A North Korean cybercriminal group, Andariel, has been found using a stealthy hacking technique called RID hijacking to gain full control over Windows systems. This method allows attackers to manipulate a computer’s security settings, turning a low-privilege user account into an administrator account and granting them hidden control over the system.
What is RID Hijacking and How Does It Work?
Windows assigns each user account a Security Identifier (SID), which includes a Relative Identifier (RID) that defines the account’s access level. Key RIDs include:
- 500 – Default administrator account
- 501 – Guest account
- 1000+ – Regular user accounts
Hackers exploit this system by modifying the RID of a normal user account to match that of an administrator. Since Windows determines permissions based on RID values, the system unknowingly grants higher-level access to what appears to be a low-privilege account. However, this attack requires deep access to the system’s core security files, specifically the Security Account Manager (SAM) registry, where user login details are stored.
Researchers from AhnLab Security Intelligence Center (ASEC) have linked these attacks to Andariel, a North Korean hacking group that is part of Lazarus, a well-known state-sponsored cybercrime organization. Andariel typically gains initial access by exploiting software vulnerabilities or tricking users into downloading malware. Once inside, they use hacking tools like PsExec and JuicyPotato to obtain SYSTEM-level privileges, the highest level of access on a Windows machine.
However, SYSTEM-level access has limitations, such as the inability to log in remotely, lack of persistence after a system restart, and high visibility to security systems. To overcome these, Andariel creates a hidden user account using the Windows "net user" command, adding a "$" symbol at the end of the username to make it invisible in regular user lists. They then modify its RID to that of an administrator, granting it full control over the system while remaining undetected.
How to Defend Against RID Hijacking
To protect against RID hijacking, organizations and IT administrators can take the following steps:
- Monitor User Login Activity: Use the Local Security Authority (LSA) Subsystem Service to track unusual logins or permission changes.
- Secure Critical System Files: Restrict unauthorized modifications to the SAM registry, where login credentials are stored.
- Block Hacking Tools: Prevent tools like PsExec and JuicyPotato from running, as they are commonly used for privilege escalation.
- Implement Multi-Factor Authentication (MFA): Require an extra authentication step for all accounts, even low-level ones, to prevent unauthorized access.
- Regularly Audit User Accounts: Check for hidden or suspicious accounts, especially those with "$" symbols or unusual RID values.
RID hijacking has been known since 2018, when cybersecurity researchers first demonstrated it as a way to maintain persistent access on Windows systems. However, its recent use by North Korean state-sponsored hackers highlights the growing sophistication of cyberattacks. By making small, undetectable changes to Windows user settings, hackers can silently maintain control over a compromised system, making it much harder for security teams to remove them.
The use of RID hijacking by North Korean hackers underscores the importance of proactive cybersecurity measures. Organizations must monitor user accounts, detect hidden activity, and secure critical system files to defend against such stealthy attacks. By staying vigilant and implementing robust security practices, businesses can better protect their systems from advanced threats like RID hijacking.
