資安事件新聞週報 2022/10/10 ~ 2022/10/14

###### tags: `資安事件新聞週報` # 資安事件新聞週報 2022/10/10 ~ 2022/10/14 1.重大弱點漏洞/後門/Exploit/Zero Day Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite https://thehackernews.com/2022/10/hackers-exploiting-unpatched-rce-flaw.html Zimbra修補已出現攻擊行動的RCE漏洞 https://www.rapid7.com/blog/post/2022/10/06/exploitation-of-unpatched-zero-day-remote-code-execution-vulnerability-in-zimbra-collaboration-suite-cve-2022-41352/ 電子郵件系統Zimbra尚未修補的RCE漏洞已出現攻擊行動 https://www.rapid7.com/blog/post/2022/10/06/exploitation-of-unpatched-zero-day-remote-code-execution-vulnerability-in-zimbra-collaboration-suite-cve-2022-41352/ 微軟發佈10月份安全性公告 https://www.cisa.gov/uscert/ncas/current-activity/2022/10/11/microsoft-releases-october-2022-security-updates 針對7月被揭露的勒索軟體LockBit攻擊事故，駭客疑似利用新的零時差漏洞入侵Exchange，但有資安專家認為攻擊者利用的漏洞是ProxyNotShell https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/ 微軟發布10月份例行更新，但眾所關注的ProxyNotShell修補並未一起釋出 https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2022-patch-tuesday-fixes-zero-day-used-in-attacks-84-flaws/ Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs https://thehackernews.com/2022/10/microsoft-patch-tuesday-fixes-new.html 針對Fortinet CVE-2022-40684漏洞的PoC已經出現 https://thehackernews.com/2022/10/poc-exploit-released-for-critical.html Fortinet修補防火牆、網頁安全閘道RCE漏洞，但先私下通知部分用戶 https://www.ithome.com.tw/news/153533 Fortinet 警告管理員立即修補關鍵的身份驗證繞過錯誤 https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/ Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks https://thehackernews.com/2022/10/poc-exploit-released-for-critical.html 沙箱元件vm2存在重大漏洞Sandbreak，可被用於RCE攻擊 https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067 Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox https://thehackernews.com/2022/10/researchers-detail-critical-rce-flaw.html Cisco 近日發布更新以解決多個產品的安全性弱點 https://www.cisa.gov/uscert/ncas/current-activity/2022/10/06/cisco-releases-security-updates-multiple-products 資安廠商踢爆VMware vCenter Server漏洞拖了快1年仍修不好，最新推出的vSphere 8仍無法倖免 https://www.bleepingcomputer.com/news/security/vmware-vcenter-server-bug-disclosed-last-year-still-not-patched/ SAP發布10月份例行修補公告，緩解兩個CVSS風險評分達9.6分的漏洞 https://www.securityweek.com/sap-patches-critical-vulnerabilities-commerce-manufacturing-execution-products Aruba針對SD-WAN系統修補3個網頁管理介面的重大漏洞 https://www.bleepingcomputer.com/news/security/aruba-fixes-critical-rce-and-auth-bypass-flaws-in-edgeconnect/ Google發布電腦版Chrome 106.0.5249.119，修補6個高風險漏洞 https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_11.html 2.銀行/金融/保險/證券/支付系統/金融監理新聞及資安金融科技駭客事件再添新案例受災戶集中在歐洲 https://www.technice.com.tw/cloudtech/infosecurity/19808/ 銀行當機出包 30分鐘內要通報金管會 https://www.chinatimes.com/realtimenews/20221012003639-260410?chdtv AI透過拍攝手機、ATM表面的熱成像照片，20秒內就可以破解你的密碼，成功率高達86% https://www.techbang.com/posts/100740-heat-password-crack 中國銀保監會出手新設小額網貸全面叫停 https://www.worldjournal.com/wj/story/121347/6683223 加速數位轉型，第一金證成立數位發展事業群 http://www.investor.com.tw/onlineNews/NewsContent.asp?articleNo=14202210130027 玉山安永科技論壇聚焦企業資安應變管理與布局關鍵 https://reurl.cc/zN30be 集保結算所股務4e服務攜手共創數位新未來 https://news.cnyes.com/news/id/4978389 駭客組織LofyGang鎖定開發者發動供應鏈攻擊，目標為信用卡資料 https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/ LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data https://thehackernews.com/2022/10/lofygang-distributed-200-malicious-npm.html 澳洲Medibank保險公司遭網路攻擊，調查未經授權存取事件並關閉多項服務 https://www.itnews.com.au/news/medibank-takes-systems-offline-after-cyber-incident-586417?utm_source=feed&utm_medium=rss&utm_campaign=iTnews+Technology+feed 當心駭客利用網釣結合語音手法誘騙受害者安裝Android金融木馬的新趨勢，已有義大利網路銀行被鎖定 https://www.threatfabric.com/blogs/toad-fraud.html 3.電子支付/行動支付/pay/資安行動支付為何無法取代現金？和電子支付差在哪？「1關鍵」讓台灣人愛用現金 https://reurl.cc/m38ax1 後疫情時代電子支付百百種　中華電信多元付款一機搞定 https://www.ettoday.net/news/20221011/2346493.htm 台中捷運行動支付招標便利搭車再升級 https://reurl.cc/dWNRaV 新北幣遭批花五千萬沒效資訊中心：首創整合行動支付 https://udn.com/news/story/7323/6667470 港媒：PayPal停社民連帳戶指風險過高 https://udn.com/news/story/7331/6683296 8月全支付會員衝47萬推升電支破1850萬人 https://reurl.cc/ERxkQ0 AlipayHK新接入韓國、新加坡　覆蓋12萬韓國商戶 https://reurl.cc/m38ak9 電子支付車資反遭控坐霸王車真相大白小黃運將慘了 https://udn.com/news/story/7320/6671524 黑龍江男子偷換藥房電子支付收款碼騙財店長：很氣憤 https://reurl.cc/5pjebv 電子支付大戰誰會勝出 https://reurl.cc/60oWbb 僵屍電子支付帳號來襲 https://talk.ltn.com.tw/article/paper/1543558 狂閃退！「超級悠遊卡」上線一天加值「出槌」 https://reurl.cc/zN30Qy SuperCard超級悠遊卡開賣！一次可刷1萬元、用手機也能加值，怎麼做 https://www.bnext.com.tw/article/71985/easycard-nfc-supercard-2022 Google Pixel 7 系列臉部解鎖安全度不足！將不支援電子支付認證 https://reurl.cc/3YgGkl 4.加密貨幣/數位貨幣/挖礦/區塊鍊/智能合約/WEB3 資安 Hackers Steal $100 Million Cryptocurrency from Binance Bridge https://thehackernews.com/2022/10/hackers-steal-100-million.html No KYC Crypto Exchanges — Buy Crypto without KYC https://medium.com/coinmonks/no-kyc-crypto-exchanges-buy-crypto-without-kyc-3b2eda2b5397 自己投90%贊成！Mango駭客提案用金庫7000萬鎂償還壞帳，通過即歸還部分贓款 https://www.surviews.com/post/5676.html 十天6起安全事故，損失金額超8億美元，鏈上安全何時解決 https://news.cnyes.com/news/id/4977353 Coinbase 最新紀錄片《Coin: A Founder’s Story》值得一看嗎 https://blockcast.it/2022/10/12/coin-a-founders-story-why-its-worth-watching/ 科普｜比特幣私鑰有多安全？網上販賣「暴力猜測器」萬年才能解 https://reurl.cc/QbrzrM Chainalysis示警，加密貨幣遭駭客竊取規模今年恐創紀錄新高 https://reurl.cc/W16l59 Transit Finance發布竊盜案100%退款方案，駭客已歸還83%贓款 https://www.blocktempo.com/updates-about-transit-finance-attack/ 加密貨幣遭駭客竊取規模今年勢創紀錄現已累計被竊超過30億美元 https://reurl.cc/W16lpL 今年以來加密貨幣已被盜逾30億美元全年規模料創紀錄新高 https://news.cnyes.com/news/id/4978101 FTX 遭受 Gas 竊取攻擊，駭客零成本鑄造 XEN 代幣 1.7 萬次 https://www.owlting.com/news/articles/186802 2022加密貨幣攻擊已損23億鎂！immunefi：駭客偏愛BNB Chain、以太坊 https://www.blocktempo.com/immunefi-published-crypto-losses-q3-2022-report/ Mango 被盜 1 億美元：一場利用閃電貸和 DAO 治理的雙重攻擊 https://blockcast.it/2022/10/13/solana-defi-protocol-mango-markets-loses-117m-in-hack/ 攻擊分析｜Mango 遭吸乾 1.16 億全步驟拆解，攻擊預言機漏洞再做空 https://www.surviews.com/post/5685.html 資安行不行？今年幣圈被盜近千億 https://ec.ltn.com.tw/article/breakingnews/4088156 鏈習生幣圈日報 2022.10.13｜十分鐘掌握全球區塊鏈及加密貨幣新聞 https://reurl.cc/9pe2dx 幣安跨鏈橋遭駭，被盜走1億美元資產 https://www.ithome.com.tw/news/153528 報告：加密投資者更願意在CEX上持有資產 https://news.cnyes.com/news/id/4978608 無聊猿NFT釣魚案｜警方靠加密偵探 ZachXBT 推特研究，逮到5名嫌犯 https://www.blocktempo.com/french-police-use-zachxbt-s-research-to-arrest-five-nft-scammer/ ETHW 生態發展現狀：社群熱度攀升、入場資金較少 https://blockcast.it/2022/10/14/ethpows-latest-development/ 比特幣ATM負責人被抓！台北頂好西門町的 BTM 被詐騙集團當洗錢水房 https://www.blocktempo.com/first-btm-money-laundering-case-in-taiwan/ 一名15歲加密貨幣駭客同意向受害者支付2200萬美元賠償 https://news.cnyes.com/news/id/4979646?exp=a 數位人民幣8月底累計交易逾千億人民幣，人行將鞏固法償性地位 https://reurl.cc/kExmpL 澳門完成討論貨幣發行制度草案，擬將數字貨幣納入法定貨幣 https://news.cnyes.com/news/id/4979591 歐洲人也能用比特幣買麥當勞了！一文掌握加密貨幣發展：薩爾瓦多後來怎麼了 https://reurl.cc/qN7ypy 5.資安事件新聞 A.病毒木馬 / 殭屍網路 / 勒索軟體 / Adware /APT /後門程式/IOC 新惡意軟體Maggie已感染超過 250 台微軟 SQL 伺服器 https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10116 可繞過1000多個EDR產品！勒索軟體BlackByte使用「自帶驅動程式」技術 https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10115 七成以上台灣企業供應鏈曾遭勒索病毒襲擊 https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10112 四份一曾遭勒索程式襲擊的醫療機構被迫全面停運 https://times.hinet.net/mobile/news/24189913 Akamai 2022 年上半年亞太及日本區勒索軟體報告 https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10107 微軟Cyber Signals研究：勒索軟體經濟快速崛起演變為新商業模式 https://www.techbang.com/posts/99312-microsoft-cyber-signals-research-the-rapid-rise-of-the 以色列組織遭到駭客組織Polonium鎖定，被植入多種後門程式 https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/ 駭客以推送NFT錢包Phantom更新為由散布惡意軟體 https://www.bleepingcomputer.com/news/security/fake-solana-phantom-security-updates-push-crypto-stealing-malware/ 假的勒索軟體透過色情圖片散布，且可能會抹除受害電腦硬碟資料 https://blog.cyble.com/2022/10/06/fake-ransomware-infection-under-widespread/ 勒索軟體Black Basta透過滲透測試工具Brute Ratel C4入侵受害組織 https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html 語音網釣攻擊結合安卓惡意軟體，鎖定義大利銀行用戶而來 https://www.threatfabric.com/blogs/toad-fraud.html 目標式勒索攻擊：製造業榜首 https://www.netadmin.com.tw/netadmin/zh-tw/snapshot/763DAC733AC54415A0438FB5DC1ADC28 Cryptojacking campaign detected in the wild https://www.bitdefender.com/files/News/CaseStudies/study/424/Bitdefender-PR-Whitepaper-SLOneDriveCyberJack-creat6318-en-EN.pdf Deep Analysis of Snake Keylogger https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions https://thehackernews.com/2022/10/blackbyte-ransomware-abuses-vulnerable.html Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky https://thehackernews.com/2022/10/researchers-detail-malicious-tools-used.html 出現鎖定Mac、Linux與Windows的全新中文C2攻擊框架 https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems https://thehackernews.com/2022/10/new-chinese-malware-attack-framework.html Modified WhatsApp App Caught Infecting Android Devices with Malware https://thehackernews.com/2022/10/modified-whatsapp-app-caught-infecting.html New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks https://thehackernews.com/2022/10/new-report-uncovers-emotets-delivery.html Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack https://thehackernews.com/2022/10/mirai-botnet-hits-wynncraft-minecraft.html B.行動安全 / iPhone / Android /穿戴裝置 /App / 5G / 即時通訊 400個手機App竊取百萬用戶臉書帳號資料 https://about.fb.com/news/2022/10/protecting-people-from-malicious-account-compromise-apps/ Facebook Detects 400 Android and iOS Apps Stealing Users Log-in Credentials https://thehackernews.com/2022/10/facebook-detects-400-android-and-ios.html iPhone 共享相簿邀請廣告要如何封鎖？4招防止廣告詐騙教學 https://mrmad.com.tw/iphone-shared-album-invitation-anti-blocking 臉書全網哀號！名律師曝追蹤數「被砍80萬」專家曝原因 https://www.chinatimes.com/realtimenews/20221012004118-263301?chdtv 研究指 iOS 16 多數蘋果原廠應用會繞過 VPN，連 Android 系統也這樣 https://today.line.me/tw/v2/article/2Deqwk8 Google修補42個Android漏洞，其中3個為涉及高通無線模組的重大漏洞 https://www.malwarebytes.com/blog/news/2022/10/vulnerabilities-in-google-android-could-allow-for-arbitrary-code-execution Android與Chrome今年將支援Passkey功能，無密碼時代近了 https://www.ithome.com.tw/news/153615 C.事件 / 駭客 / DDOS / APT / 雲端/ 暗網/ 徵才 / 國際資安事件 / 資安人力全球資安威脅童子賢：台灣無法置身事外 https://ec.ltn.com.tw/article/breakingnews/4086908 美禁高階晶片輸中童子賢：兩大經濟體碰撞須小心面對 https://news.cnyes.com/news/id/4977232 資安需求已擴大，面對人才供給的挑戰，培育方向要更寬廣，不只重實務還要考量各種資安人才的養成 https://www.ithome.com.tw/news/153614 實現人盡其才，如何用才很重要 https://www.ithome.com.tw/news/153619 資安你我有責，不只是資安人才的事 https://times.hinet.net/news/24193850 TB級DDoS攻擊頻繁，臺灣第三季遭受攻擊流量增加20倍，網路媒體與網路產業最嚴重 https://blog.cloudflare.com/cloudflare-ddos-threat-report-2022-q3/ 私有NPM套件被用於計時攻擊 https://blog.aquasec.com/private-packages-disclosed-via-timing-attack-on-npm New Timing Attack Against NPM Registry API Could Expose Private Packages https://thehackernews.com/2022/10/new-timing-attack-against-npm-registry.html 黑客假扮IT部門狂發MFA驗證令員工跪低 https://www.wepro180.com/1014_mfa/ 美擬全面禁售華為、中興等中企新設備 https://reurl.cc/ZbKD4a 英媒：中共執迷「控制」有驚人「治台計劃」 https://www.soundofhope.org/post/661524?lang=b5 逾10座美國機場的網站傳出遭俄羅斯駭客Killnet癱瘓 https://www.ithome.com.tw/news/153546 遭親俄駭客網攻美機場服務當機 https://reurl.cc/AOVoo3 為採購烏克蘭自產無人機　基金會募款7小時破1.8億 https://www.ctwant.com/video/5133 無懼中共威脅烏克蘭議員預計10月底訪台 https://www.soundofhope.org/post/661503?lang=b5 烏克蘭資安長Victor Zhora：如何面對真實戰爭+資訊戰的混合攻擊局面 https://netmag.tw/2022/10/12/ukrainian-minister-victor-zhora-and-radware-talk-about-a-growing-cyber-attack-on-the-country Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization https://thehackernews.com/2022/10/budworm-hackers-resurface-with-new.html 英特爾證實Alder Lake處理器的BIOS原始碼外洩，但宣稱資料供漏洞懸賞所用 https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge Intel Confirms Leak of Alder Lake BIOS Source Code https://thehackernews.com/2022/10/intel-confirms-leak-of-alder-lake-bios.html New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts https://thehackernews.com/2022/10/new-php-version-of-ducktail-malware.html 國際業務專案管理師 https://www.104.com.tw/job/7sd52 資安文字客服專員 https://reurl.cc/0XALjk D.資料外洩/個資法/GDPR/網路詐騙/網路釣魚/盜刷/假新聞/網路霸凌/帳號安全 Hackers Can Use 'App Mode' in Chromium Browsers' for Stealth Phishing Attacks https://thehackernews.com/2022/10/hackers-can-use-app-mode-in-chromium.html Researchers Warn of New Phishing-as-a-Service Being Used by Cyber Criminals https://thehackernews.com/2022/10/researchers-warn-of-new-phishing-as.html 64,000 Additional Patients Impacted by Omnicell Data Breach - What is Your Data Breach Action Plan https://thehackernews.com/2022/10/64000-additional-patients-impacted-by.html BazarCall Call Back Phishing Attacks Constantly Evolving Its Social Engineering Tactics https://thehackernews.com/2022/10/bazarcall-callback-phishing-attacks.html 孫維德觀點：民間網友已成為打擊網路詐騙的重大力量 https://www.storm.mg/article/4550477?page=1 參選人可以花錢買新聞？「置入性行銷」也是種假訊息？陳炳宏：只要用錢砸，新聞就出現了 https://tfc-taiwan.org.tw/articles/8305 汽車大廠Toyota不慎把車輛管理系統的金鑰公開在GitHub上，恐外洩近30萬用戶資料 https://global.toyota/jp/newsroom/corporate/38095972.html 威剛傳出資料外洩，但該公司表示駭客掌握的是一年前事故的資料 https://www.bleepingcomputer.com/news/security/adata-denies-ransomhouse-cyberattack-says-leaked-data-from-2021-breach/ 遊戲業者2K客服系統遭駭，玩家個資流入地下論壇 https://www.bleepingcomputer.com/news/security/2k-games-warns-users-their-stolen-data-is-now-up-for-sale-online/ 澳洲IT服務業者Dialog遭駭，客戶及員工資料恐外洩 https://www.ithome.com.tw/news/153567 刑事警察局公告高風險賣場，生活市集入榜五周，近兩周最嚴重 https://www.facebook.com/165bear/posts/472618001575929 新的Caffeine網釣攻擊工具訂閱服務更加明目張膽，駭客架設公開網站供買家下單 https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform 鎖定美國小型企業的COVID-19補助網釣攻擊升溫，駭客濫用Google表單騙取受害者資料 https://www.inky.com/en/blog/fresh-phish-small-business-covid-19-grants-designed-for-disaster 又出現新的網釣攻擊套件租賃服務Caffeine，開放註冊的特性將讓攻擊門檻更低 https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform 媽祖盃全國馬拉松路跑遭駭　官方緊急網站加密並呼籲別受騙 https://www.watchmedia01.com/fnews-20221014020630.html 北港媽祖盃馬拉松報名網站遭駭　官方即時簡訊呼籲防詐 https://n.yam.com/Article/20221013164070 喻虹淵慘遭友詐3447萬手機號碼也被盜急喊：還我清白 https://www.chinatimes.com/amp/realtimenews/20221013005688-260404 防疫紓困訊息詐騙多電子支付疑洩個資 https://reurl.cc/bEQMNo E.研究報告/工具找駭客？Let's Go! Day08 日本女性資安社群 CTF4GIRLS https://ithelp.ithome.com.tw/articles/10297165 [複習] 資安定義、工程及網路 https://ithelp.ithome.com.tw/articles/10307532 The essentials of GRC and cybersecurity — How they empower each other https://thehackernews.com/2022/10/the-essentials-of-grc-and-cybersecurity.html The Latest Funding News and What it Means for Cyber Security in 2023 https://thehackernews.com/2022/10/the-latest-funding-news-and-what-it.html Does the OWASP Top 10 Still Matter https://thehackernews.com/2022/10/does-owasp-top-10-still-matter.html Lazarus Group Uses the DLL Side-Loading Technique (mi.dll) https://asec.ahnlab.com/en/39828/ How To Attack Admin Panels Successfully https://infosecwriteups.com/how-to-attack-admin-panels-successfully-72c90eeb818c How to Make Money with Web Scraping Using Python https://medium.com/geekculture/how-to-make-money-with-web-scraping-using-python-b09546e0e08d Passive Income in Cyber Security — How to guide https://taimurcloud123.medium.com/passive-income-in-cyber-security-how-to-guide-e437fb9a8f34 Passive Income in Cyber Security — Part 2 https://taimurcloud123.medium.com/passive-income-in-cyber-security-part-2-f7066504a47b Exploratory Data Analysis of Hotel booking demand — A Case Study https://medium.com/@itssouravshrivas/exploratory-data-analysis-of-hotel-booking-demand-a-case-study-4a27bff589ca Difference between BOM and DOM in JavaScript https://medium.com/geekculture/difference-between-bom-and-dom-in-javascript-5c8317c5c1d2 Principles of Writing Automated Tests https://adequatica.medium.com/principles-of-writing-automated-tests-a2b72218264c Backend Basics: RESTful API (API, REST, Methods, JSON, Examples) https://medium.com/altogic/backend-basics-restful-api-api-rest-methods-json-examples-429744ba0831 The Only Guide You’ll Need for CyberChess — plus How To Get Free Heroes & Skills https://medium.com/binaryx-gamefi/cyberchess-beginners-guide-and-tutorial-with-limited-140-gift-code-from-binaryx-fdeeb052392a How I Found Multiple SQL Injections in 5 Minutes in Bug Bounty https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498 How I Build my own CI/CD Pipeline for Python Apps https://medium.com/codex/how-i-build-my-own-ci-cd-pipeline-for-python-apps-98bb1cd5d13c EXPLOITING OS COMMAND INJECTION VULNERABILITIES https://infosecwriteups.com/exploiting-os-command-injection-vulnerabilities-14195c9a410b How To Build a Career as a Freelance Cybersecurity Analyst — From Scratch https://thehackernews.com/2022/10/how-to-build-career-as-freelance.html F.商業 VMware 助關貿網路打造 T-Cloud 關貿雲服務 https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10108 研華攜手慧景通過VPC資安認證 https://reurl.cc/eOR1rQ 微軟 Ignite 大會：推出多種工具、產品和服務協助客戶提高效率和生產力 https://news.microsoft.com/zh-tw/microsoft-ignite/ 叡揚分享資安、雲端、智能解決方案 https://wantrich.chinatimes.com/news/20221014900122-420101 Google針對軟體供應鏈推出安全解決方案Software Delivery Shield https://www.ithome.com.tw/news/153589 Samsung 和 Google 將合力簡化初次設定 Matter 家居產品的流程 https://chinese.engadget.com/samsung-announces-expanded-partnership-with-google-to-support-matter-devices-110008848.html G.政府防公共電子看板遭駭唐鳳：視同連線公務網路管理 https://udn.com/news/story/7240/6681472 公共場域電子看板將納管唐鳳曝最新進度 https://ctee.com.tw/livenews/aj/ctee/a11608002022101215461977 數位部資安署月薪6萬僅來2人 https://reurl.cc/AOVxqd 資安攻防怎麼做？唐鳳：紅藍須並重結合成「紫隊」 https://udn.com/news/story/7238/6681424 政府約聘人員薪資立委促定期檢討 https://www.epochtimes.com/b5/22/10/12/n13843964.htm 馬斯克要「台灣變特區」　邱國正：國軍目前絕不再買特斯拉 https://www.ettoday.net/news/20221012/2356762.htm 資安恐外洩？國軍現有7輛特斯拉「停在這」　何志偉：真的不安全 https://www.ctwant.com/article/212802 不再買特斯拉！國防部：資安考量不開啟攝影與自動導航 https://www.nownews.com/news/5950649 航太、造船、資安...開箱國防自主千億商機國內軍工產業供應鏈樣貌曝光！ https://www.wealth.com.tw/articles/47d9e603-1099-4908-80ee-bfb22b01a589 新北市體現領導者的數位轉型「AI智慧之城」啟動數位治理新動能 https://city.gvm.com.tw/article/95194 資策會秀5項AI技術研發提升道安、預測製造業設備損耗 https://ec.ltn.com.tw/article/breakingnews/4088214 中製資通設備佯裝MIT 政院：持續加強資安韌性防護 https://reurl.cc/RX5Abz TWISA組團赴日本CEATEC展資安輸出受肯定 https://money.udn.com/money/story/10860/6687194 臺大資管系教授、前NCC委員孫雅麗：企業建置5G專網不可忽視資通安全，5項安全議題要注意 https://www.ithome.com.tw/news/153631 傳上校持機密設施圖遭調查局帶走國防部：配合偵辦 https://reurl.cc/Qbr0YO H.工控系統/ICS/SCADA/IOT/物聯網/車聯網/電動車/人工智慧/AI/ML/人臉辨識/醫療相關資安 Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys https://thehackernews.com/2022/10/critical-bug-in-siemens-simatic-plcs.html 國家級的網攻！針對半導體製造業的勒索軟體攻擊將持續並產生重大影響 https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10110 TXOne Networks與NEC台灣合作提供零售業POS系統資安防護 https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10106 SEMI E187設備資安標準導入指南出爐 https://www.eettaiwan.com/20221013nt22-semi-e187/ 建構半導體供應鏈安全網 SEMI發布E187設備資安標準 https://www.chinatimes.com/newspapers/20221013000193-260204?chdtv SEMI晶圓設備資安標準指南出爐提升半導體供應鏈安全 https://times.hinet.net/news/24191275 IKEA智慧照明系統漏洞恐導致組態遭到重設、使用者失去調整亮度的能力 https://www.synopsys.com/blogs/software-security/cyrc-advisory-ikea-tradfri-smart-lighting/ 西門子工控系統的全域私鑰恐遭利用，PLC設備資料可能被竄改 https://claroty.com/team82/research/the-race-to-native-code-execution-in-plcs-using-rce-to-uncover-siemens-simatic-s7-1200-1500-hardcoded-cryptographic-keys CISA發布25項ICS產品安全警告，涵蓋西門子、Hitachi等多項漏洞 https://www.cisa.gov/uscert/ncas/current-activity/2022/10/13/cisa-releases-twenty-five-industrial-control-systems-advisories I.教育訓練 iPAS資訊安全工程師中級筆記 https://hackmd.io/@Not/iPASInformationSecuritySpecialist iPas資安工程師證照考前研習 https://reurl.cc/GEbA3p Coursera 盤點 7 項雲端資安認證，高薪跳板都在這了！ https://buzzorange.com/techorange/2022/07/12/cloud-security-certificates/ 全球網絡安全勞動力失衡 (ISC)2免費課程及考試填補人才缺口 https://reurl.cc/m39MDj CISSP考試心得 https://reurl.cc/KbY83j CISSP考試心得 – Benson https://reurl.cc/GbWvxd 目標導向-20天光速考過CISSP https://reurl.cc/2Zq6zn CISSP證照考試實戰心得第一章：初期準備工作 https://netmag.tw/2022/06/17/the-cissp-has-learned-the-first-chapter-in-actual-combat CPSA(CREST Practitioner Security Analyst) 資安分析師考試心得 https://tech-blog.cymetrics.io/posts/huli/crest-cpsa-prepare/ EC-Council CEH v11 考試心得、改版資訊以及準備方向 2021、2022 https://reurl.cc/1oyEM8 CEH v11 考試心得與準備方式 https://blog.sean.taipei/2022/01/ceh 深度解析 CPENT 考試心得、以及與 OSCP 的比較 https://reurl.cc/41eL8v EC-Council CPENT v1 滲透測試認證 – 內容及心得分享 https://hackercat.org/pentesting/ec-council-cpent-v1-experience-review [備考心得]CompTIA Security+ (SY0–601) 上篇 https://reurl.cc/M053DK [備考心得]CompTIA Security+ (SY0–601) 下篇 https://reurl.cc/M053Gv 不只是工程師才要懂的 App 資訊安全：取得資安檢測合格證書血淚史（iT邦幫忙鐵人賽系列書） https://news.pchome.com.tw/living/books/20220202/index-64375841669874292009.html Learn NIST Inside Out With 21 Hours of Training @ 86% OFF https://thehackernews.com/2022/06/learn-nist-inside-out-with-21-hours-of.html 駭客與國家: 網路攻擊與地緣政治新常態 The hacker and the state: cyber attacks and the new normal of geopolitic https://reurl.cc/D3nKKj Practical Network Penetration Tester (PNPT) Certification Review https://tmc222.medium.com/practical-network-penetration-tester-pnpt-certification-review-4280e4e164df WUSON常用的基本詞彙 https://choson.lifenet.com.tw/?p=1958 我國網路資安狂被駭監委申請自動調查 https://www.chinatimes.com/realtimenews/20220810003152-260407?chdtv 6.近期資安活動及研討會 MOPCON 2022 2022/10/15 ~ 2022/10/16 https://mopcon.org/ 金融資安案例研習 2022/10/17 https://www.sitca.org.tw/OPF/B0000/PPT049_2022_01.asp Kubernetes Summit 2022 2022/10/18 ~ 2022/10/19 https://k8s.ithome.com.tw/ Taipei dbt Meetup #7 (in-person 👫 & online 👨‍💻) 2022/10/19 https://www.meetup.com/taipei-dbt-meetup/events/288207892/ 國家高速網路與計算中心教育訓練「大數據程式開發平台(VM版本)」建置與開發實務課程 2022/10/21 https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=4009&from_course_list_url=course_index CISCO 資安講堂 2022/10/21 https://www.accupass.com/event/2209281120037267603420 資安情蒐暨資安政策趨勢研討會—以半導體供應鏈為核心 2022/10/25 https://stli.iii.org.tw/news-event.aspx?no=16&d=1177 【Monosparta】②⓪②③ 第一梯次軟體開發實戰訓練營➠線上說明會 2022/10/26 https://trunk-studio.kktix.cc/events/monosparta-202301 CODE BLUE 2022 @TOKYO 2022/10/27 ~ 2022/10/28 https://codeblue.jp/2022/en/ 金融產業跨域資安人力高峰論壇 2022/10/28 https://isipevent.kktix.cc/events/f2ce8bcc 資訊安全與人工智慧實作 2022/10/28 https://www.cisanet.org.tw/Course/Detail/2867 資訊安全發展趨勢| 數位社會與資訊安全 - 董監事系列認證課程 2022/11/5 https://www.accupass.com/event/2208120843261385349231 行動應用APP 安全檢測（APK/IPA）2022-11-18 09:00 ~ 2022-11-18 12:00 https://www.cisanet.org.tw/Course/Detail/2865 ICS 2022 WORKSHOP PROGRAM -「Ubiquitous Cybersecurity and Forensics」 2022/12/15 ~ 2022/12/17 https://ics2022.esam.io/ TANET 2022 WORKSHOP PROGRAM -「第二屆數位鑑識、醫療私密與網駭安全」 2022/12/15 ~ 2022/12/17 https://tanet2022.esam.io/