Source: BleepingComputer Author: Bill Toulas URL: https://www.bleepingcomputer.com/news/security/hackers-use-windows-rid-hijacking-to-create-hidden-admin-account/
ONE SENTENCE SUMMARY:

North Korean hackers, linked to the Andariel group, exploit RID hijacking to stealthily elevate low-privileged Windows accounts to admin-level.

MAIN POINTS:

- RID hijacking modifies the RID of low-privilege accounts to gain administrative permissions in Windows systems.
- The attack requires SYSTEM access, which hackers achieve through vulnerabilities and tools like PsExec and JuicyPotato.
- Andariel, a group linked to North Korea’s Lazarus hackers, is responsible for these attacks.
- Hackers create hidden accounts using the “net user” command with the ‘$’ suffix for stealth.
- Modifications to the SAM registry enable RID hijacking, leveraging custom malware and open-source tools.
- SYSTEM access does not persist after reboots, prompting attackers to elevate privileges for stealth and persistence.
- Hackers add compromised accounts to the Remote Desktop Users and Administrators groups for extended control.
- To cover tracks, attackers delete rogue accounts and registry keys, then restore them from backups as needed.
- Mitigation strategies include monitoring SAM registry changes, using multi-factor authentication, and restricting suspicious tools.
- RID hijacking was first disclosed in 2018 as a Windows persistence technique at DerbyCon 8.

TAKEAWAYS:

- RID hijacking exploits Windows security identifiers to stealthily elevate user privileges.
- The Andariel group uses SYSTEM access and registry modifications for stealthy, persistent attacks.
- Hidden accounts are created and manipulated to avoid detection during these attacks.
- Tools like PsExec and JuicyPotato are instrumental in initial access and privilege escalation.
- Robust system monitoring and multi-factor authentication are crucial for mitigating RID hijacking risks.
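The summary recommends monitoring SAM registry changes and notes that attackers hide accounts with a ‘$’ suffix. The following PowerShell audit script is an added example for defenders; it is not code from the BleepingComputer article or from any tool mentioned in it. It assumes the publicly documented SAM layout: per-user keys under HKLM\SAM\SAM\Domains\Account\Users are named with the account's RID in hex, and the binary F value stores the effective RID as a little-endian DWORD at offset 0x30 (both assumptions are labelled in the code). The RID comparison only works when the script runs as SYSTEM, since the SAM hive is not readable by ordinary administrators; the ‘$’-suffix check works from any elevated session.

```powershell
# Added defender-side example (not from the article). Audits a Windows host for
# two RID-hijacking indicators:
#   1. local accounts whose name ends in '$' (hidden from 'net user' output);
#   2. SAM user keys whose F value holds a RID that differs from the key's own RID.
# ASSUMPTIONS: key names under $UsersKey are 8-hex-digit RIDs, and the F value
# keeps the RID as a little-endian UInt32 at offset 0x30. Reading HKLM:\SAM
# requires SYSTEM rights (e.g. a scheduled task running as SYSTEM).

function Get-RidHijackIndicators {
    [CmdletBinding()]
    param(
        [string]$UsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users',
        [int]$FOffset = 0x30   # assumed RID offset inside the F value
    )

    $findings = @()

    # Check 1: '$'-suffixed local accounts. Legitimate ones are rare on
    # workstations, so each hit deserves a look.
    foreach ($u in Get-LocalUser) {
        if ($u.Name.EndsWith('$')) {
            $findings += [pscustomobject]@{
                Check   = 'HiddenAccountName'
                Account = $u.Name
                Detail  = 'Local account name ends with $'
            }
        }
    }

    # Check 2: compare the RID encoded in the key name with the RID stored in F.
    # In RID hijacking the stored value is rewritten (typically to 500, the
    # built-in Administrator RID) while the key name keeps the original RID.
    try {
        $keys = Get-ChildItem -Path $UsersKey -ErrorAction Stop
    } catch {
        Write-Warning "Cannot enumerate $UsersKey (run as SYSTEM to check F values): $_"
        return $findings
    }

    foreach ($key in $keys) {
        $name = $key.PSChildName
        if ($name -notmatch '^[0-9A-Fa-f]{8}$') { continue }   # skips the 'Names' subkey
        $keyRid = [Convert]::ToUInt32($name, 16)

        $f = (Get-ItemProperty -Path $key.PSPath -Name F -ErrorAction SilentlyContinue).F
        if (-not $f -or $f.Length -lt ($FOffset + 4)) { continue }

        $storedRid = [BitConverter]::ToUInt32($f, $FOffset)
        if ($storedRid -ne $keyRid) {
            $findings += [pscustomobject]@{
                Check   = 'RidMismatch'
                Account = "SAM key $name"
                Detail  = "Key RID $keyRid but F value holds RID $storedRid"
            }
        }
    }

    return $findings
}

# Usage: an empty table means neither indicator was found on this host.
Get-RidHijackIndicators | Format-Table -AutoSize
```

Because the article notes that attackers may delete the rogue account and registry key afterwards, a point-in-time audit like this should be paired with continuous monitoring of value writes under the SAM Users keys (for example, Sysmon registry value-set events forwarded to a SIEM), so that the modification is captured even if the artefact is later removed.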