Threat Analysis: Attackers Targeting FileCatalyst Deployments

Executive Summary
FileCatalyst is a high-speed file transfer product widely used in media, entertainment, and enterprise environments to move large assets. Because these servers often sit at the network edge and handle high-value intellectual property, they have become a prime target. Recent threat intelligence indicates that attackers are shifting focus from generic web servers to specialised file-transfer appliances, as seen in the campaigns against Accellion FTA and MOVEit. They are actively scanning for exposed FileCatalyst web interfaces and exploiting misconfigurations, unpatched legacy vulnerabilities, and weak authentication to exfiltrate sensitive data.
1. Attacker Profile and Motivation
Attackers targeting FileCatalyst typically fall into three categories:
Ransomware Actors (Double Extortion): Attackers gain access to steal data before encrypting systems. The stolen files (e.g., unreleased footage, engineering blueprints) are then used as leverage for extortion.
Cyber Espionage (APT Groups): Advanced Persistent Threat groups target specific organisations (media, government, manufacturing) to intercept confidential files in transit.
Opportunistic Botnets: Automated scanners look for exposed management portals in order to enlist the server into botnets for DDoS attacks or cryptomining.
2. Common Attack Vectors

A. Exploitation of Legacy Vulnerabilities
Attackers actively scan for FileCatalyst instances running outdated versions (specifically FileCatalyst Direct and older Webmail versions).
CVE-2020-25200: A path traversal vulnerability in FileCatalyst Workflow that allowed attackers to read arbitrary files from the server. It is typically used to pull configuration files and the passwords stored in them.
CVE-2020-25201: An authentication bypass allowing unauthorised administrative access.
Mechanism: Attackers use tools such as Nuclei or Shodan to identify servers whose reported version numbers fall in the range affected by these issues.
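The defensive counterpart to that scanning is to triage your own inventory the same way. The script below is an added example, not code from the original page or from FileCatalyst itself: it parses a product name and version out of a banner string and classifies each host against a patched baseline. The banner format, the host names and the baseline versions are all assumptions for illustration; take the real fixed versions from the vendor advisory for the CVE you are triaging. The one point the example makes that the text does not is that versions must be compared as integer tuples, because as strings "5.1.10" sorts below "5.1.6" and "3.8.9" above "3.8.10".

```python
import re

# Assumed patched baselines per product. These are NOT values from the page or
# the vendor; replace them with the fixed version named in the advisory.
PATCHED_BASELINE = {"Workflow": "5.1.6", "Direct": "3.8.10"}

# Constructed inventory rows (host, banner). The banner string layout is an
# assumption for illustration, not FileCatalyst's real version header.
INVENTORY = [
    ("media-xfer-01.example", "FileCatalyst Workflow 5.1.6"),
    ("media-xfer-02.example", "FileCatalyst Workflow 5.1.10"),
    ("edge-ftp.example",      "FileCatalyst Direct v3.8.9"),
    ("legacy.example",        "FileCatalyst Workflow 4.9.2"),
    ("web-01.example",        "nginx/1.18.0"),
]

_BANNER_RE = re.compile(
    r"FileCatalyst\s+(?P<product>\w+)\s+v?(?P<version>\d+(?:\.\d+)*)"
)


def parse_version(text):
    """'5.1.10' -> (5, 1, 10).

    Integer tuples compare numerically. Plain string comparison would rank
    '5.1.10' below '5.1.6' and '3.8.9' above '3.8.10', which is backwards.
    """
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """Return (product, version_tuple), or None if the banner is not FileCatalyst."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return m.group("product"), parse_version(m.group("version"))


def triage(inventory, baselines=PATCHED_BASELINE):
    """Classify every host as 'vulnerable', 'patched' or 'unknown'.

    'unknown' covers hosts that are not FileCatalyst, hide their banner, or
    run a product we have no baseline for; those need manual follow-up rather
    than silent acceptance.
    """
    results = {}
    for host, banner in inventory:
        parsed = parse_banner(banner)
        if parsed is None or parsed[0] not in baselines:
            results[host] = "unknown"
            continue
        product, version = parsed
        fixed = parse_version(baselines[product])
        results[host] = "vulnerable" if version < fixed else "patched"
    return results


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:24} {status}")
```

Feed it the `hostname`/banner columns of a Shodan or Nuclei export and treat every "unknown" as a host to fingerprint by hand; an appliance that hides its version is not evidence that it is patched.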
B. Default Credential Abuse
Many compromises happen because the credentials the product shipped with were never changed.
Target: The FileCatalyst Management Console (admin interface).
Attack: Attackers attempt to log in with default username/password combinations (commonly admin/admin or admin/password). Once inside, they can create new user accounts or modify workflows to redirect files to locations they control.
C. Exposed Administrative Interfaces
FileCatalyst requires a management port (often 8080, 8443, or a port in the 24000+ range, depending on the configuration).
The Attack: If this port is reachable from the public internet without a VPN or IP whitelist in front of it, attackers can brute-force credentials at will.
Consequence: Unlike the user portal, the admin portal controls the file-system paths. Access here grants full control over where files are stored and who can reach them.
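Sections B and C describe the same sequence from the attacker's side: default usernames tried against an exposed admin portal, then a brute-force run, then a successful login from an address that should never reach the console. The script below is an added example, not code from the original page or from FileCatalyst, that flags each of those stages in admin-portal authentication logs. The log line layout, the default account names, the management-network allowlist and the brute-force threshold are all assumptions; the sample lines are constructed for the example, so adapt the regex and the allowlist to your own deployment.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED key=value layout. FileCatalyst's real
# log format differs; only the regex below needs to change to match it.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z src=203.0.113.5 portal=admin user=admin result=FAIL
2024-05-02T10:00:03Z src=203.0.113.5 portal=admin user=admin result=FAIL
2024-05-02T10:00:05Z src=203.0.113.5 portal=admin user=administrator result=FAIL
2024-05-02T10:00:07Z src=203.0.113.5 portal=admin user=root result=FAIL
2024-05-02T10:00:09Z src=203.0.113.5 portal=admin user=admin result=FAIL
2024-05-02T10:00:11Z src=203.0.113.5 portal=admin user=admin result=FAIL
2024-05-02T10:00:20Z src=203.0.113.5 portal=admin user=admin result=OK
2024-05-02T10:05:00Z src=10.20.30.40 portal=admin user=ops.jane result=OK
2024-05-02T10:06:00Z src=198.51.100.7 portal=user user=partner.bob result=OK
2024-05-02T11:00:00Z src=10.20.30.41 portal=admin user=admin result=FAIL
"""

DEFAULT_ACCOUNTS = {"admin", "administrator", "root"}         # assumed defaults
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]     # assumed mgmt net
BRUTE_THRESHOLD = 5                # failures ...
BRUTE_WINDOW = timedelta(minutes=1)  # ... within this span = brute force

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) portal=(?P<portal>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text):
    """Return (alert_type, source_ip, detail) tuples for admin-portal activity."""
    stats = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["portal"] != "admin":
            continue  # user-portal traffic is handled by a different rule set
        s = stats.setdefault(e["src"], {"default": 0, "fails": [], "ok": []})
        if e["result"] == "OK":
            s["ok"].append(e["user"])
        else:
            s["fails"].append(e["ts"])
            if e["user"] in DEFAULT_ACCOUNTS:
                s["default"] += 1

    alerts = []
    for src, s in stats.items():
        allowed = any(ipaddress.ip_address(src) in net for net in ADMIN_ALLOWLIST)
        # Default-account guesses from the management network are usually an
        # operator typo; from anywhere else they are an attacker's first step.
        if s["default"] and not allowed:
            alerts.append(("default_credential_attempts", src, s["default"]))
        burst = _max_in_window(s["fails"], BRUTE_WINDOW)
        brute = burst >= BRUTE_THRESHOLD
        if brute:
            alerts.append(("brute_force", src, burst))
        for user in s["ok"]:
            if not allowed:
                alerts.append(("admin_login_outside_allowlist", src, user))
            if brute:
                # The highest-priority signal: the guessing worked.
                alerts.append(("success_after_brute_force", src, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The one internal failure against `admin` from 10.20.30.41 is deliberately not alerted on, so the rule stays quiet for operators; the sliding-window count, rather than a raw total, keeps a slow trickle of failures over a day from being mistaken for a brute-force run.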
D. Supply Chain / Third-Party Integrations
FileCatalyst often integrates with a mail server for notifications. Attackers modify the SMTP configuration within FileCatalyst so that the server relays phishing campaigns, spoofing internal addresses to harvest further credentials.
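Two controls catch this abuse: comparing the live SMTP settings against what change control says they should be, and watching where notification mail actually goes. The script below is an added example, not code from the original page or from FileCatalyst: the configuration keys, baseline values, organisation domain and notification-log layout are all assumptions, and the sample lines are constructed to show a tampered relay sending from an internal-looking mailbox to outside recipients.

```python
import re
from collections import defaultdict

# Assumed organisation domain; notifications to anything else count as external.
ORG_DOMAINS = {"example.com"}

# Assumed baseline from change control (not FileCatalyst's real setting names).
BASELINE_SMTP = {
    "host": "smtp.internal.example.com",
    "port": 587,
    "starttls": True,
    "auth": True,
    "from": "filecatalyst-noreply@example.com",
}

# Constructed "live" settings as an attacker might leave them: relay pointed at
# their own host, auth and TLS off, sender changed to spoof the help desk.
CURRENT_SMTP = {
    "host": "mx.203-0-113-77.example.net",
    "port": 25,
    "starttls": False,
    "auth": False,
    "from": "it-helpdesk@example.com",
}

# Constructed outbound notification log in an assumed layout.
NOTIFY_LOG = """\
2024-05-02T12:00:00Z from=filecatalyst-noreply@example.com to=alice@example.com
2024-05-02T12:00:05Z from=it-helpdesk@example.com to=bob@partner.example.org
2024-05-02T12:00:06Z from=it-helpdesk@example.com to=carol@mail.example.net
2024-05-02T12:00:07Z from=it-helpdesk@example.com to=dave@other.example.net
2024-05-02T12:00:08Z from=it-helpdesk@example.com to=erin@example.com
"""

LOG_RE = re.compile(r"^\S+ from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def audit_smtp_config(current, baseline):
    """Return human-readable drift findings between live SMTP settings and baseline."""
    findings = []
    for key in ("host", "port", "from"):
        if current.get(key) != baseline.get(key):
            findings.append(f"{key} changed: {baseline.get(key)!r} -> {current.get(key)!r}")
    if not current.get("auth"):
        findings.append("SMTP authentication disabled: anyone who reaches the relay can send")
    if not current.get("starttls"):
        findings.append("STARTTLS disabled: notification mail and credentials travel in clear")
    return findings


def audit_notification_log(log_text, org_domains, external_threshold=3):
    """Flag senders whose notifications mostly leave the organisation.

    A transfer notification goes to the workflow's own users. A server being
    used as a phishing relay sends from an internal-looking address to many
    external mailboxes, so we count external recipients per sender.
    """
    counts = defaultdict(lambda: [0, 0])  # sender -> [external, total]
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        sender, rcpt = m.group("sender"), m.group("rcpt")
        rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
        counts[sender][1] += 1
        if rcpt_domain not in org_domains:
            counts[sender][0] += 1
    return [(s, ext, tot) for s, (ext, tot) in counts.items() if ext >= external_threshold]


if __name__ == "__main__":
    for finding in audit_smtp_config(CURRENT_SMTP, BASELINE_SMTP):
        print("config:", finding)
    for sender, ext, tot in audit_notification_log(NOTIFY_LOG, ORG_DOMAINS):
        print(f"relay abuse? {sender}: {ext}/{tot} messages to external domains")
```

Run the configuration audit on a schedule and alert on any non-empty result; a relay host that changes without a change ticket is worth an incident on its own, before any phishing mail has left the server.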
3. Indicators of Compromise (IOCs)
Security teams should monitor logs for the following indicators:
Unexpected GET/POST Requests: