#Roundcube
esdevelopment · 21 days ago
Text
Yesterday I found that Managesieve in Roundcube no longer works; no idea since when that has been the case. For many years I have been running my own mail server. #ChatGPT #Config #Google #Linux #Mailserver #Managesieve #PHP #Roundcube
2 notes · View notes
jochenhayek · 1 year ago
Text
the "recent" update of the "Roundcube Webmail" software (1.5.6) …
… gave me a little headache for a while. The new default “interface skin” “Elastic” only allowed “Widescreen” as the mailbox view layout, but I like the “Desktop” mailbox view better, and that’s only available with the other skins. “Desktop” has the mail preview below the list of mail messages. And for searches, or rather their matches, it shows the folders where the matching message lives. I find…
0 notes
recogiendofrutos · 1 year ago
Text
Roundcube has officially “merged” with Nextcloud
Heey, this interests me. I'm going to update to see how it is, although I'm reluctant to do it because of how complicated it is due to the update error I get haha
Recently the news came out that Nextcloud announced the incorporation of the Roundcube email client, which is good news for users of the Roundcube client, since with this…
0 notes
digitalcreationsllc · 2 years ago
Text
Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers
ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible. Matthieu Faou, 25 Oct 2023, 5 min. read. ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube…
0 notes
updatesinsider · 2 years ago
Text
Are you searching for a way to transfer Roundcube webmail to Gmail? Here is the best solution. #Roundcube #Webmail #Gmail #Google #Workspace #UpdatesInsider #UI
0 notes
hostitsmartcanada · 1 year ago
Text
Follow our detailed guide to learn the simple steps to change your time zone settings effortlessly in cPanel Roundcube Webmail.
0 notes
missrockyqo · 25 days ago
Note
I'm sure you get lots of questions abt it, but where do you even start when it comes to character modelling? I've tried a couple times and can't get any of the shapes I want.. especially not these much larger body shapes. How do you do that?
I started with Minecraft skins. Switched to Blockbench, made my sona immediately, used that for less than a month. Instead of going head first into Blender I spent a few months building up to my sona again in December 2023. Did my best and then moved onto new characters. Artfight in July 2024, I made 17 heads, and burned out halfway through. I was sick and tired, I wanted to make BODIES and for them to look GREAT.

Instead of just going with what's in my head, I found plus size models and artists I liked, I used references, I used my own body. I made test bodies that were to be changed and tweaked for a month until I was satisfied with the result. This spawned Nia and Roxanne 3.0 in August. Hips, bellies, boobs, asses, they jut out, they are weight, they sag. Legs need space between them. These were details I tried to beat a subdivided cube into. But you need more than that.

I always start from scratch, with a mirror modifier. I scale and extrude from a cube to the rough outline of my reference. For wider hips I extrude the sides of the lower half, move vertices in shape. This gives me space to extrude something for the pubic area. For big bellies and butts I extrude and then by each vertex I round them off. For boobs, I prefer to merge roundcubes to the chest. A lot of it is playing around with the exact shape until you like it, or it fits the reference. Finally, I do baked in lighting and shading on my texture, which really carries it to the end.

When I started on Sybil last December, it took me 4 tries from scratch to get her body right. Each time I looked for more references for help. Until I distilled the pancake/fat fold into as simple a shape as possible and added stripes to her texture where they were needed. There is a lot of overlap in her mesh, I think it's inevitable when you're trying to do this sort of thing, otherwise stuff looks like it's floating, or weirdly avoiding contact.
This might be too long, but I hope it helps 💖 Also, if you are doing low poly, check out Voxid's tutorials, just a solid guide to help you on all aspects of the process.
7 notes · View notes
phyllali · 1 year ago
Text
I'm squareball
and I'm roundcube
the shapes brothers
12 notes · View notes
cyber-sec · 1 day ago
Text
Exploited Vulnerability Impacts Over 80,000 Roundcube Servers
Source: https://www.securityweek.com/exploited-vulnerability-impacts-over-80000-roundcube-servers/
More info: https://fearsoff.org/research/roundcube
2 notes · View notes
ericvanderburg · 10 months ago
Text
Critical XSS bug in Roundcube Webmail allows attackers to steal emails and sensitive data
http://i.securitythinkingcap.com/TBdVkx
2 notes · View notes
ctybnnvietnam · 1 year ago
Text
Webmail is a type of email application built on a web platform that lets users access the mail server to send and receive electronic mail quickly. With the ability to manage, process, receive and send mail online, Webmail can be accessed from many different kinds of devices.
2 notes · View notes
fernand0 · 1 day ago
Link
0 notes
cleverhottubmiracle · 26 days ago
Link
This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts.

Key points of this blogpost:
- In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.
- In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
- For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1.
- Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
- We provide an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. These payloads are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.

Sednit profile
The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004. The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections and linked the group to the GRU. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents. Sednit has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016.
Links to Sednit
On September 29th, 2023, we detected a spearphishing email, part of Operation RoundPress, sent from katecohen1984@portugalmail[.]pt (envelope-from address). The email exploited CVE‑2023‑43770 in Roundcube. This email address is very similar to the ones used in other Sednit campaigns in 2023, as documented by Unit42 for example. Leveraging a network scan we ran in February 2022, we found the server 45.138.87[.]250 / ceriossl[.]info, which was configured in the same unique way as 77.243.181[.]238 / global-world-news[.]net. The former was mentioned in a Qianxin blogpost describing a campaign abusing CVE-2023-23397 that attributed it to Sednit. The latter is a domain used in Operation RoundPress in 2023. Given these two elements, we believe with medium confidence that Operation RoundPress is carried out by Sednit.

Victimology
Table 1 and Figure 1 detail targets of Operation RoundPress in 2024, from ESET telemetry and two samples on VirusTotal. Most of the targets are related to the current war in Ukraine; they are either Ukrainian governmental entities or defense companies in Bulgaria and Romania. Notably, some of these defense companies are producing Soviet-era weapons to be sent to Ukraine. Other targets include African, EU, and South American governments.

Table 1. Operation RoundPress victims in 2024
Date | Country | Sector
2024-05 | Greece | National government.
2024-05 | Romania | Unknown (VirusTotal submission).
2024-05 | Ukraine | Specialized Prosecutor’s Office in the Field of Defense of the Western Region (VirusTotal submission).
2024-06 | Bulgaria | Telecommunications for the defense sector.
2024-06 | Cameroon | National government.
2024-06 | Ukraine | Military.
2024-07 | Ecuador | Military.
2024-07 | Ukraine | Regional government.
2024-07 | Serbia | National government.
2024-09 | Cyprus | An academic in environmental studies.
2024-09 | Romania | Defense company.
2024-09 | Ukraine | Military.
2024-10 | Bulgaria | Defense company.
2024-11 | Bulgaria | Defense company (not the same as in 2024-10).
2024-11 | Ukraine | Civil air transport company. Defense company.
2024-12 | Ukraine | State company in the transportation sector.

Figure 1. Map of operation RoundPress victims in 2024

Compromise chain
Initial access
In 2023, Sednit was exploiting CVE-2020-35730, a known XSS vulnerability in Roundcube (see this CERT-UA blogpost and this Recorded Future report), which enables the loading of arbitrary JavaScript code in the context of the webmail window. In 2024, we observed different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Sednit also started to use a more recent vulnerability in Roundcube, CVE-2023-43770. The MDaemon vulnerability (CVE-2024-11182, now patched) was a zero day, most likely discovered by Sednit, while the ones for Horde, Roundcube, and Zimbra were already known and patched.

Sednit sends these XSS exploits by email. The exploits lead to the execution of malicious JavaScript code in the context of the webmail client web page running in a browser window. Therefore, only data accessible from the victim’s account can be read and exfiltrated. Note that, in order for the exploit to work, the target must be convinced to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering and the subject line needs to be convincing enough to entice the target into reading the email message. Figure 2 summarizes the compromise chain used in Operation RoundPress.

Figure 2. Operation RoundPress compromise chain

Generally, the email message looks benign and contains text about news events. For example, on September 11th, 2024, a Ukrainian target received a phishing email from kyivinfo24@ukr[.]net with the subject СБУ схопила банкіра, який працював на ворожу воєнну розвідку в Харкові (machine translation: SBU arrested a banker who worked for enemy military intelligence in Kharkiv). The message body – see Figure 3 – contains excerpts (in Ukrainian) and links to articles from Kyiv Post, a well-known newspaper in Ukraine.
The malicious code that triggers the XSS vulnerability is inside the HTML code of the email message’s body and is not directly visible to the user.

Figure 3. Malicious email message sent by Sednit

Another example is an email from office@terembg[.]com to a Bulgarian target on November 8th, 2024, with the subject Путин се стреми Тръмп да приеме руските условия вдвустранните отношения (machine translation: Putin seeks Trump’s acceptance of Russian conditions in bilateral relations). The message body – see Figure 4 – again contains excerpts (in Bulgarian) and links to articles from News.bg, a legitimate Bulgarian newspaper.

Figure 4. Another malicious email sent by Sednit

Note that some of these vulnerabilities are not of interest exclusively to this group: GreenCube (also known as UNC3707) and Winter Vivern have been exploiting them as well.

Horde: Unknown exploit
For targets using Horde webmail, we have seen Sednit using an old vulnerability. We were unable to find the exact vulnerability, but it appears to be an XSS flaw that was already fixed in the first version of Xss.php committed to GitHub, and in Horde Webmail 1.0, which was released in 2007. The intended exploit used by Sednit is shown in Figure 5. Placing malicious JavaScript code in the onerror attribute of an img element is a technique taken straight from the XSS playbook: because the src attribute is x, an undefined value, onerror is called and the payload is base64 decoded and then evaluated using window.parent.eval.

Figure 5. Horde webmail exploit

In Horde Webmail version 1.0, the XSS filter removes the style elements and the on* attributes, such as onerror. Thus, we believe that Sednit made a mistake and tried to use a nonworking exploit.

MDaemon: CVE-2024-11182
On November 1st, 2024, we detected an email message sent to two Ukrainian state-owned defense companies and a Ukrainian civil air transport company.
This message exploited a zero-day XSS vulnerability in MDaemon Email Server, in the rendering of untrusted HTML code in email messages. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1, which was released on November 14th, 2024; we then issued CVE-2024-11182 for it. The exploit used by Sednit is shown in Figure 6. Just as for Horde, it relies on a specially crafted img element, but uses a bug in the MDaemon HTML parser where a noembed end tag inserted within the title attribute of a p element tricks the parser into rendering the immediately succeeding img tag.

Figure 6. Exploit for CVE-2024-11182 in MDaemon

Roundcube: CVE-2023-43770
For targets using Roundcube webmail: in 2023, Sednit used the XSS vulnerability CVE‑2020‑35730, while in 2024, it switched to CVE-2023-43770. The more recent vulnerability was patched on September 14th, 2023 in this GitHub commit. The fix is in a regex in the rcube_string_replacer.php script. The exploit used by Sednit is quite simple and is depicted in Figure 7.

Figure 7. Exploit for CVE-2023-43770 in Roundcube

In rcube_string_replacer.php, URLs are converted to hyperlinks, and the hyperlink text is what is expected to be provided between the outer set of square brackets. The bug lies in the fact that the hyperlink text is not properly sanitized, allowing the characters . This enables an attacker to provide JavaScript code contained between and , which is directly added to the page when the email is rendered in Roundcube.

Zimbra: CVE-2024-27443 / ZBUG-3730
For Zimbra, Sednit uses CVE-2024-27443 (also tracked as ZBUG-3730). It was patched on March 1st, 2024 in this GitHub commit, in the ZmInviteMsgView.js file. The vulnerability lies in failing to sanitize the cif (calendar intended for) attribute, in a calendar invitation sent by email. The cif attribute is populated from the email header X-Zimbra-Calendar-Intended-For.
Before the patch, the value was directly added to the Zimbra HTML page without sanitization. This allowed the execution of malicious JavaScript code in the context of the webmail browser window. The exploit code that we found in this header is the following:
Zimbra Calendar

The beautified code contained in the onerror attribute is:
window['eval'](window[(function(jvqka){'atob'()](frames[0].document.getElementById('a-cashed-skinLayout2')['innerText']))

Basically, this reads the text contained in a div element, identified by ID a-cashed-skinLayout2, that is present in the body of the calendar invite. This div element uses the style attribute with the value display:none so that it is not visible to the target. The inner text contains base64-encoded JavaScript code that is run using eval.

Persistence
The JavaScript payloads (SpyPress) loaded by the XSS vulnerabilities don’t have true persistence, but they are reloaded every time the victim opens the malicious email. In addition, we detected a few SpyPress.ROUNDCUBE payloads that have the ability to create Sieve rules. SpyPress.ROUNDCUBE creates a rule that will send a copy of every incoming email to an attacker-controlled email address. Sieve rules are a feature of Roundcube and therefore the rule will be executed even if the malicious script is no longer running.

Credential access
All SpyPress payloads have the ability to steal webmail credentials by trying to trick the browser or password manager to fill webmail credentials into a hidden form. In addition, some samples also try to trick the victim by logging them out of their webmail account and displaying a fake login page.

Collection and exfiltration
Most SpyPress payloads collect email messages and contact information from the victim’s mailbox. The data is then exfiltrated via an HTTP POST request to a hardcoded C&C server.
Toolset
In 2024, we have observed Sednit using four payloads in Operation RoundPress: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. They are injected into the victims’ webmail context using XSS vulnerabilities, as explained above.

The four payloads have common characteristics. All are similarly obfuscated, with variable and function names replaced with random-looking strings – see Figure 8. Furthermore, strings used by the code, such as webmail and C&C server URLs, are also obfuscated and contained in an encrypted list. Each of those strings is only decrypted when it is used. Note that the variable and function names are randomized for each sample, so the final SpyPress payloads will have different hashes.

Figure 8. Obfuscation of the JavaScript code

Another common characteristic is that there are no persistence or update mechanisms. The payload is fully contained in the email and only executed when the email message is viewed from a vulnerable webmail instance. Finally, all payloads communicate with their hardcoded C&C servers via HTTP POST requests. There is a small number of C&C servers that are shared by all payloads (there is no separation by victim or payload type).

SpyPress.HORDE
SpyPress.HORDE is the JavaScript payload injected into vulnerable Horde webmail instances. Once deobfuscated, and functions and variables are manually renamed, it reveals its main functionality: collecting and exfiltrating user credentials.

Capabilities
To steal credentials, as shown in Figure 9, SpyPress.HORDE creates two HTML input elements: horde_user and horde_pass. Their width and opacity are set to 0%, ensuring that they are not visible to the user. The goal is to trick browsers and password managers into filling those values. Note that a callback for the change event is created on the input horde_pass. This calls the function input_password_on_change as soon as the input element loses focus after its value is changed.

Figure 9. SpyPress.HORDE credential stealer

Then, input_password_on_change exfiltrates the data by calling C2_POST_Request, as can be seen in Figure 10.

Network protocol
The C&C URL is hardcoded in the script (see Figure 10) and the exfiltration is done via an HTTPS POST request. The body data has a specific format that is sent base64 encoded. For example, bWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk decodes to:
me@victim.org :: px

myusername mypassword
where px probably means password exfiltration. Note that the HTTP request is made by the victim’s browser, so HTTP headers such as the User-Agent will vary from victim to victim.

Figure 10. SpyPress.HORDE data exfiltration

SpyPress.MDAEMON
SpyPress.MDAEMON is a JavaScript payload injected into vulnerable MDaemon webmail instances. Once deobfuscated, it reveals more functionality than what was implemented in SpyPress.HORDE: credential stealing (very similar to the SpyPress.HORDE implementation), exfiltration of contacts and login history, exfiltration of email messages, exfiltration of the two-factor authentication secret, and creation of an App Password, which enables attackers to access the mailbox from a mail application and to bypass 2FA protection.

Capabilities
Credential stealer
The credential stealer of SpyPress.MDAEMON is almost identical to that of SpyPress.HORDE – see Figure 11. The only difference is the name of the input fields, which are User and Password, to match the official names used in the MDaemon software.

Figure 11. SpyPress.MDAEMON credential stealer

Contacts and login history
SpyPress.MDAEMON obtains the victim’s login history from https:///WorldClient.dll?Session=&View=Options-Authentication&GetLoginHistory=Yes, and exfiltrates the content to the hardcoded C&C server. It uses the same function used in the credential stealer part to send an HTTP POST request to the C&C server, but instead of px, it uses ab as the message type.
Then, as shown in Figure 12, the script obtains the victim’s contact list from https:///WorldClient.dll?Session=&View=Contacts. This list, and the associated email addresses (in the eml JavaScript property), are then exfiltrated to the C&C server.

Figure 12. Exfiltration of login history and contacts

Email message exfiltration
SpyPress.MDAEMON browses the victim’s mailbox folders, as shown in Figure 13, and filters out a hardcoded list of folders the attackers are not interested in: calendar, notes, documents, contacts, tasks, allowed senders, and blocked senders.

Figure 13. SpyPress.MDAEMON browses the victim’s mailbox folders

Then, for each folder, as shown in Figure 14, SpyPress.MDAEMON iterates over the pages and then over all messages in each page, before exfiltrating each email to the C&C server. To get a list of email messages in a given folder page, SpyPress.MDAEMON fetches https:///WorldClient.dll?Session=&View=List&ReturnJavaScript=1&FolderID=&Sort=RevDate&Page=&UTF8=1. Then, it iterates over this list and fetches https:///WorldClient.dll?Session=& View=Message&Source=Yes&Number=&FolderId= to get the source of each email. Finally, the email source is exfiltrated via an HTTP POST request to the C&C server, using the message type mail--. An HTTP POST request is made for each exfiltrated email, and thus it will create a large amount of network traffic. Note that the script maintains a list of exfiltrated emails, thereby avoiding exfiltrating them several times.

Figure 14. SpyPress.MDAEMON exfiltrates all emails

Also note that the obfuscator seems to have introduced errors in the script. In the function download_all_messages_from_folder, is_folder_limit is a real variable name that was left unobfuscated. However, it is not used anywhere in the code.

Two-factor authentication secret
SpyPress.MDAEMON exfiltrates the victim’s two-factor authentication secret – see Figure 15.
It first fetches https:///WorldClient.dll?Session=&View=Options-Authentication&TwoFactorAuth=Yes&GetSecret=Yes to get the secret, and then sends it to the C&C server, using the message type 2fa. To view the secret, the password is required, which SpyPress.MDAEMON gets from the fake login form it created. This secret is equivalent to the QR code mentioned in MDaemon documentation and it can be used to register the account in an authentication app, to then generate a valid 2FA code for the victim’s account. Because SpyPress.MDAEMON acquires the password and the 2FA secret, attackers will be able to log into the account directly.

Figure 15. SpyPress.MDAEMON exfiltrates the 2FA secret

App Password creation
In addition to stealing the 2FA secret, SpyPress.MDAEMON creates an App Password (see the documentation). This password can be used in an email client to send and receive messages, without having to enter the 2FA code, even if 2FA is activated for the account. Note that MDaemon webmail doesn’t seem to require a 2FA code to generate a new application password. As shown in Figure 16, SpyPress.MDAEMON fetches https:///WorldClient.dll?Session=&View=Options-Authentication&CreateAppPassword=1s to create a new application password. The reply is this password, which is exfiltrated to the C&C server with the message type create-app. In other words, this application password enables attackers to add the email account directly to their own email client. They can thereby keep access to the mailbox even if the main password of the victim’s account is changed or if the 2FA code is changed.

Figure 16. SpyPress.MDAEMON creates an application password

Network protocol
SpyPress.MDAEMON uses the same network protocol as SpyPress.HORDE.

SpyPress.ROUNDCUBE
SpyPress.ROUNDCUBE is the JavaScript payload injected into vulnerable Roundcube webmail instances.
Once deobfuscated, it reveals similar functionalities to what is implemented in SpyPress.MDAEMON: credential stealing, exfiltration of the address book and the about page, exfiltration of emails, and malicious Sieve rules.

Capabilities
Credential stealer
The credential stealer of SpyPress.ROUNDCUBE has two features. The first one is almost identical to the credential stealer of SpyPress.HORDE and SpyPress.MDAEMON. The only difference is the name of the input fields, which are _user and _pass, to match the official names used in the Roundcube software.

The second feature is slightly more intrusive. SpyPress.ROUNDCUBE creates an iframe, as shown in Figure 17, with the src attribute set to https:///?_task=logout&_token=. This logs the victim out, forcing them to reenter their credentials. SpyPress.ROUNDCUBE adds a callback on the submit button of the genuine login form. Finally, the credentials are exfiltrated to the hardcoded C&C server using the message type pax-fish.

Figure 17. SpyPress.ROUNDCUBE creates an iframe to log out the victim

Note that the CSRF token is retrieved from the variable rcmail.env.request_token. The rcmail global variable is managed and filled by the Roundcube instance, and accessible in the JavaScript context that SpyPress.ROUNDCUBE is running in.

Exfiltration of the address book and the about page
SpyPress.ROUNDCUBE fetches the address book at https:///?_task=addressbook&_source=0&_action=export&&_token= and sends the raw output to the C&C server. Similarly, SpyPress.ROUNDCUBE fetches the about page at https:///?_task=settings&_framed=1&_action=about and sends the raw output to the C&C server. That page contains information about the Roundcube version and the plugins installed, as shown in Figure 18.

Figure 18. Example of Roundcube about page

Email message exfiltration
SpyPress.ROUNDCUBE starts the email exfiltration routine every 7,200 seconds (two hours). First, it gets the list of mailboxes from the global variable rcmail.env.mailboxes.
Then, it iterates over all those mailboxes; for each of them, it iterates over the pages to get the email message IDs by fetching https:///?_task=mail&_action=list&_mbox=&_refresh=1&_remote=1&_page=. Note that SpyPress.ROUNDCUBE adds the HTTP header X-Roundcube-Request, which contains the CSRF token. Also note that there is a lower bound time hardcoded in the script, 6:02:03 am, October 1st, 2024 in the specific script sample we analyzed, and only emails more recent than this are exfiltrated.

The source of each email message is fetched from https:///?_task=mail&_mbox=&_uid=&_action=viewsource and then exfiltrated to the C&C server. Note that if SpyPress.ROUNDCUBE has exfiltrated more than 150 emails in a row, it stops the exfiltration until the next execution of the email exfiltration routine (two hours later). This is probably done to limit the noise on the victim’s network and avoid detection.

Malicious Sieve rules
In some SpyPress.ROUNDCUBE samples, there is additional functionality related to Sieve rules – see Figure 19. SpyPress.ROUNDCUBE creates a rule that sends a copy of every incoming email message to an attacker-controlled email address (srezoska@skiff[.]com in this case). Skiff was a privacy-oriented email service that provided end-to-end encryption.

Figure 19. SpyPress.ROUNDCUBE creates a malicious Sieve rule

Network protocol
SpyPress.ROUNDCUBE uses the same network protocol as SpyPress.HORDE.

SpyPress.ZIMBRA
SpyPress.ZIMBRA is the JavaScript payload injected into vulnerable Zimbra webmail instances. Once deobfuscated, it reveals similar functionalities to the previous payloads: credential stealing, exfiltration of contacts and settings, and exfiltration of email messages.

Capabilities
Credential stealer
The credential stealer of SpyPress.ZIMBRA is almost identical to those of SpyPress.HORDE and SpyPress.MDAEMON. The only difference is the name of the input fields, which are username and password, to match the official names used in the Zimbra software.
Exfiltration of contacts and settings
SpyPress.ZIMBRA fetches the victim’s contact list by making a SOAP request to the Zimbra API endpoint https:///service/soap/SearchRequest. As shown in Figure 20, the search query is contained in a dictionary that is sent to the Zimbra server in the body of a POST request. Finally, SpyPress.ZIMBRA exfiltrates the raw output to the C&C server.

Figure 20. SpyPress.ZIMBRA gets the victim’s contact list

SpyPress.ZIMBRA also exfiltrates to the C&C server the content of the global variable ZmSetting, which contains various configuration and preference values. This is similar to SpyPress.ROUNDCUBE, which exfiltrates the about page.

Email exfiltration
Every 14,400 seconds (four hours), using the setInterval function, this payload starts its email exfiltration routine. As for the previous payloads, SpyPress.ZIMBRA first lists the folders, then iterates over the first 80 emails in each folder via a SOAP request to https:///service/soap/SearchRequest. For each message, the script fetches the source at https:///service/home/~/?auth=co&view=text&id= and then exfiltrates the email message source – see Figure 21.

Figure 21. SpyPress.ZIMBRA exfiltrates email messages

Network protocol
SpyPress.ZIMBRA uses the same network protocol as SpyPress.HORDE.

Conclusion
Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern. Because many organizations don’t keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected]. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
89.44.9[.]74 hijx[.]xyz M247 Europe SRL 2024‑07‑05 SpyPress C&C server. 111.90.151[.]167 ikses[.]net Shinjiru Technology Sdn Bhd 2024‑12‑01 SpyPress C&C server. MITRE ATT&CK techniques This table was built using version 17 of the MITRE ATT&CK framework. Tactic ID Name Description Resource Development T1583.001 Acquire Infrastructure: Domains Sednit bought domains at various registrars. T1583.004 Acquire Infrastructure: Server Sednit rented servers at M247 and other hosting providers. T1587.004 Develop Capabilities: Exploits Sednit developed (or acquired) XSS exploits for Roundcube, Zimbra, Horde, and MDaemon. T1587.001 Develop Capabilities: Malware Sednit developed JavaScript stealers (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) to steal data from webmail servers. Initial Access T1190 Exploit Public-Facing Application Sednit exploited known and zero-day vulnerabilities in webmail software to execute JavaScript code in the context of the victim’s webmail window. Execution T1203 Exploitation for Client Execution SpyPress payloads are executed when a victim opens the malicious email in a vulnerable webmail client page. Defense Evasion T1027 Obfuscated Files or Information SpyPress payloads are obfuscated with an unknown JavaScript obfuscator. Credential Access T1187 Forced Authentication SpyPress payloads can log out users to entice them into entering their credentials in a fake login form. T1556.006 Modify Authentication Process: Multi-Factor Authentication SpyPress.MDAEMON can steal the 2FA token and create an application password. Discovery T1087.003 Account Discovery: Email Account SpyPress payloads get information about the email account, such as the contact list. Collection T1056.003 Input Capture: Web Portal Capture SpyPress payloads try to steal webmail credentials by creating a hidden login form, to trick the browser and password managers into filling the credentials. 
T1119 Automated Collection SpyPress payloads automatically collect credentials and email messages. T1114.002 Email Collection: Remote Email Collection SpyPress payloads collect and exfiltrate emails, from the victim’s mailbox. T1114.003 Email Collection: Email Forwarding Rule SpyPress.MDAEMON adds a Sieve rule to forward any incoming email to an attacker-controlled email address. Command and Control T1071.001 Application Layer Protocol: Web Protocols C&C communication is done via HTTPS. T1071.003 Application Layer Protocol: Mail Protocols In case of email forwarding rules, the exfiltration is done via email. T1132.001 Data Encoding: Standard Encoding Data is base64 encoded before being sent to the C&C server. Exfiltration T1020 Automated Exfiltration SpyPress payloads automatically exfiltrate credentials and email messages to the C&C server. T1041 Exfiltration Over C2 Channel SpyPress payloads exfiltrate data over the C&C channel. [ad_2] Source link
harshublogtravel · 2 months ago
Palolem Beach in South Goa is known for its serene beauty, calm waters, and relaxed vibe. If you're looking for a peaceful escape by the beach, here are some of the best resorts in Palolem Beach across different budgets. Let's discuss the best resorts in Palolem Beach.
🌟 Luxury & Premium Resorts
1. Art Resort Goa
🎨 Boutique beachfront resort with artistic decor
🏖️ Sea-facing cottages with balconies
🍽️ In-house café and yoga sessions available
2. The LaLiT Golf & Spa Resort (near Palolem)
🏰 Just a short drive from Palolem, offering luxury on a grand scale
🏌️‍♂️ Golf course, spa, and multiple dining options
🌴 Private beach access and large suites
3. Palolem Beach Resort
🛖 Premium beach huts and cottages with garden or sea views
🍴 In-house restaurant and Ayurvedic massage services
👨‍👩‍👧‍👦 Great for families and couples alike
💼 Mid-Range Resorts
4. Marron Sea View Resort
🏝️ Sea-facing wooden cottages right on the beach
🌅 Perfect for sunset views from your balcony
🍽️ Great food and warm hospitality
5. Bhakti Kutir
🌿 Eco-friendly resort surrounded by nature
🛖 Rustic cottages with a peaceful vibe
🧘‍♀️ Yoga, Ayurveda, and organic food
6. Ciarans
🏠 Stylish beach huts and rooms with modern touches
🌊 Located right on the beach with a trendy café-bar
🧑‍🤝‍🧑 Ideal for couples or solo travelers
💰 Budget-Friendly Resorts
7. Cozy Nook
🛖 Budget huts just steps from the beach
🌴 Laid-back atmosphere with hammocks and a beachfront café
🧘‍♂️ Great for backpackers and relaxed travelers
8. Dreamcatcher Resort
🌿 Located slightly off the beach on the riverbank side
🛖 Unique and peaceful setting with yoga and holistic therapies
🍽️ Vegetarian café and artistic vibes
9. Roundcube Beach Bungalows
🏝️ Basic beach huts at a great price
🚶‍♂️ Located right on Palolem Beach
🍽️ Attached restaurant and easy access to nightlife
✅ Conclusion
Palolem Beach offers a variety of resorts, from luxurious beachfront escapes to simple eco-huts under the palm trees. Whether you’re a couple seeking romance, a family looking for comfort, or a backpacker chasing calm vibes, there’s a perfect spot for you at Palolem! 🌊🌴
I hope this blog about the best resorts in Palolem will be helpful for you.
indiaartndesign · 2 months ago
Textures, Tones & Clever Transforms| Studio RoundCube
Using mindful design to make limited space feel inclusive, Studio RoundCube maximises space without compromising comfort in a compact Mumbai home. This quiet, contemporary narrative has every design decision leaning into functionality, flow, and a tactile sense of calm. With space at a premium, the layout is stripped of excess and layered instead with warmth and intuitive design solutions. A story that shares ideas worth visiting.  https://www.indiaartndesign.com/textures-tones-clever-transforms-roundcube-designs/
hiliasretreat · 2 months ago
From Budget to Luxury: The Ultimate Guide to Staying in Palolem Beach
Palolem Beach, located in the southern part of Goa, is a tropical paradise known for its pristine waters, golden sands, and swaying palm trees. Unlike the crowded beaches of North Goa, Palolem offers a more relaxed and serene experience. Whether you're a backpacker traveling on a shoestring budget, a mid-range traveler seeking comfort, or a luxury seeker looking for the finest stay, Palolem has something for everyone. This guide will help you explore the best hotels in Palolem Beach, Goa, across different budgets and ensure a memorable stay in this slice of paradise.
Why Stay at Palolem Beach?
Palolem Beach isn’t just about beautiful scenery; it’s a complete experience. Here’s why it should be on your travel list:
Breathtaking Views: The crescent-shaped shoreline offers some of the most picturesque sunsets in Goa.
Peaceful Atmosphere: Unlike the crowded beaches up north, Palolem is a tranquil retreat.
Plenty of Activities: Enjoy kayaking, dolphin watching, yoga retreats, and vibrant nightlife.
Diverse Accommodation Options: From budget-friendly beach huts to luxury villas, there's a perfect stay for every traveler.
Budget-Friendly Stays: Affordable Yet Comfortable
If you are a backpacker or traveling on a limited budget, don’t worry! Palolem has plenty of affordable accommodations that offer comfort without burning a hole in your pocket.
1. Backpacker Hostels
For solo travelers and adventure seekers, hostels provide an economical yet fun option to stay.
Summer by Hostelcrowd: A social atmosphere with clean dormitories and friendly staff.
Hilias Retreat Resort: Ideal for digital nomads and backpackers looking to meet like-minded travelers.
Dreamcatcher Hostel: A vibrant place with a mix of dorms and private rooms.
2. Budget Beach Huts & Guesthouses
A budget trip to Palolem is incomplete without staying in one of the traditional beach huts.
Hilias Retreat Resort: Located right on the shore, these simple huts offer a fantastic view of the sea.
Crystal Goa Palolem: A mix of guesthouse rooms and budget cottages with great hospitality.
Brendon’s Beach Hut: A family-run stay offering homely vibes with basic amenities.
Mid-Range Accommodations: Comfort Meets Affordability
For travelers looking for a bit more comfort while staying within a reasonable budget, mid-range hotels near Palolem Beach provide great value for money.
3. Boutique Hotels & Beach Cottages
These accommodations offer modern amenities with an authentic Goan vibe.
Palolem Beach Resort: A well-maintained property with beachfront cottages and a cozy ambiance.
Hilias Retreat: A peaceful stay offering clean, comfortable rooms just a short walk from the beach.
Roundcube Beach Bungalows: Spacious rooms with attached bathrooms and sea views.
4. Eco-Friendly Resorts
For travelers conscious about sustainability, eco-friendly resorts in Palolem provide a great stay while minimizing the environmental impact.
Hilias Retreat Resort: An artistic retreat offering handmade furniture and an organic restaurant.
Palm Forest Palolem: A stylish eco-retreat surrounded by lush greenery, perfect for nature lovers.
The Nest: A small eco-friendly resort with rustic cottages and an Ayurvedic spa.
Luxury Resorts: Indulgence at Its Best
For those looking to splurge on a lavish experience, Palolem has a handful of luxury accommodations that redefine beachside comfort.
5. Premium Beachfront Resorts
The Lalit Golf & Spa Resort Goa: A 5-star property offering world-class amenities, golf courses, and direct beach access.
Hilias Retreat Resort: A stylish boutique stay known for its personalized service and premium beachfront huts.
La La Land Resort: A luxurious wellness retreat surrounded by tropical gardens with spa services.
How to Choose the Right Stay?
With so many options available, selecting the right accommodation depends on your travel style, budget, and preferences. Here are a few tips:
Book in Advance: Especially if you’re traveling during peak season (November to March), book early to get the best prices.
Consider Your Priorities: Do you want a beachfront location, a quiet retreat, or a vibrant social stay? Choose accordingly.
Check Online Reviews: Read guest reviews on TripAdvisor, Booking.com, or Google to get genuine feedback.
Look for Essential Amenities: Wi-Fi, hot showers, and air conditioning may not be available everywhere, so confirm before booking.
Explore Package Deals: Some resorts offer yoga, spa, or adventure packages at discounted rates.
Best Time to Visit Palolem Beach
The best time to visit Palolem Beach is between November and March, when the weather is pleasant and all beach shacks, restaurants, and water activities are operational. Avoid the monsoon season (June to September) as most accommodations close down due to heavy rains.
Final Thoughts: Which Stay is Best for You?
Whether you're on a budget or seeking luxury, Palolem Beach has an ideal stay for every kind of traveler. Budget travelers can enjoy the social vibe of hostels and beach huts, mid-range travelers can relish the comfort of boutique hotels, and luxury seekers can indulge in high-end beachfront resorts.
So, are you ready to find your perfect stay in Palolem Beach? Book your accommodation, pack your bags, and get ready to experience a tropical paradise like never before!