
"Eternal Blue" ransomware worm: blocking the ports

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Attached

Since May 12th, the WannaCrypt (Eternal Blue) ransomware worm has broken out suddenly, affecting nearly 100 countries around the world. Victims include the British medical system, the express delivery company FedEx and the Russian telecommunications company Megafon. In China, the campus network and a number of energy companies and government agencies have also been extorted, with a high ransom demanded to decrypt and recover files, causing serious losses of important data. As of noon on May 13th, it is estimated that more than 20,000 machines in China have been hit and more than 100,000 machines worldwide have been infected.

The WannaCrypt (Eternal Blue) ransomware worm is the first global case of NSA network weapons being put to civilian use. A month ago, Shadow Brokers published the fourth batch of NSA-related network tools and documents, which included remote command execution tools for several Windows system services (SMB, RDP, IIS), among them the "Eternal Blue" program.

Photo: the screen of an infected machine displays an interface telling you to pay the ransom

I. Intranet switches: block ports 135, 137, 139 and 445

Huawei and H3C switches: block port 445 access to the intranet

acl number 3000
rule 6 deny tcp destination-port eq 135
rule 7 deny tcp destination-port eq 137
rule 8 deny tcp destination-port eq 139
rule 9 deny tcp destination-port eq 445
interface GigabitEthernet 0/0/24
traffic-secure inbound acl 3000

[JH-GigabitEthernet0/0/24] dis this
#
interface GigabitEthernet0/0/24
 energy-efficient-ethernet enable
 description UP H3C ER3108G
 port link-type access
 port default vlan 2
 traffic-secure inbound acl 3000
#
return
[JH-GigabitEthernet0/0/24]
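
An added example, not part of the original article: a Python check that reports which of the four ports a Huawei-style ACL actually denies and which interfaces it is bound to. It assumes the device treats a re-used rule ID as an edit of the existing rule, so four entries under one ID leave only the last port blocked; both sample configurations and the `audit` function are constructed for illustration.

```python
import re

REQUIRED_PORTS = {135, 137, 139, 445}
RULE = re.compile(r"rule (\d+) deny tcp destination-port eq (\d+)$")

# Constructed sample: commands as entered, every entry re-using rule ID 6.
REUSED_ID = """\
acl number 3000
 rule 6 deny tcp destination-port eq 135
 rule 6 deny tcp destination-port eq 137
 rule 6 deny tcp destination-port eq 139
 rule 6 deny tcp destination-port eq 445
interface GigabitEthernet0/0/24
 traffic-secure inbound acl 3000
"""

# Constructed sample: the same ACL with one ID per rule.
DISTINCT_IDS = """\
acl number 3000
 rule 6 deny tcp destination-port eq 135
 rule 7 deny tcp destination-port eq 137
 rule 8 deny tcp destination-port eq 139
 rule 9 deny tcp destination-port eq 445
interface GigabitEthernet0/0/24
 traffic-secure inbound acl 3000
"""


def audit(config, acl_id="3000"):
    """Report required ports the ACL does not deny and where it is bound."""
    rules, bound, in_acl, iface = {}, [], False, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line.startswith("acl number "):
            in_acl, iface = line.split()[2] == acl_id, None
        elif line.startswith("interface "):
            in_acl, iface = False, raw.split(None, 1)[1].strip()
        elif in_acl and (m := RULE.match(line)):
            # Assumption: a re-used rule ID edits the existing rule,
            # so only the last port entered under that ID survives.
            rules[int(m[1])] = int(m[2])
        elif iface and line == f"traffic-secure inbound acl {acl_id}":
            bound.append(iface)
    missing = sorted(REQUIRED_PORTS - set(rules.values()))
    return {"missing": missing, "interfaces": bound}


if __name__ == "__main__":
    for name, cfg in (("re-used ID", REUSED_ID), ("distinct IDs", DISTINCT_IDS)):
        print(name, audit(cfg))
```

The check covers TCP rules only, as the article's ACL does; NetBIOS name service listens on UDP 137, which a TCP rule for port 137 does not filter.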

Cisco: block port 445

JHXXJS(config)# access-list 100 deny tcp any any eq 135
JHXXJS(config)# access-list 100 deny tcp any any eq 137
JHXXJS(config)# access-list 100 deny tcp any any eq 139
JHXXJS(config)# access-list 100 deny tcp any any eq 445
JHXXJS(config)# access-list 100 permit ip any any

Apply to the interface

Router(config)# int gigabitEthernet 0/1
Router(config-if)# ip access-group 100 in

View the port status

interface GigabitEthernet0/1
 no ip address
 ip access-group 100 in
 duplex auto
 speed auto

II. Firewall security devices: policy blocking ports 135, 137, 139 and 445

1. Qiming Star configuration

1) Create a new custom service

2) Apply the policy

3) View policies

2. Hillstone configuration

1) create a new policy

2) define services

3) set the policy

4) View policies

III. Turn on the Windows built-in firewall

1. Enable advanced features

2. Add inbound rules

3. Select a port

5. Designated port

6. Choose to perform the operation

7. Select the area to be applied

8. Define the rule name

9. View rules

IV. Host patch maintenance

Download link for the latest ransomware detection tool (360's detection tool): http://dl.360safe.com/nsa/nsatool.exe

Patch fix (choose the corresponding patch according to your system version):

Windows 7

www.catalog.update.microsoft.com/Search.aspx?q=KB4012212
www.catalog.update.microsoft.com/Search.aspx?q=KB4012215

Windows 8.1

www.catalog.update.microsoft.com/Search.aspx?q=KB4012213
www.catalog.update.microsoft.com/Search.aspx?q=KB4012216

Windows 10

www.catalog.update.microsoft.com/Search.aspx?q=KB4013429
www.catalog.update.microsoft.com/Search.aspx?q=KB4012606
www.catalog.update.microsoft.com/Search.aspx?q=KB4013198
