WoSign supposedly logged all certificates they issued to various Certificate Transparency log servers, so domain owners could check those records for any mis-issuance. There probably aren't too many organizations who check CT regularly right now, but it's better than nothing.
There's been some talk on mozilla.dev.security.policy about actively distrusting WoSign/StartCom-issued certificates for domains that have not been disclosed to CT as WoSign/StartCom subscribers (by baking the domain list into various browser binaries). That's probably the best option all around, though I'm not sure if it's going to happen (the report doesn't mention this).
There's been some talk on mozilla.dev.security.policy about actively distrusting WoSign/StartCom-issued certificates for domains that have not been disclosed to CT as WoSign/StartCom subscribers (by baking the domain list into various browser binaries). That's probably the best option all around, though I'm not sure if it's going to happen (the report doesn't mention this).