Welcome to HKISPA

Security Advisory From HKISPA and HKCERT: WannaCry Worm

May 15, 2017

Due to the outbreak of the WannaCry ransomware and expected varied forms of the virus in the coming days, the HKISPA recommends the following procedures to be considered by your call centre and network engineers.

1. Network engineers may consider temporarily taking the following measures, in order of priority. Adopting these policies will temporarily disable Windows File/Printer Sharing and Samba services of your customers with external hosts, therefore full communication with customers in prior is recommended.

A. Dropping the following inbound traffic, to protect your customers' exposed and un-patched Windows PC from getting infected.

Inbound TCP destination port 445 (Server Message Block)
Inbound TCP destination port 139 (NetBios session service)
Inbound UDP destination port 137 (NetBios name service)

B. Dropping the following outbound traffic, to prevent your clients' infected computer from infecting others.

Outbound TCP destination port 445 (Server Message Block)
Outbound TCP destination port 139 (NetBios session service)
Outbound UDP destination port 137 (NetBios name service)

2. Call centres may reference the attached PDF document for information they need equipped with in serving customers.

If you need further assistance, please contact the following:

HKISPA Mr. Eric Fan, This email address is being protected from spambots. You need JavaScript enabled to view it.

HKCERT Mr. Bernard Kan, This email address is being protected from spambots. You need JavaScript enabled to view it., +852 9632 9646

-Security Advisory From HKISPA and HKCERT: WannaCry Worm [Adobe Acrobat Document]