Cyberattack, Asus RT-AX53U...?

Hi. I have been the target of a serious cyberattack. It started shortly after I started installing/using OpenWrt on my Asus RT-AX53U router.

First I noticed (Dec 23rd morning, Finland time) that somebody is using my Instagram and posting crypto spam with my profile. On the evening of Dec 23rd I noticed that all my Telegram sessions had been logged out and it appears I have lost access completely. On the morning of Dec 24th my LinkedIn profile was hijacked. The hijacker deleted everything except my name and contacts, put some Chinese content and a new profile picture there, and started spamming a couple of my contacts. It seems I have regained control of everything other than the Telegram profile.

Just to be safe I disconnected and powered off this router and put in a different one.

  1. People keep telling me that it would most likely be a session hijack attack and that in general OpenWrt should be safe, but is there even the slightest chance that the OpenWrt ROM or opkg packages could be injected with something that steals sessions/cookies?

  2. If the sessions were stolen from one of my devices instead of the router, is there some way (logs...?) to identify which device the sessions were stolen from? I have 3 Android phones, 1 Android tablet and 4-5 PCs (Windows; one is a dual boot with Ubuntu, and I am now using the Ubuntu side as it currently feels safer). It is a very hard task to identify / pinpoint where the attack happened (if it was not the router). All help appreciated. Below are links to the ROMs which I think I installed. I went there via the official OpenWrt page but cannot be sure whether there could have been a download button in an ad banner or something that takes you to a similar-looking site with infiltrated ROMs.

First installation should have been this (unless it was a similar-looking faked page):

https://downloads.openwrt.org/releases/24.10.4/targets/ramips/mt7621/openwrt-24.10.4-ramips-mt7621-asus_rt-ax53u-squashfs-factory.bin

As I am still new to OpenWrt, I experimented a lot and updated all opkg packages from LuCI (I didn't understand that this can cause trouble). After that there were issues with the UI, so I did firstboot -y (factory reset?) and then flashed 24.10.5, I think this file (or a faked version of that file):

https://downloads.openwrt.org/releases/24.10.5/targets/ramips/mt7621/openwrt-24.10.5-ramips-mt7621-asus_rt-ax53u-squashfs-sysupgrade.bin

Not very long after I installed that second one, my Instagram account was infiltrated.

All help or thoughts are appreciated.

Thank you.

Who exactly (names)?

  1. No, OpenWrt cannot break SSL/TLS
  2. No, OpenWrt cannot break SSL/TLS

You should hire professional forensics for all your devices where login tokens were kept. Including whether you knowingly loaded backdoored files from a non-OpenWrt site onto your router.

Just FYI, I am still a bit of a noob in these things, so that's why I am asking. I should have the ROM files on my computer (which is currently powered off for safety), so I guess it should be easy to check if I installed the originals.

Sorry, I am still in a bit of a panic as I am not sure whether this attack is going to continue and I will soon get an email that another profile has been logged into.

You were rude enough to blame OpenWrt, so your noobness is against you here.

Compare image checksums with official downloads

You need to seek "computer" help somewhere else,

especially on how to checksum a file without connecting anywhere.
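An offline check of the kind these replies describe, added here as an example and not code from this thread or from the OpenWrt project: it hashes a locally saved image with SHA-256 and compares it against the entry for that filename in a sha256sums manifest. OpenWrt publishes a file named sha256sums in the same release directory as the images linked above, with one line per image in the form `<hash> *<filename>`; that file is the manifest this script expects. The image files and manifest built by `demo_dir` are constructed test data so the script runs without any network access; `verify_image`, `sha256_of` and `expected_hash` are names chosen for this example.

```shell
#!/bin/sh
# Offline verification of a saved OpenWrt image against a sha256sums manifest.
# Added example; not the forum's or the OpenWrt project's code.
# Manifest lines look like:  <64 hex chars> *<image filename>

# Print the SHA-256 of a file using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# expected_hash <manifest> <filename>: the manifest's hash for that filename
# (a leading '*', which marks binary mode, is stripped before comparing names).
expected_hash() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$1"
}

# verify_image <manifest> <image>
#   returns 0: hash matches the manifest entry for this filename
#           1: hash differs (the file is not the one the manifest describes)
#           2: the filename is not listed in the manifest at all
verify_image() {
    manifest="$1"; image="$2"
    name=$(basename "$image")
    want=$(expected_hash "$manifest" "$name")
    [ -n "$want" ] || return 2
    have=$(sha256_of "$image")
    [ "$have" = "$want" ]
}

# Constructed demo data: a "good" image, a tampered copy with the same filename
# in another directory, an unlisted file, and a manifest covering only the good one.
# Prints the directory that holds them.
demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/original" "$d/tampered"
    printf 'constructed sample firmware contents\n' \
        > "$d/original/openwrt-demo-squashfs-sysupgrade.bin"
    printf 'constructed sample firmware contents, modified\n' \
        > "$d/tampered/openwrt-demo-squashfs-sysupgrade.bin"
    printf 'constructed file that no manifest lists\n' > "$d/original/unknown.bin"
    printf '%s *%s\n' "$(sha256_of "$d/original/openwrt-demo-squashfs-sysupgrade.bin")" \
        "openwrt-demo-squashfs-sysupgrade.bin" > "$d/sha256sums"
    echo "$d"
}

# Real use: sh verify.sh <path to sha256sums> <path to saved image>
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"; rc=$?
    case $rc in
        0) echo "OK: hash matches the manifest entry" ;;
        1) echo "MISMATCH: image differs from the manifest entry" ;;
        2) echo "UNLISTED: filename not present in the manifest" ;;
    esac
fi
```

Run it on a machine you trust, with the manifest copied over beforehand, so the check itself never has to go online; the release directory also carries signatures for the manifest (sha256sums.asc, sha256sums.sig) if you want to confirm the manifest itself before relying on it. A match only shows the saved file is the one the official site published; it says nothing about what happened on the phones or PCs afterwards.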

This has nothing to do with your router, no matter what firmware it runs. Unless you have installed CA certificates of unknown origin on your hacked device, the chances of breaking an encrypted TLS session are VERY low. At least in the wild; I'm not talking about academic studies. Flash LineageOS if your device supports it, or at least reflash it with the original firmware. And don't install all the sh...t you can find on the Play Market.