Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Lazarus hacking group. Show all posts
North Korea
Cyber Crime Lazarus hacking group MFA North Korea

North Korean Hackers Exploit RID Hijacking to Gain Full Control Over Windows Systems

 


A North Korean cybercriminal group, Andariel, has been found using a stealthy hacking technique called RID hijacking to gain full control over Windows systems. This method allows attackers to manipulate a computer’s security settings, turning a low-privilege user account into an administrator account and granting them hidden control over the system.

What is RID Hijacking and How Does It Work?

Windows assigns each user account a Security Identifier (SID), which includes a Relative Identifier (RID) that defines the account’s access level. Key RIDs include:

  • 500 – Default administrator account
  • 501 – Guest account
  • 1000+ – Regular user accounts

Hackers exploit this system by modifying the RID of a normal user account to match that of an administrator. Since Windows determines permissions based on RID values, the system unknowingly grants higher-level access to what appears to be a low-privilege account. However, this attack requires deep access to the system’s core security files, specifically the Security Account Manager (SAM) registry, where user login details are stored.

Researchers from AhnLab Security Intelligence Center (ASEC) have linked these attacks to Andariel, a North Korean hacking group that is part of Lazarus, a well-known state-sponsored cybercrime organization. Andariel typically gains initial access by exploiting software vulnerabilities or tricking users into downloading malware. Once inside, they use hacking tools like PsExec and JuicyPotato to obtain SYSTEM-level privileges, the highest level of access on a Windows machine.

However, SYSTEM-level access has limitations, such as the inability to log in remotely, lack of persistence after a system restart, and high visibility to security systems. To overcome these, Andariel creates a hidden user account using the Windows "net user" command, adding a "$" symbol at the end of the username to make it invisible in regular user lists. They then modify its RID to that of an administrator, granting it full control over the system while remaining undetected.

How to Defend Against RID Hijacking

To protect against RID hijacking, organizations and IT administrators can take the following steps:

  1. Monitor User Login Activity: Use the Local Security Authority (LSA) Subsystem Service to track unusual logins or permission changes.
  2. Secure Critical System Files: Restrict unauthorized modifications to the SAM registry, where login credentials are stored.
  3. Block Hacking Tools: Prevent tools like PsExec and JuicyPotato from running, as they are commonly used for privilege escalation.
  4. Implement Multi-Factor Authentication (MFA): Require an extra authentication step for all accounts, even low-level ones, to prevent unauthorized access.
  5. Regularly Audit User Accounts: Check for hidden or suspicious accounts, especially those with "$" symbols or unusual RID values.

RID hijacking has been known since 2018, when cybersecurity researchers first demonstrated it as a way to maintain persistent access on Windows systems. However, its recent use by North Korean state-sponsored hackers highlights the growing sophistication of cyberattacks. By making small, undetectable changes to Windows user settings, hackers can silently maintain control over a compromised system, making it much harder for security teams to remove them.

The use of RID hijacking by North Korean hackers underscores the importance of proactive cybersecurity measures. Organizations must monitor user accounts, detect hidden activity, and secure critical system files to defend against such stealthy attacks. By staying vigilant and implementing robust security practices, businesses can better protect their systems from advanced threats like RID hijacking.

Read more »
Zero-day vulnerability
Cyber Security Cyber Threats Cybersecurity Warning Global Supply-Chain Attack Lazarus hacking group MagicLine4NX Software Security Authentication State-sponsored Hackers Zero-day vulnerability

The Lazarus Hacking Group's Covert Strategy: Utilizing MagicLine4NX Software in a Global Supply-Chain Assault

 

In a joint effort, the National Cyber Security Centre (NCSC) and South Korea's National Intelligence Service (NIS) have issued a serious warning about the activities of the Lazarus hacking group, associated with North Korea. The group is exploiting a zero-day vulnerability found in the widely-used MagicLine4NX software, leading to a series of sophisticated supply-chain attacks affecting various entities globally.

The MagicLine4NX software, developed by Dream Security in South Korea, is a crucial joint certificate program for secure logins and digital transactions. Exploiting a vulnerability in this software, cyber actors gained unauthorized access to the intranets of targeted organizations, breaching security authentication systems in the process.

The joint advisory revealed, "Cyber actors utilized the software vulnerabilities to gain unauthorized access to the intranet of a target organization. They exploited the MagicLine4NX security authentication program for initial intrusion and a zero-day vulnerability in network-linked systems to move laterally, accessing sensitive information."

The intricate attack chain began with a watering hole attack, a tactic where hackers compromise websites frequented by specific users. In this case, state-sponsored hackers infiltrated a media outlet's website, embedding malicious scripts into an article. The attack specifically targeted visitors using certain IP ranges. When visitors employed the MagicLine4NX authentication software and accessed the compromised website, the embedded code executed, providing hackers with complete control over the system.

Subsequently, the attackers accessed an internet-side server from a network-connected PC, exploiting system vulnerabilities. They then spread the malicious code to a business-side server via a network-linked system's data synchronization function.

Despite security measures, the threat actors persisted in attempting to infiltrate business PCs with the aim of extracting sensitive information. The malware established a connection to two C2 servers—one serving as a gateway within the network-linked system and the other located externally on the internet. The report noted, "The malicious code attempted to move data from the internal server to the external server but was thwarted by the security policy. Had it succeeded, substantial internal network information might have been compromised."

The warning emphasized the severity of such attacks, citing previous supply chain intrusions by North Korea-linked APT groups. Notably, the Labyrinth Chollima APT targeted VoIP software maker 3CX, leading cybersecurity vendors to detect the popular software as malware. In a separate incident, Microsoft Threat Intelligence researchers exposed a supply chain attack by APT Diamond Sleet (ZINC), affecting over 100 devices across Japan, Taiwan, Canada, and the United States.

As cybersecurity agencies work to contain these threats, the increasing sophistication of these attacks underscores the urgent need for heightened vigilance and robust security measures against supply-chain vulnerabilities.
Read more »
Tech
Crypto Attack cryptocurrency engineers Cyber Attacks Cybersecurity KandyKorn Lazarus hacking group MacOS Malware Tech

Cryptocurrency Engineers Targeted by New macOS Malware 'KandyKorn'

 

A newly identified macOS malware called 'KandyKorn' has been discovered in a cyber campaign linked to the North Korean hacking group Lazarus. The targets of this attack are blockchain engineers associated with a cryptocurrency exchange platform.

The attackers are using Discord channels to pose as members of the cryptocurrency community and distribute Python-based modules. These modules initiate a complex KandyKorn infection process.

Elastic Security, the organization that uncovered the attack, has linked it to Lazarus based on similarities with their previous campaigns, including techniques used, network infrastructure, code-signing certificates, and custom detection methods for Lazarus activity. 

The attack starts with social engineering on Discord, where victims are tricked into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip.' This archive contains a Python script ('Main.py') that imports 13 modules, triggering the first payload, 'Watcher.py.' 

Watcher.py downloads and executes another Python script called 'testSpeed.py' and a file named 'FinderTools' from a Google Drive URL. FinderTools then fetches and runs an obfuscated binary named 'SugarLoader,' which appears as both .sld and .log Mach-O executables.

SugarLoader establishes a connection with a command and control server to load the final payload, KandyKorn, into memory.

In the final stage, a loader known as HLoader is used. It impersonates Discord and employs macOS binary code-signing techniques seen in previous Lazarus campaigns. HLoader ensures persistence for SugarLoader by manipulating the real Discord app on the compromised system.

KandyKorn serves as the advanced final-stage payload, allowing Lazarus to access and steal data from the infected computer. It operates discreetly in the background, awaiting commands from the command and control server, and takes steps to minimize its trace on the system.

KandyKorn supports a range of commands, including terminating processes, gathering system information, listing directory contents, uploading and exfiltrating files, securely deleting files, and executing system commands, among others.

The Lazarus group primarily targets the cryptocurrency sector for financial gain, rather than engaging in espionage. The presence of KandyKorn highlights that macOS systems are also vulnerable to Lazarus' attacks, showcasing the group's ability to create sophisticated and inconspicuous malware tailored for Apple computers.
Read more »
Subscribe to: Posts (Atom)