Filecatalyst — Cybercriminals

Using the MFT server as a jump box to infect other parts of the network.


Once a web shell is uploaded, the attacker has full control over the server and can execute arbitrary code.

CVE-2024-5276: SQL injection

Attackers used "directory traversal" to place files outside the intended folders.

Welcome to the fast lane of cybercrime, where high-speed transfer protocols are becoming the new weapon of choice for data exfiltration.

FileCatalyst is a proprietary high-speed file transfer protocol (FASP-like) designed for low-latency, high-throughput data movement over long-fat networks (LFNs). While its legitimate users include military, broadcasting, and large-scale enterprise sectors, recent threat intelligence indicates a growing trend of cybercriminals co-opting FileCatalyst servers or using stolen credentials to exfiltrate large datasets. This paper examines three vectors of criminal activity: (1) direct exploitation of unpatched FileCatalyst instances, (2) use of FileCatalyst as a living-off-the-land (LotL) transfer tool post-compromise, and (3) ransomware groups leveraging its speed to stage and steal data prior to encryption (double extortion). We conclude with detection and mitigation strategies for blue teams.

Furthermore, because FileCatalyst uses UDP, it bypasses many of the congestion control mechanisms of TCP that usually trigger network throttling or alerts during a flood.