A North Korean cybercriminal group, Andariel, has been found using a stealthy hacking technique called RID hijacking to gain full control over Windows systems. This method allows attackers to manipulate a computer’s security settings, turning a low-privilege user account into an administrator account and granting them hidden control over the system.
What is RID Hijacking and How Does It Work?
Windows assigns each user account a Security Identifier (SID) whose final component, the Relative Identifier (RID), identifies that account on the machine; certain well-known RIDs are reserved for built-in accounts and therefore determine how much the account is trusted. Key RIDs include:
- 500 – Default administrator account
- 501 – Guest account
- 1000+ – Regular user accounts
Attackers abuse this scheme by rewriting the RID stored for an ordinary user account so that it matches the administrator's. Because Windows resolves an account's identity and privileges from that RID value, the system treats what still looks like a low-privilege account as the administrator. The attack is not cheap, however: it requires write access to the system's core security data, specifically the Security Account Manager (SAM) registry hive, where local account records are stored.
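One defensive check that follows from the description above, written as an added example for this page rather than code from ASEC or the attackers: each local account lives under a SAM registry key named after its RID in hex, and its F value stores the RID again as a 32-bit little-endian field at offset 0x30, so an exported hive can be audited by comparing the two. The sample F blobs below are constructed (zeros apart from the RID field), and the offset is the documented SAM layout.

```python
import struct
from typing import Dict, List, Tuple

# Offset of the 32-bit little-endian RID inside a user's F value
# (HKLM\SAM\SAM\Domains\Account\Users\<hex RID>\F).
RID_OFFSET = 0x30
F_MIN_LEN = RID_OFFSET + 4


def rid_from_key_name(key_name: str) -> int:
    """The subkey name under Users\\ is the RID in zero-padded hex, e.g. '000003E8' == 1000."""
    return int(key_name, 16)


def rid_from_f_value(f_value: bytes) -> int:
    """Read the RID that the F value itself claims for the account."""
    if len(f_value) < F_MIN_LEN:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def find_rid_hijacks(users: Dict[str, bytes]) -> List[Tuple[str, int, int]]:
    """Return (key_name, expected_rid, stored_rid) for every account whose F value
    carries a RID different from the one its registry key name says it should have."""
    findings = []
    for key_name, f_value in users.items():
        expected = rid_from_key_name(key_name)
        stored = rid_from_f_value(f_value)
        if stored != expected:
            findings.append((key_name, expected, stored))
    return findings


def make_f_value(rid: int, size: int = 0x50) -> bytes:
    """Build a constructed F blob for testing: zeros everywhere except the RID field."""
    blob = bytearray(size)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)


# Constructed sample hive contents: the built-in Administrator (500), Guest (501)
# and a normal user whose key is 1001 but whose F value has been rewritten to 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(500),
    "000001F5": make_f_value(501),
    "000003E9": make_f_value(500),  # hijacked: key name says 1001, F value says 500
}

if __name__ == "__main__":
    for key, expected, stored in find_rid_hijacks(SAMPLE_USERS):
        print(f"Users\\{key}: key name implies RID {expected} but F value stores RID {stored}")
```

On a live host the same comparison needs the F values read from the SAM hive with SYSTEM privileges, or from an offline copy of the hive.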
Researchers from AhnLab Security Intelligence Center (ASEC) have linked these attacks to Andariel, a North Korean hacki
[…]