DPRK hackers use RID hijacking to create admin accounts

January 29, 2025
Tags: RID Hijacking, Admin Accounts, DPRK, Relative Identifier, Security Identifier (SID)

Hackers attributed to the Democratic People’s Republic of Korea are running an ongoing campaign that uses a technique called RID hijacking. Reports reveal that the hackers are tricking Windows into treating a low-privileged account as if it held admin-level credentials.

The hackers carried out the hijacking using a modified malicious file and an open-source tool. Both utilities can perform the malicious modification, but researchers note there are distinctions between them.

In Windows, the Relative Identifier (RID) is part of the Security Identifier (SID), a unique identifier provided to each user account to distinguish them. RID can take values indicating the account’s level of access, such as “500” for admins, “501” for guest accounts, “1000” for regular users, and “512” for domain admins.

The hijacking technique works by changing the RID of a low-privilege account so that it matches the value of an administrator account. This unauthorised modification can then trick Windows into granting the low-privileged account higher access.

However, as the attack requires access to the SAM registry, the hackers must first compromise the system and get SYSTEM access.


The RID hijacking campaign is linked to a Lazarus gang affiliate dubbed Andariel.


According to investigations, the Andariel threat group, which is a Lazarus gang affiliate, is the alleged operator of the ongoing RID hijacking activity.

The attacks start when Andariel gains SYSTEM access on the victim machine by exploiting a vulnerability. The hackers use programs like PsExec and JuicyPotato to launch a SYSTEM-level command prompt, from which they carry out the rest of the attack.

To overcome the limitations of SYSTEM-level access, Andariel first creates a hidden, low-privilege local user by running the “net user” command with a username ending in the ‘$’ character. This tactic ensures that the account is not listed by the “net user” command and can only be seen in the SAM registry. The attackers then use RID hijacking to elevate the account’s permissions to those of an administrator.

Furthermore, the researchers discovered that Andariel added their account to the Remote Desktop Users and Administrators groups, which requires RID hijacking and is accomplished through Security Account Manager (SAM) registry updates.
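The RID and SID structure described above, and the fact that a hijacked account only reveals itself in the SAM registry, suggest a registry-level consistency check. The following is an added example written for this article, not code from the researchers or from any tool the article mentions. It assumes, as public write-ups of the technique do, that each local user lives under a SAM subkey named with its RID in hex and that the account's effective RID is stored as a 4-byte little-endian field at offset 0x30 of that subkey's "F" value; the SAM entries below are constructed, not dumped from a real host.

```python
import struct

# Offset of the 4-byte little-endian RID inside a SAM user "F" value.
# ASSUMPTION: this is the offset public RID-hijacking write-ups target;
# confirm it against your own SAM exports before relying on the check.
F_RID_OFFSET = 0x30
F_VALUE_SIZE = 0x50  # constructed size, large enough to hold the RID field

# Well-known RIDs named in the article
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a textual SID such as S-1-5-21-...-1000."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])


def make_f_value(rid: int) -> bytes:
    """Build a constructed F value carrying the given RID (all other fields zeroed)."""
    buf = bytearray(F_VALUE_SIZE)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


def effective_rid(f_value: bytes) -> int:
    """RID Windows would actually use for the account, read from the F value."""
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def audit_sam_users(users):
    """users: list of dicts {"key": hex subkey name, "name": username, "f": F bytes}.
    Returns a list of (account, finding, detail) tuples."""
    findings = []
    by_effective_rid = {}
    for u in users:
        key_rid = int(u["key"], 16)  # subkey name is the RID in hex, e.g. 000001F4 == 500
        eff = effective_rid(u["f"])
        # A hijacked account keeps its original subkey name but carries a rewritten RID
        if eff != key_rid:
            findings.append((u["name"], "rid_mismatch",
                             f"subkey RID {key_rid} but F value RID {eff} "
                             f"({WELL_KNOWN_RIDS.get(eff, 'custom')})"))
        # Trailing '$' hides the account from 'net user', as the article describes
        if u["name"].endswith("$"):
            findings.append((u["name"], "hidden_name",
                             "trailing '$' hides the account from 'net user'"))
        by_effective_rid.setdefault(eff, []).append(u["name"])
    # Two accounts resolving to one RID is the end state of a successful hijack
    for rid, names in by_effective_rid.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "duplicate_rid",
                             f"RID {rid} shared by {len(names)} accounts"))
    return findings


# Constructed sample: two normal accounts and one hidden account whose
# F value was rewritten to RID 500 while its subkey still says 0x3EA (1002).
SAMPLE_USERS = [
    {"key": "000001F4", "name": "Administrator", "f": make_f_value(500)},
    {"key": "000001F5", "name": "Guest", "f": make_f_value(501)},
    {"key": "000003EA", "name": "svc_backup$", "f": make_f_value(500)},
]

if __name__ == "__main__":
    for account, finding, detail in audit_sam_users(SAMPLE_USERS):
        print(f"{finding:14} {account:28} {detail}")
```

Run against an export of the SAM hive taken from a suspect host, the mismatch and duplicate-RID findings are the ones worth paging on; the hidden-name finding on its own is only a hint, since service accounts with a trailing '$' are not unusual.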

The North Koreans utilise bespoke malware and an open-source tool to carry out the alteration. SYSTEM access enables the direct creation of admin accounts, but various limits may apply based on the security settings. Increasing the privileges of regular accounts is significantly stealthier and more difficult to detect and prevent.

Andariel also tries to hide its tracks by exporting the updated registry settings, removing the key and the rogue account, and then re-registering them from a stored backup, allowing reactivation without appearing in system logs.

System admins should use the Local Security Authority (LSA) Subsystem Service to monitor login attempts and password changes, and should block unauthorised access to and modification of the SAM registry, to mitigate the risk of the RID hijacking attacks currently being carried out by North Korean hackers.
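One way to act on the monitoring advice above is to correlate the Security log events that the described sequence leaves behind: a hidden account created (4720), that account added to a sensitive local group (4732), and a later logon for it that receives administrative privileges (4672). The correlation below is an added example written for this article, not a rule from the researchers; the event records are constructed, field names follow the Security log XML (TargetUserName, TargetSid, MemberSid, SubjectUserName, PrivilegeList), and "HOST$" stands in for the machine account that a SYSTEM-context action is logged under.

```python
from collections import defaultdict

# Local groups the article says Andariel added its account to
SENSITIVE_GROUPS = {"Administrators", "Remote Desktop Users"}


def correlate(events):
    """events: Security log records as dicts with EventID and the relevant fields, in time order.
    Returns {account: [reasons]} for accounts matching the hidden-account-to-admin pattern."""
    sid_to_name = {}        # filled from 4720 so 4732 member SIDs can be resolved
    hidden_created = set()
    alerts = defaultdict(list)
    for e in events:
        eid = e["EventID"]
        if eid == 4720:  # user account created
            name = e["TargetUserName"]
            sid_to_name[e["TargetSid"]] = name
            if name.endswith("$"):
                hidden_created.add(name)
                alerts[name].append(f"hidden local account created by {e['SubjectUserName']}")
        elif eid == 4732:  # member added to security-enabled local group
            member = sid_to_name.get(e["MemberSid"], e["MemberSid"])
            group = e["TargetUserName"]
            if group in SENSITIVE_GROUPS and member in hidden_created:
                alerts[member].append(f"added to {group}")
        elif eid == 4672:  # special privileges assigned to new logon
            name = e["SubjectUserName"]
            if name in hidden_created:
                alerts[name].append("admin-level logon: " + e["PrivilegeList"])
    return dict(alerts)


# Constructed sample: a benign account, then the pattern from the article
SVC_SID = "S-1-5-21-111-222-333-1002"  # constructed SID
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-111-222-333-1001",
     "SubjectUserName": "itadmin"},
    {"EventID": 4732, "MemberSid": "S-1-5-21-111-222-333-1001", "TargetUserName": "Users"},
    {"EventID": 4720, "TargetUserName": "svc_backup$", "TargetSid": SVC_SID,
     "SubjectUserName": "HOST$"},
    {"EventID": 4732, "MemberSid": SVC_SID, "TargetUserName": "Remote Desktop Users"},
    {"EventID": 4732, "MemberSid": SVC_SID, "TargetUserName": "Administrators"},
    {"EventID": 4672, "SubjectUserName": "svc_backup$",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege SeRestorePrivilege"},
]

if __name__ == "__main__":
    for account, reasons in correlate(SAMPLE_EVENTS).items():
        print(account)
        for r in reasons:
            print("  -", r)
```

Group membership changed by editing the SAM registry directly, as the article says the attackers did, does not necessarily raise 4732, so this correlation should fire on the 4720 plus 4672 pair even with no 4732 in between; the registry-level check of the SAM hive is the complement for the case where nothing reaches the event log.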
