“Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China,” the Google-owned threat intel team said today.

Intrusions started with overly spammy emails

Mandiant, which described UNC4841 as an “aggressive and skilled” crew, said the intrusion started with emails sent to victim organizations. However, the spies didn’t want the victims to open the email. Instead they used generic subject and message content, poor grammar and placeholder values to make the email look like spam, get flagged by filters and sent straight to the junk folder, and then — hopefully — avoid a full investigation by security analysts.

Barracuda discovered a critical bug, tracked as CVE-2023-2868, in these appliances on May 19, we’re told, and pushed a patch to all affected products the following day.

At the time, it said miscreants had been abusing the flaw to run remote commands on targeted equipment, hijack them, and deploy data-stealing spyware on the boxes for at least seven months.

Last week, the vendor told customers to “immediately” replace infected kit, even if they had received a patch to fix the remote command injection vulnerability. And don’t worry about cost: Barracuda will give all compromised customers a new ESG device for free.

Meanwhile, Mandiant, which has been working with Barracuda to investigate the exploit used and the malware subsequently deployed, today identified a China-based threat group it tracks as UNC4841, and said the snoops targeted a “subset” of Barracuda ESG appliances across several regions and sectors.
