North Korean Group Andariel Targets Windows Systems in RID Hijacking Attack
Identity And Access Management
CIO Bulletin
2025-01-29
Exploiting Windows vulnerabilities, Andariel carried out a RID hijacking operation that gave administrator control to low-privileged accounts, using the PsExec and JuicyPotato tools it had installed.
Windows system vulnerabilities enabled the North Korean threat group Andariel to carry out Relative Identifier (RID) hijacking attacks, which tricked the operating system into treating unprivileged accounts as administrators. Andariel, which operates under the Lazarus Group, used the PsExec and JuicyPotato tools to obtain SYSTEM access on the targeted devices.
Andariel first created a low-privileged user, then modified the Security Account Manager (SAM) registry to perform the RID hijacking, and finally made further registry changes to mask its activity.
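A defender-side consistency check for the SAM modification described above, added here as an example and not taken from the article: every user key under the SAM's Users hive is named after its RID, and the key's F value also carries a RID, so a mismatch (a low-privileged key whose F value now carries RID 500) is the signature of a hijacked account. The F-value layout (RID at offset 0x30) and the sample entries are assumptions constructed for illustration.

```python
import struct

# Offset of the 4-byte little-endian RID inside the SAM "F" value found under
# HKLM\SAM\SAM\Domains\Account\Users\<RID>. Assumed layout based on public SAM
# documentation; the article itself does not describe the value format.
F_RID_OFFSET = 0x30
ADMIN_RID = 500  # RID of the built-in Administrator account


def embedded_rid(f_value: bytes) -> int:
    """Return the RID stored inside a user's F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def key_rid(key_name: str) -> int:
    """RID implied by the registry key name (hex, e.g. '000003F1' -> 1009)."""
    return int(key_name, 16)


def find_rid_hijacks(users: dict) -> list:
    """users maps key name -> F value bytes.

    Returns (key_name, key_rid, embedded_rid, is_admin) for every account
    whose embedded RID disagrees with its key name, flagging whether the
    embedded RID is the Administrator RID that hijacking typically targets.
    """
    findings = []
    for name, f in users.items():
        k, e = key_rid(name), embedded_rid(f)
        if k != e:
            findings.append((name, k, e, e == ADMIN_RID))
    return findings


def make_f_value(rid: int) -> bytes:
    """Constructed sample F value: zero-filled blob with a RID at F_RID_OFFSET."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample SAM entries (not real registry data).
SAMPLE_USERS = {
    "000001F4": make_f_value(500),   # built-in Administrator, consistent
    "000003E9": make_f_value(1001),  # ordinary user, consistent
    "000003F1": make_f_value(500),   # low-privileged key rewritten to RID 500
}

if __name__ == "__main__":
    for name, k, e, is_admin in find_rid_hijacks(SAMPLE_USERS):
        print(f"{name}: key RID {k} but F-value RID {e} (admin={is_admin})")
```

On a live host the same comparison can be run against exported SAM user keys taken from a forensic image or a backup, rather than from the running registry.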
Experts advise defenders to monitor passwords, control the execution of PsExec and JuicyPotato, and watch for suspicious logon attempts. As a stronger measure, organizations should require multi-factor authentication for all accounts.
Andariel's coordinated attack demonstrates the evolving sophistication of state-sponsored cyber threats, which now focus on critical infrastructure. Organizations need to actively implement security measures through system audits, endpoint protection, and employee training that teaches staff to recognize suspicious activity, so they can better defend against advanced privilege escalation attacks.