China-Linked Ransomware Group Targets Australian Financial Services — Patches Are Your Best Defence

Microsoft has published a detailed advisory on Storm-1175, a China-based cybercriminal group that’s been deploying Medusa ransomware at what Microsoft describes as “high velocity.” The group specifically targets web-facing systems and has hit organisations in Australia, the UK, and the US — with finance, healthcare, and professional services among the hardest-hit sectors. As reported by BleepingComputer, the group has exploited over 16 vulnerabilities across 10 different products, sometimes weaponising flaws before patches are even available.

For wealth management firms and financial advisers, this is particularly relevant. Storm-1175 doesn’t send phishing emails and hope for the best — they scan for unpatched web-facing systems (think VPNs, remote access portals, file transfer tools) and move from initial access to data exfiltration and ransomware deployment in as little as 24 hours. If your firm uses products like GoAnywhere, ConnectWise ScreenConnect, Ivanti Connect Secure, or BeyondTrust, you’re in the crosshairs. Given the Privacy Act obligations around client financial data and the reputational cost of a breach in this sector, the stakes are high.

The practical takeaway is simple but urgent: audit every internet-facing system your firm operates and make sure patches are current. If you’re running any remote access or file transfer tools, check them against Microsoft’s advisory for the specific CVEs being exploited. Disable any web-facing services you don’t actively need, and make sure your endpoint detection is tuned to flag new user account creation and unexpected remote management tools — both hallmarks of Storm-1175’s playbook.
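The two detections named above, as an added example that is not part of the original post or of Microsoft's advisory: the Python below triages normalised Windows Security events (4720, user account created; 4688, process created) and raises severity when an unapproved remote management tool starts on a host within 24 hours of a new account appearing there. The event records, the approved list and the watch list are constructed assumptions to replace with your own inventory.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), normalised from the Windows
# Security log: 4720 = user account created, 4688 = process created.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T02:14:00", "host": "FILE01", "event_id": 4720, "target_user": "svc_backup2"},
    {"time": "2025-01-10T03:40:00", "host": "FILE01", "event_id": 4688, "image": r"C:\Users\Public\AnyDesk.exe"},
    {"time": "2025-01-10T09:00:00", "host": "WS07", "event_id": 4688,
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"time": "2025-01-10T09:05:00", "host": "WS07", "event_id": 4688, "image": r"C:\Windows\System32\notepad.exe"},
    {"time": "2025-01-11T11:00:00", "host": "WS12", "event_id": 4688, "image": r"C:\Temp\TeamViewer.exe"},
]

# Assumptions: tools this firm has approved, and RMM binaries worth watching.
APPROVED_RMM = {"screenconnect.clientservice.exe"}
RMM_WATCHLIST = {"screenconnect.clientservice.exe", "anydesk.exe", "teamviewer.exe"}
WINDOW = timedelta(hours=24)  # the post's initial-access-to-ransomware timeframe


def triage(events):
    """Return alerts for new accounts and unapproved remote management tools."""
    alerts, created = [], {}  # created: host -> account-creation timestamps
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts, host = datetime.fromisoformat(ev["time"]), ev["host"]
        if ev["event_id"] == 4720:
            created.setdefault(host, []).append(ts)
            alerts.append({"host": host, "rule": "new_account",
                           "detail": ev["target_user"], "severity": "medium"})
        elif ev["event_id"] == 4688:
            exe = ev["image"].rsplit("\\", 1)[-1].lower()
            if exe in RMM_WATCHLIST and exe not in APPROVED_RMM:
                # Escalate when the tool follows a fresh account on the same host.
                chained = any(timedelta(0) <= ts - t <= WINDOW for t in created.get(host, []))
                alerts.append({"host": host, "rule": "unapproved_rmm",
                               "detail": exe, "severity": "high" if chained else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Matching on file name alone misses renamed binaries, so pair it with signer or hash data where your endpoint tooling exposes it.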

If you’d like a hand reviewing your firm’s exposure or need help prioritising patches, All IT Services works with financial services firms to keep exactly this kind of threat at bay.
