The hackers used a custom malicious file and an open source tool for the hijacking attack.
On 1/24/2025 2:00 PM, CrudeSausage wrote:
> The hackers used a custom malicious file and an open source tool for
> the hijacking attack.

FOSS = giving away code for criminals since 1984
<https://www.bleepingcomputer.com/news/security/hackers-use-windows-rid-hijacking-to-create-hidden-admin-account/>
A North Korean threat group has been using a technique called RID hijacking that tricks Windows into treating a low-privileged account as one with administrator permissions.
The hackers used a custom malicious file and an open source tool for the hijacking attack. Both utilities can perform the attack but researchers at South Korean cybersecurity company AhnLab say that there are differences.
How RID hijacking works
The Relative Identifier (RID) in Windows is part of the Security Identifier (SID), a unique tag assigned to every user account to distinguish between them.
RID can take values that indicate the account’s level of access, such as “500” for administrators, “501” for guest accounts, “1000” for regular users, and “512” for the domain admins group.
RID hijacking occurs when attackers modify the RID of a low-privilege account to match the value of an administrator account, and Windows will grant it elevated access.
However, performing the attack requires access to the SAM registry, so the hackers need to first breach the system and gain SYSTEM access.
[Figure: RID hijacking process. Source: ASEC]
Andariel attacks
ASEC researchers, AhnLab's security intelligence center, attribute the attack to Andariel threat group, which has been linked to North Korea's Lazarus hacker group.
The attacks begin with Andariel having SYSTEM access on the target via the exploitation of a vulnerability.
The hackers achieve the initial escalation by using tools such as PsExec and JuicyPotato to launch a SYSTEM-level command prompt.
Although SYSTEM access is the highest level on Windows, it does not allow remote access, cannot interact with GUI apps, is very noisy and likely to be detected, and cannot persist between system reboots.
To address these issues, Andariel first created a hidden, low-privilege local user by using the "net user" command and adding the '$' character at the end.
In doing so, the attacker ensured that the account is not visible through the "net user" command and can be identified only in the SAM registry. Then they performed the RID hijacking to increase permissions to admin.
[Figure: Hidden Andariel account on compromised Windows system. Source: AhnLab]
According to the researchers, Andariel added their account to the Remote Desktop Users and Administrators groups.
The RID hijacking required for this is possible through Security Account Manager (SAM) registry modifications. The North Koreans use custom malware and an open-source tool to perform the changes.
[Figure: Tools. Source: ASEC]
Although SYSTEM access allows admin account creation directly, certain restrictions may apply depending on the security settings. Elevating the privileges of regular accounts is far stealthier and harder to detect and stop.
Andariel further attempts to cover its tracks by exporting the modified registry settings, deleting the key and the rogue account, and then re-registering it from a saved backup, allowing reactivation without appearing in system logs.
To mitigate risks for RID hijacking attacks, system admins should use Local Security Authority (LSA) Subsystem Service to check for logon attempts and password changes, as well as prevent unauthorized access and changes to the SAM registry.
It is also advisable to restrict the execution of PsExec, JuicyPotato, and similar tools, disable the Guest account, and protect all existing accounts, even low-privileged, with multi-factor authentication.
It is worth noting that RID hijacking has been known since at least 2018 when security researcher Sebastián Castro presented the attack at DerbyCon 8 as a persistence technique on Windows systems.
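The article above describes the RID hijacking chain and its mitigations in prose only. As an added example (not code from BleepingComputer, AhnLab/ASEC or anyone in this thread), the following PowerShell script is a defender-side triage pass over a single Windows host for the indicators the article names: local accounts whose names end in '$' (hidden from "net user" but returned by the SAM API that Get-LocalUser uses), current membership of the Administrators and Remote Desktop Users groups, and the Security log events that an account-create / add-to-group / delete sequence leaves behind (4720, 4732, 4726). The 30-day lookback and the output layout are my own choices, not anything the article prescribes.

```powershell
# Added triage example for the RID-hijacking indicators described in the
# article; not code from BleepingComputer, AhnLab/ASEC or this thread.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows, the
# Microsoft.PowerShell.LocalAccounts module, and an elevated session
# (reading the Security log needs administrator rights).

# Lookback window for the event-log query (an assumption for this example).
$lookbackDays = 30

# 1. Enumerate local accounts through the SAM API. Unlike "net user", this
#    also lists accounts whose names end in '$', so a hidden account stands out.
$accounts = Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Enabled    = $_.Enabled
        SID        = $_.SID.Value
        # The RID is the last sub-authority of the account's SID.
        RID        = [int]($_.SID.Value -split '-')[-1]
        HiddenName = $_.Name.EndsWith('$')
        LastLogon  = $_.LastLogon
    }
}
"--- Local accounts ---"
$accounts | Format-Table -AutoSize

foreach ($a in ($accounts | Where-Object { $_.HiddenName })) {
    Write-Warning ("Account '{0}' (RID {1}, Enabled={2}) is hidden from 'net user' output" -f $a.Name, $a.RID, $a.Enabled)
}

# 2. Current membership of the two groups the article says the attacker joined.
$members = foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group  = $group
            Member = $_.Name
            Type   = $_.ObjectClass
            SID    = $_.SID.Value
        }
    }
}
"--- Privileged group membership ---"
$members | Format-Table -AutoSize

# 3. Account lifecycle events from the Security log:
#    4720 = user account created, 4732 = member added to a security-enabled
#    local group, 4726 = user account deleted.
"--- Account lifecycle events (last $lookbackDays days) ---"
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4732, 4726
    StartTime = (Get-Date).AddDays(-$lookbackDays)
}
# Get-WinEvent raises an error when nothing matches; treat that as "no events".
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0].Trim() } } |
    Format-Table -AutoSize
```

Run it from an elevated prompt on the host being checked. A '$'-suffixed local account, an unexpected member of either group, or a 4720 followed shortly by a 4732 and then a 4726 for the same name is the pattern worth pulling the SAM hive and full event records for; the script only surfaces the candidates, it does not decide.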
On Fri, 24 Jan 2025 17:39:21 -0500, DFS wrote:
> On 1/24/2025 2:00 PM, CrudeSausage wrote:
>> The hackers used a custom malicious file and an open source tool for
>> the hijacking attack.
>
> FOSS = giving away code for criminals since 1984

If the very existence of FOSS can make proprietary code insecure, is there any hope for proprietary code at all?
On 1/25/2025 10:46 PM, Lawrence D'Oliveiro wrote:
> On Fri, 24 Jan 2025 17:39:21 -0500, DFS wrote:
>> On 1/24/2025 2:00 PM, CrudeSausage wrote:
>>> The hackers used a custom malicious file and an open source tool for
>>> the hijacking attack.
>>
>> FOSS = giving away code for criminals since 1984
>
> If the very existence of FOSS can make proprietary code insecure, is
> there any hope for proprietary code at all?

https://companiesmarketcap.com/software/largest-software-companies-by-market-cap/
On Sun, 26 Jan 2025 10:52:35 -0500, DFS wrote:
> On 1/25/2025 10:46 PM, Lawrence D'Oliveiro wrote:
>> On Fri, 24 Jan 2025 17:39:21 -0500, DFS wrote:
>>> On 1/24/2025 2:00 PM, CrudeSausage wrote:
>>>> The hackers used a custom malicious file and an open source tool for
>>>> the hijacking attack.
>>>
>>> FOSS = giving away code for criminals since 1984
>>
>> If the very existence of FOSS can make proprietary code insecure, is
>> there any hope for proprietary code at all?
>
> https://companiesmarketcap.com/software/largest-software-companies-by-market-cap/

Now take out those whose products have any kind of dependency on FOSS at
all.

What's left?

Hint: *crickets*
"Is there any hope for proprietary code at all?"
[Ad-hominem Deflection]
when I see Winblows now it just looks inferior.
On Mon, 27 Jan 2025 08:26:06 -0500, DFS wrote:
> "Is there any hope for proprietary code at all?"
>
> [Ad-hominem Deflection]

Need I say more ...
On 2/6/2025 4:18 PM, Joel wrote:
> when I see Winblows now it just looks inferior.

What about it looks inferior to what you're using (Debian 12)?

I haven't run a Linux DE in a few years probably, so I am curious how
they're looking and feeling these days.
On 2025-02-07, CrudeSausage <crude@sausa.ge> wrote:
> On 2025-02-06 7:44 p.m., DFS wrote:
>> On 2/6/2025 4:18 PM, Joel wrote:
>>> when I see Winblows now it just looks inferior.
>>
>> What about it looks inferior to what you're using (Debian 12)?
>>
>> I haven't run a Linux DE in a few years probably, so I am curious how
>> they're looking and feeling these days.
>
> KDE is spectacular, the rest is underwhelming. However, most people
> using Linux aren't looking for something pretty since they believe that
> the OS should stay out of the way. They would want resources to
> primarily be available to the software rather than the operating system
> itself.
>
> Still, KDE compares very favourably with the commercial competition.

To me KDE is kind of "gimmicky." I like Cinnamon, Mate and Xfce much better.
(Mate and Xfce the way Linux Mint sets them up, not necessarily "generic"
versions.) I don't like "standard" Gnome at all.

That's one of the advantages of Linux. Lots of choice, not "one size fits
all."
On 2025-02-08, CrudeSausage <crude@sausa.ge> wrote:
> On 2025-02-07 12:41 p.m., RonB wrote:
>> On 2025-02-07, CrudeSausage <crude@sausa.ge> wrote:
>>> On 2025-02-06 7:44 p.m., DFS wrote:
>>>> On 2/6/2025 4:18 PM, Joel wrote:
>>>>> when I see Winblows now it just looks inferior.
>>>>
>>>> What about it looks inferior to what you're using (Debian 12)?
>>>>
>>>> I haven't run a Linux DE in a few years probably, so I am curious how
>>>> they're looking and feeling these days.
>>>
>>> KDE is spectacular, the rest is underwhelming. However, most people
>>> using Linux aren't looking for something pretty since they believe that
>>> the OS should stay out of the way. They would want resources to
>>> primarily be available to the software rather than the operating system
>>> itself.
>>>
>>> Still, KDE compares very favourably with the commercial competition.
>>
>> To me KDE is kind of "gimmicky." I like Cinnamon, Mate and Xfce much better.
>> (Mate and Xfce the way Linux Mint sets them up, not necessarily "generic"
>> versions.) I don't like "standard" Gnome at all.
>>
>> That's one of the advantages of Linux. Lots of choice, not "one size fits
>> all."
>
> I find just about everything about KDE to be perfect. The fact that it
> allows me to know how much wear there is on my battery by default is
> spectacular. In Windows, you need BatteryBar to get that information or
> to run a command in the terminal. It also makes theming easy unlike
> Gnome. Desktop effects are also there if you want to make a change or
> modify how it works. Meanwhile, it doesn't feel heavy at all and I found
> it to be rock solid. It will definitely be my choice of desktop
> environment going forward.

I understand. I don't like KDE. Too "busy" for me. But that's the advantage
of Linux with the ability to choose and use what you like.

As for battery health I can just type inxi -B in a terminal. Now I see I
have a discrepancy. The BIOS shows "excellent battery health" and inxi -B
shows 67% health on my newest laptop. I'm guessing inxi -B is right since
I'm only getting about 7 hours battery life on this Latitude 5300. It's
supposed to be somewhere around ten hours (or even 12).

inxi is useful for a lot of things.
On 2025-02-08, CrudeSausage <crude@sausa.ge> wrote:
> On 2025-02-08 2:27 a.m., RonB wrote:
>> On 2025-02-08, CrudeSausage <crude@sausa.ge> wrote:
>>> On 2025-02-07 12:41 p.m., RonB wrote:
>>>> On 2025-02-07, CrudeSausage <crude@sausa.ge> wrote:
>>>>> On 2025-02-06 7:44 p.m., DFS wrote:
>>>>>> On 2/6/2025 4:18 PM, Joel wrote:
>>>>>>> when I see Winblows now it just looks inferior.
>>>>>>
>>>>>> What about it looks inferior to what you're using (Debian 12)?
>>>>>>
>>>>>> I haven't run a Linux DE in a few years probably, so I am curious how
>>>>>> they're looking and feeling these days.
>>>>>
>>>>> KDE is spectacular, the rest is underwhelming. However, most people
>>>>> using Linux aren't looking for something pretty since they believe that
>>>>> the OS should stay out of the way. They would want resources to
>>>>> primarily be available to the software rather than the operating system
>>>>> itself.
>>>>>
>>>>> Still, KDE compares very favourably with the commercial competition.
>>>>
>>>> To me KDE is kind of "gimmicky." I like Cinnamon, Mate and Xfce much better.
>>>> (Mate and Xfce the way Linux Mint sets them up, not necessarily "generic"
>>>> versions.) I don't like "standard" Gnome at all.
>>>>
>>>> That's one of the advantages of Linux. Lots of choice, not "one size fits
>>>> all."
>>>
>>> I find just about everything about KDE to be perfect. The fact that it
>>> allows me to know how much wear there is on my battery by default is
>>> spectacular. In Windows, you need BatteryBar to get that information or
>>> to run a command in the terminal. It also makes theming easy unlike
>>> Gnome. Desktop effects are also there if you want to make a change or
>>> modify how it works. Meanwhile, it doesn't feel heavy at all and I found
>>> it to be rock solid. It will definitely be my choice of desktop
>>> environment going forward.
>>
>> I understand. I don't like KDE. Too "busy" for me. But that's the advantage
>> of Linux with the ability to choose and use what you like.
>>
>> As for battery health I can just type inxi -B in a terminal. Now I see I
>> have a discrepancy. The BIOS shows "excellent battery health" and inxi -B
>> shows 67% health on my newest laptop. I'm guessing inxi -B is right since
>> I'm only getting about 7 hours battery life on this Latitude 5300. It's
>> supposed to be somewhere around ten hours (or even 12).
>>
>> inxi is useful for a lot of things.
>
> 67% health suggests that you routinely charge it to 100% and let it
> drain to 0%. I never do. I charge to 80% and usually charge before it
> gets to 40%. As a result, even after two years since my battery change,
> my health is at 98%. It was the same on the Mac before I got rid of it.

I haven't had the computer long enough to "routinely" do anything to it. But
I honestly believe that these Latitudes were used for desktop computers at
Idaho Power and were always attached to Docks — so constantly charging to
100%.
On 2025-02-08, CrudeSausage <crude@sausa.ge> wrote:
> On 2025-02-08 10:43 a.m., RonB wrote:
>> On 2025-02-08, CrudeSausage <crude@sausa.ge> wrote:
>>> On 2025-02-08 2:27 a.m., RonB wrote:
>>>> On 2025-02-08, CrudeSausage <crude@sausa.ge> wrote:
>>>>> On 2025-02-07 12:41 p.m., RonB wrote:
>>>>>> On 2025-02-07, CrudeSausage <crude@sausa.ge> wrote:
>>>>>>> On 2025-02-06 7:44 p.m., DFS wrote:
>>>>>>>> On 2/6/2025 4:18 PM, Joel wrote:
>>>>>>>>> when I see Winblows now it just looks inferior.
>>>>>>>>
>>>>>>>> What about it looks inferior to what you're using (Debian 12)?
>>>>>>>>
>>>>>>>> I haven't run a Linux DE in a few years probably, so I am curious how
>>>>>>>> they're looking and feeling these days.
>>>>>>>
>>>>>>> KDE is spectacular, the rest is underwhelming. However, most people
>>>>>>> using Linux aren't looking for something pretty since they believe that
>>>>>>> the OS should stay out of the way. They would want resources to
>>>>>>> primarily be available to the software rather than the operating system
>>>>>>> itself.
>>>>>>>
>>>>>>> Still, KDE compares very favourably with the commercial competition.
>>>>>>
>>>>>> To me KDE is kind of "gimmicky." I like Cinnamon, Mate and Xfce much better.
>>>>>> (Mate and Xfce the way Linux Mint sets them up, not necessarily "generic"
>>>>>> versions.) I don't like "standard" Gnome at all.
>>>>>>
>>>>>> That's one of the advantages of Linux. Lots of choice, not "one size fits
>>>>>> all."
>>>>>
>>>>> I find just about everything about KDE to be perfect. The fact that it
>>>>> allows me to know how much wear there is on my battery by default is
>>>>> spectacular. In Windows, you need BatteryBar to get that information or
>>>>> to run a command in the terminal. It also makes theming easy unlike
>>>>> Gnome. Desktop effects are also there if you want to make a change or
>>>>> modify how it works. Meanwhile, it doesn't feel heavy at all and I found
>>>>> it to be rock solid. It will definitely be my choice of desktop
>>>>> environment going forward.
>>>>
>>>> I understand. I don't like KDE. Too "busy" for me. But that's the advantage
>>>> of Linux with the ability to choose and use what you like.
>>>>
>>>> As for battery health I can just type inxi -B in a terminal. Now I see I
>>>> have a discrepancy. The BIOS shows "excellent battery health" and inxi -B
>>>> shows 67% health on my newest laptop. I'm guessing inxi -B is right since
>>>> I'm only getting about 7 hours battery life on this Latitude 5300. It's
>>>> supposed to be somewhere around ten hours (or even 12).
>>>>
>>>> inxi is useful for a lot of things.
>>>
>>> 67% health suggests that you routinely charge it to 100% and let it
>>> drain to 0%. I never do. I charge to 80% and usually charge before it
>>> gets to 40%. As a result, even after two years since my battery change,
>>> my health is at 98%. It was the same on the Mac before I got rid of it.
>>
>> I haven't had the computer long enough to "routinely" do anything to it. But
>> I honestly believe that these Latitudes were used for desktop computers at
>> Idaho Power and were always attached to Docks — so constantly charging to
>> 100%.
>
> Yeah, constantly being at 100% is no better than charging to 100%. The
> batteries also wear out from age, so there's no winning if longevity is
> your objective. I just know that staying out of the area above 80 and
> below 20 is the trick to keeping them for a while.

I'll try to do that when I get a new battery in the future.
On 2025-02-08 12:08 p.m., RonB wrote:
> [snip]
>
> I'll try to do that when I get a new battery in the future.

If you use tlp in Linux, preventing the operating system from charging
above 80 is rather easy. It's just a matter of removing a # from the
/etc/tlp.conf file.