-platform/
- SD-WAN hides security risks; security vendors show their solutions
  https://www.eettaiwan.com/20220928nt11-sd-wan-total-solution-from-companies/
- To get developers to take security seriously, Galaxy Software Services (叡揚) holds its first secure coding competition
  https://times.hinet.net/news/24163357

### G. Government

- Building a trusted supply chain: MODA's Administration for Digital Industries leads Thai and Malaysian vendors on a visit to the Shalun Cybersecurity Service Base
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10094
- Two years to develop diverse heterogeneous networks against large-scale outages, and to ensure social and industrial digital resilience
  https://www.ithome.com.tw/news/153212
- MODA's Administration for Digital Industries leads vendors on a site visit to an ICS security demonstration in Tainan
  https://www.eettaiwan.com/20220927nt22-industrial-control-and-cybersecurity/
- President oversees the oath as new political appointees including Audrey Tang and 闕河鳴 are sworn in today
  https://www.chinatimes.com/realtimenews/20220926001969-260407?chdtv
- Hackathon awards; Tsai Ing-wen: spark more public-policy ideas
  https://reurl.cc/3YnNy0
- NCSIST secrets left unprotected; after evidence was destroyed, it rushes to plug the gaps
  https://udn.com/news/story/7320/6639974
- NCSIST technician downloaded Hsiung Feng III secrets for private possession and deleted the data before the search; sentenced
  https://www.chinatimes.com/realtimenews/20220925003072-260402?ctrack=pc_main_rtime_p04&chdtv
- NCSIST technician downloaded military secrets and deleted the related data before arrest
  https://udn.com/news/story/7320/6639973
- String of intelligence leaks from military intelligence chiefs: the new normal of cross-strait espionage
  https://www.chinatimes.com/amp/newspapers/20220926000269-260118
- Major network service attack incidents: security handling reference guidelines
  https://www.ydn.com.tw/news/newsInsidePage?chapterID=1535486
- INDSR participates in CYBERSEC 2022 Taiwan; Director Tang shares on the "Cybersecurity Maturity Model Certification (CMMC)"
  https://indsr.org.tw/information?uid=7&pid=2191
- To prevent trade-secret leaks, the Executive Yuan passes the Intellectual Property Case Adjudication Act
  https://tw.news.yahoo.com/%E7%87%9F%E6%A5%AD%E7%A7%98%E5%AF%86%E4%B8%8D%E5%A4%96%E6%B4%A9-%E6%94%BF%E9%99%A2%E9%80%9A%E9%81%8E%E6%99%BA%E6%85%A7%E8%B2%A1%E7%94%A2%E6%A1%88%E4%BB%B6%E5%AF%A9%E7%90%86%E6%B3%95-082604956.html
- Chinese Hikvision equipment still lurking on public university campuses; still no disciplinary outcome for the TRA electronic-billboard incident
  https://www.cmmedia.com.tw/home/articles/36318
- Information security management guidelines for signage advertising (video walls, computer display boards)
  https://reurl.cc/60myAy

### H. Industrial control systems / ICS / SCADA / IoT / connected vehicles / EVs / AI / ML / facial recognition / medical security

- Taiwan's automotive electronics industry takes off; automotive security will be the new battleground
  https://www.digitimes.com.tw/iot/article.asp?id=0000645750_9TX6LAX46QY625LAJU9NH
- New Claroty report: the state of global industrial cybersecurity 2021, resilience in the face of crisis
  https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10093
- EU adopts the AI Liability Directive, regulating liability and damages arising from AI's impact on information security
  https://ec.europa.eu/commission/presscorner/detail/en/ip_22_5807
- Schneider Electric patches critical vulnerability CVE-2021-22779, disclosed more than a year ago
  https://www.securityweek.com/details-disclosed-after-schneider-electric-patches-critical-flaw-allowing-plc-hacking?&web_view=true
- A step up: PLANET Technology (普萊德) obtains IEC 62443-4-1 secure product development management system certification
  https://ctee.com.tw/livenews/aj/ctee/a79455002022092719462027
- Boosting R&D capacity and IoT device resilience is the key to stronger security
  http://www.ctimes.com.tw/DispArt-tw.asp?O=HK69S6QRBR8ARASTD1
- Chip security demands rise; III's (資策會) three pillars help defend semiconductor supply-chain security
  https://www.inside.com.tw/article/29125-iii-sc
- TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
  https://www.exploit-db.com/exploits/51017
- Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication
  https://www.exploit-db.com/exploits/51012

### I. Education and training

- iPAS Information Security Engineer (Intermediate) notes
  https://hackmd.io/@Not/iPASInformationSecuritySpecialist
- iPAS security engineer certification exam-prep workshop
  https://reurl.cc/GEbA3p
- Coursera's rundown of 7 cloud security certifications, your springboard to a high salary
  https://buzzorange.com/techorange/2022/07/12/cloud-security-certificates/
- Global cybersecurity workforce imbalance: (ISC)2 free courses and exams fill the talent gap
  https://reurl.cc/m39MDj
- CISSP exam experience
  https://reurl.cc/KbY83j
- CISSP exam experience – Benson
  https://reurl.cc/GbWvxd
- Goal-oriented: passing the CISSP in 20 days at light speed
  https://reurl.cc/2Zq6zn
- CISSP certification exam hands-on experience, Chapter 1: early preparation
  https://netmag.tw/2022/06/17/the-cissp-has-learned-the-first-chapter-in-actual-combat
- CPSA (CREST Practitioner Security Analyst) exam experience
  https://tech-blog.cymetrics.io/posts/huli/crest-cpsa-prepare/
- EC-Council CEH v11 exam experience, version-change information and preparation direction 2021, 2022
  https://reurl.cc/1oyEM8
- CEH v11 exam experience and preparation method
  https://blog.sean.taipei/2022/01/ceh
- In-depth CPENT exam experience and comparison with the OSCP
  https://reurl.cc/41eL8v
- EC-Council CPENT v1 penetration testing certification – content and experience sharing
  https://hackercat.org/pentesting/ec-council-cpent-v1-experience-review
- [Exam prep notes] CompTIA Security+ (SY0-601) Part 1
  https://reurl.cc/M053DK
- [Exam prep notes] CompTIA Security+ (SY0-601) Part 2
  https://reurl.cc/M053Gv
- App security is not just for engineers: the blood-and-tears story of obtaining a security test certificate (iT邦幫忙 Ironman series book)
  https://news.pchome.com.tw/living/books/20220202/index-64375841669874292009.html
- Learn NIST Inside Out With 21 Hours of Training @ 86% OFF
  https://thehackernews.com/2022/06/learn-nist-inside-out-with-21-hours-of.html
- The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (駭客與國家: 網路攻擊與地緣政治新常態)
  https://reurl.cc/D3nKKj
- Practical Network Penetration Tester (PNPT) Certification Review
  https://tmc222.medium.com/practical-network-penetration-tester-pnpt-certification-review-4280e4e164df
- WUSON's commonly used basic vocabulary
  https://choson.lifenet.com.tw/?p=1958
- Taiwan repeatedly hacked; Control Yuan member requests a self-initiated investigation
  https://www.chinatimes.com/realtimenews/20220810003152-260407?chdtv

## 6. Upcoming security events and conferences

- OCF training: how to build a secure network architecture, 2022/10/1
  https://ocftw.kktix.cc/events/ocftot2022
- Blue Team Summit & Training 2022, 2022/10/3 ~ 2022/10/10
  https://www.sans.org/cyber-security-training-events/blue-team-summit-2022/?msc=free-events-mlp
- New security thinking and planning in the wave of digital transformation, 2022/10/6
  https://www.accupass.com/event/2209210154443572722760
- Security exercise hands-on course: zero-trust network PKI authentication and secure-chip root-of-trust applications, 2022/10/7
  https://www.acw.org.tw/News/Detail.aspx?id=3258
- MOPCON 2022, 2022/10/15 ~ 2022/10/16
  https://mopcon.org/
- Financial security case study workshop, 2022/10/17
  https://www.sitca.org.tw/OPF/B0000/PPT049_2022_01.asp
- Kubernetes Summit 2022, 2022/10/18 ~ 2022/10/19
  https://k8s.ithome.com.tw/
- Cisco security lecture, 2022/10/21
  https://www.accupass.com/event/2209281120037267603420
- Security intelligence gathering and security policy trends seminar, centered on the semiconductor supply chain, 2022/10/25
  https://stli.iii.org.tw/news-event.aspx?no=16&d=1177
- CODE BLUE 2022 @TOKYO, 2022/10/27 ~ 2022/10/28
  https://codeblue.jp/2022/en/
- Information security and AI hands-on, 2022/10/28
  https://www.cisanet.org.tw/Course/Detail/2867
- Information security trends | Digital society and information security - director and supervisor certification course series, 2022/11/5
  https://www.accupass.com/event/2208120843261385349231
- Mobile app security testing (APK/IPA), 2022-11-18 09:00 ~ 2022-11-18 12:00
  https://www.cisanet.org.tw/Course/Detail/2865
- ICS 2022 WORKSHOP PROGRAM - "Ubiquitous Cybersecurity and Forensics", 2022/12/15 ~ 2022/12/17
  https://ics2022.esam.io/
- TANET 2022 WORKSHOP PROGRAM - "2nd Digital Forensics, Medical Privacy and Cyber Security", 2022/12/15 ~ 2022/12/17
  https://tanet2022.esam.io/