North Korean Hackers Exploit RID Hijacking for Admin Access
/ 1 min read
🦠 North Korean hackers exploit RID hijacking to gain admin access on Windows systems. The Andariel threat group, linked to North Korea’s Lazarus hackers, has been using a technique called RID hijacking to elevate low-privileged accounts to administrator status on compromised Windows systems. This method involves modifying the Relative Identifier (RID) in the Security Account Manager (SAM) registry, allowing attackers to create hidden accounts that evade detection. Researchers from AhnLab detail how the group first gains SYSTEM access through vulnerabilities, then uses custom malware and open-source tools to perform the hijacking. To mitigate such attacks, experts recommend monitoring logon attempts, restricting certain tools, and implementing multi-factor authentication for all accounts. RID hijacking has been known since at least 2018, highlighting its ongoing relevance in cybersecurity threats.
