RID hijacking conducted by Andariel
North Korean state-sponsored threat group Andariel has been tricking Windows into treating a low-privileged local account as an administrator in a Relative Identifier (RID) hijacking attack that combined a custom malicious file with an open source tool, according to BleepingComputer.

After exploiting a vulnerability and using PsExec and JuicyPotato to escalate to SYSTEM on targeted devices, Andariel, which has been linked to the North Korean hacking collective Lazarus Group, quietly created a low-privileged local user and then edited the Security Account Manager (SAM) registry to carry out the RID hijack, a report from AhnLab Security Intelligence Center showed. The SYSTEM foothold is a prerequisite rather than a detail: the SAM hive under HKLM\SAM is readable and writable only by SYSTEM, not by ordinary administrators. Windows decides which account a logon belongs to from the RID stored in the SAM, so rewriting a new account's RID to that of an administrator makes the operating system grant it that administrator's privileges while it still appears to be an ordinary user. Andariel then made further registry modifications and deleted the account and its registry key to hide the activity, the researchers said.

Mitigating RID hijacking requires monitoring logon attempts and password changes through the Local Security Authority Subsystem Service (LSASS), restricting the execution of PsExec and JuicyPotato, and enforcing multi-factor authentication on all accounts.
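The following PowerShell check is an added example written for this article; it is not code from AhnLab, BleepingComputer or Andariel. It looks for the two artifacts a RID hijack leaves behind: an account key under the SAM whose stored RID (the little-endian DWORD at offset 0x30 of the binary F value) no longer matches the RID in the key name, and local account names ending in `$`, which `net user` does not list. The SAM path, the F value offset and the requirement to run as SYSTEM are assumptions stated in the comments; the script must be launched from a SYSTEM shell (for example `psexec -s -i powershell.exe`) because administrators cannot read HKLM\SAM.

```powershell
# Added RID-hijack detection check (not from the original report).
# Assumes: run as SYSTEM, default SAM layout, RID stored at F[0x30..0x33].
$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

if (-not (Test-Path $usersKey)) {
    throw "Cannot open $usersKey - run this from a SYSTEM shell (e.g. psexec -s -i powershell.exe)"
}

$findings = @()

# Each account has a subkey named with its RID as 8 hex digits (e.g. 000001F4 = 500).
foreach ($key in Get-ChildItem -Path $usersKey) {
    if ($key.PSChildName -notmatch '^[0-9A-F]{8}$') { continue }   # skip the 'Names' subkey

    $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)
    $f = (Get-ItemProperty -Path $key.PSPath -Name F -ErrorAction SilentlyContinue).F
    if (-not $f -or $f.Length -lt 0x34) { continue }

    # The RID Windows actually assigns at logon is the DWORD at offset 0x30 of F.
    $storedRid = [BitConverter]::ToUInt32($f, 0x30)

    if ($storedRid -ne $keyRid) {
        $findings += [pscustomobject]@{
            Key       = $key.PSChildName
            KeyRid    = $keyRid
            StoredRid = $storedRid
            Note      = if ($storedRid -eq 500) { 'hijacked to built-in Administrator' } else { 'RID mismatch' }
        }
    }
}

# Accounts whose names end in '$' are hidden from 'net user' output.
$hidden = Get-ChildItem -Path "$usersKey\Names" |
    Where-Object { $_.PSChildName.EndsWith('$') } |
    Select-Object -ExpandProperty PSChildName

if ($findings.Count -gt 0) {
    'RID mismatches found:'
    $findings | Format-Table -AutoSize
} else {
    'No RID mismatch found in SAM.'
}

if ($hidden) {
    'Hidden (' + '$' + '-suffixed) local accounts: ' + ($hidden -join ', ')
}
```

Run it on a known-clean host first to confirm the SAM layout matches the offset assumed here; on a healthy system every account key's stored RID equals its key name. A mismatch, especially one pointing at RID 500, is worth an immediate look at the LSASS logon events for that account, since the hijacked user will appear in the Security log under its own name while acting with administrator rights.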