September 5, 2018

Vulnerability Exploit Trends and Patterns Revealed by Unit 42

Patch, patch and patch again, research reiterates...

By CBR Staff Writer

The United States is the number one hosting country for malicious domains and also the leading source of exploit kits, the toolkits that cybercriminals use to target vulnerabilities in systems.

That’s according to a new report from Palo Alto Networks’ threat intelligence team Unit 42, which emphasises that old vulnerabilities remain a serious threat to security; one from a decade ago exposes end users to over 1,000 known attacks.

While the United States remained the number one host of domains with malicious intent, the Netherlands saw a sharp rise in the number of exploit kits and malicious domains being hosted there.


[Figure: Number of malicious URLs per country/region]


An interesting case study by Unit 42 looks at the evolution of attacks against CVE-2018-8174, which is a Windows VBScript engine remote code execution vulnerability. The vulnerability affected 31 Microsoft products.

The first use of the vulnerability was discovered on May 12 by Unit 42. Intriguingly, Microsoft reported the vulnerability on May 8th, so it took threat actors only four days to come up with an attack vector utilising it.

Vulnerability Exploits

The first version of the Double Kill exploit didn’t try to hide the HTML code; only some variables and functions were hidden. This was not the case for the second version of Double Kill, as the threat actors had had time to refine their attack.


The threat intelligence team followed the evolution of this exploit and noted that: “In the second exploit, attackers used several types of obfuscation to hide the exploit. For example, the textarea HTML tag with display attribute “none” was used to hide the real exploit code.”

“The obfuscated string in textarea started with “>tpircs and ended with “>tpircs<” will not be shown in html page, but it can be deobfuscated to a meaningful string as a part of exploit, for example “tpircs” will be decrypted to “script” tag.”
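
A detection-side sketch of the obfuscation described above, added here as an example (it is not code from the article or from Unit 42): it finds `textarea` elements hidden with `display:none` and flags those whose text contains markup keywords spelled backwards. It assumes the hiding is done through an inline `style` attribute and that the encoding is plain string reversal, as the “tpircs” example suggests; the keyword list and the sample page are constructed.

```python
import html
import re

# <textarea> holds raw text up to its closing tag, so a regex is enough here.
TEXTAREA = re.compile(r"<textarea\b([^>]*)>(.*?)</textarea\s*>", re.I | re.S)
HIDDEN = re.compile(r"display\s*:\s*none", re.I)
# Watch list of markup keywords (constructed for this example).
KEYWORDS = ("script", "vbscript", "language", "function")


def scan_hidden_textareas(page):
    """Return one finding per hidden <textarea> whose text holds reversed keywords."""
    findings = []
    for attrs, body in TEXTAREA.findall(page):
        if not HIDDEN.search(attrs):
            continue  # visible textareas are ordinary form fields
        text = html.unescape(body)
        lowered = text.lower()
        # A keyword counts only when it appears spelled backwards.
        hits = sorted(k for k in KEYWORDS if k[::-1] in lowered)
        if hits:
            findings.append({"keywords": hits, "decoded": text[::-1]})
    return findings


# Constructed sample page: one ordinary form field and one hidden textarea
# carrying a reversed, harmless script tag.
SAMPLE = (
    '<html><body>'
    '<textarea name="comment">tell us about your trip</textarea>'
    '<textarea id="t" style="display: none">'
    '>tpircs/<)(niam>"tpircsbv"=egaugnal tpircs<'
    '</textarea></body></html>'
)

if __name__ == "__main__":
    for finding in scan_hidden_textareas(SAMPLE):
        print(finding["keywords"], "->", finding["decoded"])
```

A hit is a triage signal rather than a verdict: hidden textareas are common on legitimate pages, so the reversed-keyword match is what makes the element worth a closer look.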


As for the vulnerabilities being exploited by attackers, Unit 42 notes a surprising consistency in the types of vulnerabilities being attacked this quarter compared to the last. In fact, the roster of weak links threat actors are utilising is nearly identical to last quarter.
