US still takes top spot for hosting malicious domains and exploit kits, researchers find

  • The US was also found to be the number one hoster for exploit kits, accounting for more EKs globally than all other countries combined.
  • Security researchers also found that cybercriminals consistently exploit much older vulnerabilities.

The United States still takes the crown for hosting malicious domains and exploit kits in Q2 2018, according to a new study. Statistics from Palo Alto Networks' Unit 42 show the US was the number one hoster of malicious domains that potentially served web-based threats at a global level.

Researchers found the US hosted 248 malicious URLs between April and June 2018 (Q2), a drop from 257 recorded in Q1. Other top countries hosting malicious domains include Russia, China, Hong Kong and the Netherlands. Outside the Netherlands and the US, the number of malicious domains dropped across most of the top countries, particularly in Russia and China.

In China, the number of malicious domains hosted dropped from 106 in Q1 to just two in Q2. In Russia, the count shrank from 20 to two malicious domains.

EK top spot claimed by the US

The US was also found to be the number one hoster of exploit kits, accounting for more EKs globally than all other countries combined. In fact, the US accounted for more than twice the number of EKs as the number two hoster, Russia.

The US was the number one source for Grandsoft, Sundown and Rig, and the number two source for KaiXin. Meanwhile, Russia was number two globally for Grandsoft, Sundown and Rig. Researchers found that KaiXin, which targets the four-year-old vulnerability CVE-2014-6332, seemed to be more popular in Asia and primarily popped up in China, Hong Kong and Korea.

Old is gold

In terms of vulnerabilities, Unit 42 found threat actors still rely on much older flaws in new attack campaigns. Two nine-and-a-half-year-old Microsoft Internet Explorer vulnerabilities, CVE-2009-0075 and CVE-2008-4844, made it into the top five list. Other frequently exploited vulnerabilities this quarter included an OLE automation flaw (CVE-2014-6332), an Adobe Reader flaw (CVE-2015-5122) and a Microsoft VBScript flaw (CVE-2016-0189).

Meanwhile, the latest security vulnerability aggressively leveraged in exploit kits is CVE-2018-8174, a Microsoft VBScript vulnerability that was heavily used in zero-day attacks. Microsoft patched the vulnerability in May 2018, but the DarkHotel APT group had already exploited the flaw, also known as DoubleKill, in zero-day attacks before the fix was available.

"This vulnerability wasn’t publicly known until the second quarter and we can see was quickly used by attackers taking advantage of it, making it number two on our list in the second quarter, exploited by 291 malicious URLs," researchers noted. "The net lessons from this quarter’s statistics are the very old and very new vulnerabilities show themselves to be useful. There’s also a steadiness to the vulnerabilities attackers are favoring since four of the top five vulnerabilities this quarter were in use last quarter.

"In the realm of vulnerabilities, we see remarkable consistency, with a nearly identical roster of vulnerabilities under attack in this quarter as last quarter. The only notable addition to this roster is a vulnerability known to be used in zero-day attacks."