Patch, patch and patch again, research reiterates…
The United States is the number one hosting country for malicious domains, and is also the leading source of exploit kits, the toolkits cybercriminals use to target vulnerabilities in systems.
That’s according to a new report from Palo Alto Networks’ threat intelligence team Unit 42, which emphasises that old vulnerabilities remain a serious threat to security; one from a decade ago exposes end users to over 1,000 known attacks.
While the United States remained the number one host of malicious domains, the Netherlands saw a sharp rise in the number of exploit kits and malicious domains being hosted there.
An interesting case study by Unit 42 looks at the evolution of attacks against CVE-2018-8174, which is a Windows VBScript engine remote code execution vulnerability. The vulnerability affected 31 Microsoft products.
The first use of the vulnerability was discovered on May 12 by Unit 42. An intriguing thing about this exploit is that Microsoft reported the vulnerability on May 8. So it only took threat actors four days to come up with an attack vector utilising the vulnerability.
The first version of the Double Kill exploit didn’t try to hide the HTML code; only some variables and functions were hidden. This was not the case for the second version of Double Kill, as the threat actors had time to refine their attack.
The threat intelligence team followed the evolution of this exploit and noted that: “In the second exploit, attackers used several types of obfuscation to hide the exploit. For example, the textarea HTML tag with display attribute “none” was used to hide the real exploit code.”
“The obfuscated string in textarea started with “>tpircs” and ended with “>tpircs<” will not be shown in the HTML page, but it can be deobfuscated to a meaningful string as a part of the exploit, for example “tpircs” will be decrypted to the “script” tag.”
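As an added illustration of how a defender might look for this pattern (this is not code from the Unit 42 report), the short Python scanner below flags textareas hidden with display:none whose contents, read backwards, contain a script tag, and recovers the deobfuscated text. The sample page it scans is constructed for the example.

```python
import html
import re

# Constructed sample page (not the real exploit): one textarea hidden with
# display:none holding a reversed script block, plus one ordinary textarea.
HIDDEN_PAYLOAD = "<script>var x=1;</script>"[::-1]   # ">tpircs/<;1=x rav>tpircs<"
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    f'<textarea id="t1" style="display:none">{HIDDEN_PAYLOAD}</textarea>\n'
    '<textarea id="t2">just some visible notes</textarea>\n'
    "</body></html>"
)

TEXTAREA_RE = re.compile(r"<textarea\b([^>]*)>(.*?)</textarea>", re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
# "<script" written backwards is "tpircs<"; match the reversed tag, case-insensitively.
REVERSED_SCRIPT_RE = re.compile(r"tpircs<", re.IGNORECASE)


def scan_hidden_textareas(page):
    """Return one dict per textarea that is hidden and whose content, when
    reversed, contains a script tag. Entities are decoded first, since a real
    page would normally carry '<' inside a textarea as '&lt;'."""
    findings = []
    for match in TEXTAREA_RE.finditer(page):
        attrs, body = match.group(1), html.unescape(match.group(2))
        hidden = bool(HIDDEN_RE.search(attrs))
        if hidden and REVERSED_SCRIPT_RE.search(body):
            findings.append({
                "attrs": attrs.strip(),
                "deobfuscated": body[::-1],  # reverse to recover the real markup
            })
    return findings


if __name__ == "__main__":
    for finding in scan_hidden_textareas(SAMPLE_HTML):
        print("hidden textarea", finding["attrs"], "->", finding["deobfuscated"])
```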
With regard to the vulnerabilities being exploited by attackers, Unit 42 notes that there is a surprising consistency in the types of vulnerabilities being attacked in this quarter compared to the last. In fact, they note that the roster of weak links threat actors are utilising is nearly identical to last quarter.