Axios Codebook

March 07, 2023
Happy Tuesday! Welcome back to Codebook.
- 🌅 Less than one week left of early sunsets. We're so close!
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,405 words, a 5.5-minute read.
1 big thing: Hackers head to the cloud
Illustration: Aïda Amer/Axios
Hackers are quickly finding flaws in organizations' cloud infrastructure despite perceptions that the technology is ironclad against cyberattacks.
The big picture: Organizations have invested billions of dollars in recent years to move their digital data from traditional, on-premise enterprise storage solutions to the cloud. That investment is expected to keep growing and reach close to $600 billion this year.
- The high price of relocating data was largely paid for one reason: It's far more difficult for hackers to break into an organization's cloud systems.
- But recent research and incidents underscore how quickly malicious hackers are adapting to the new reality.
Driving the news: Attacks exploiting cloud systems nearly doubled in 2022, and the number of hacking groups that can target the cloud tripled last year, according to a CrowdStrike report released last week.
- A wide-reaching ransomware attack last month targeted a vulnerability in a popular VMware product used in cloud systems, leaving thousands of systems exposed.
- Bloomberg reported last month that the recent exposure of roughly a terabyte of Pentagon emails was likely due to a cloud configuration error.
What they're saying: "As more organizations are moving into the cloud, it becomes a much more attractive target for these threat actors, and they're spending more time and resources trying to get into that environment," Adam Meyers, senior vice president of intelligence at CrowdStrike, told Axios.
- "Everybody is doing it. We've seen 17-year-olds, and we've seen the Russian SVR."
By the numbers: About eight in 10 organizations said they had a cloud security incident in the last year, according to a September report from Venafi.
- 45% of the organizations that faced a cloud security incident experienced at least four attacks during that period, the research found.
Between the lines: The cloud is still far more secure than traditional systems, Meyers said, but a big driver of attacks is the security flaws accidentally introduced whenever organizations customize cloud tools for their specific systems.
- On top of that, most organizations also fail to update their legacy cybersecurity tools to spot those cloud configuration errors, Meyers added.
The intrigue: Many hackers are quickly building skills to target cloud storage because of how rewarding it can be.
- During traditional attacks targeting onsite servers, malicious hackers typically need their own port-scanning tools to detect what systems are in an enterprise and where the weak, exploitable spots are.
- But during cloud attacks, those port scanners aren't needed, Meyers said. Malicious hackers who can navigate a cloud environment can use native tools inside the environment to more stealthily search and determine what data is available.
- "You've created a Mentos of security: crunchy on the outside, soft and chewy on the inside," Meyers said.
Yes, but: Attacks targeting the cloud still start in many of the same ways as on-premise attacks: using stolen employee login credentials.
- For instance, cloud security firm Mitiga warned last week that when hackers use legitimate login credentials to break in, the Google Cloud Platform fails to record a proper activity log of the malicious actor's actions, cyber trade publication Dark Reading reports.
The bottom line: As IT spending on the cloud continues to grow, organizations need to make sure they're also reviewing their security setups to ensure they can handle new, cloud-related obstacles.
2. Privacy leader urges surveillance reform
Travis LeBlanc, a member of the Privacy and Civil Liberties Oversight Board, testifying before the Senate Judiciary Committee. Photo: Zach Gibson/Getty Images
A member of a key government oversight board is pushing lawmakers to make reforms to an instrumental intelligence community surveillance power before it's potentially reauthorized this year.
Why it matters: Travis LeBlanc is the first Privacy and Civil Liberties Oversight Board (PCLOB) member to publicly comment on this year's reauthorization fight over Section 702 of the Foreign Intelligence Surveillance Act.
- PCLOB conducts oversight of privacy and surveillance matters involved in the government's counterterrorism efforts, such as FISA Section 702.
- Lawmakers, government officials and advocates often rely on the board's insights to make decisions during high-stakes Washington surveillance debates.
What they're saying: "Given what I have seen and what I know, I do have several concerns about a clean reauthorization without significant, common-sense reforms to safeguard privacy and civil liberties," LeBlanc said Monday during the State of the Net conference in Washington.
The big picture: Section 702 is on the chopping block as Congress stares down a reauthorization deadline at the end of the year.
- The authority allows intelligence agencies to conduct warrantless surveillance of non-American citizens outside the U.S.
- But Americans' digital communications with non-U.S. people overseas often get swept up in the collection process, and all of the data is stored in a searchable law enforcement database for several years after.
State of play: A group of House Republicans is already considering letting the surveillance authority disappear entirely, Politico reported last week.
- Jake Sullivan, national security adviser at the White House, released a statement last week pushing Congress to reauthorize the "vital intelligence collection authority."
- Meanwhile, the ACLU has issued an online petition calling on lawmakers to let Section 702 expire.
Details: LeBlanc reiterated previous PCLOB recommendations that the intelligence community develop a methodology for when it conducts surveillance and release details about how many U.S. persons' communications are incidentally collected during the process.
- LeBlanc also said it might be better if law enforcement agencies are required to get a warrant before searching Section 702 databases for information about U.S. citizens.
What's next: PCLOB is expected to release a report later in the year detailing recommendations for how Congress and the intelligence community can better balance privacy rights within the 702 program, LeBlanc said.
3. Hackers launch malware on small-biz routers
Illustration: Annelise Capossela/Axios
Researchers have uncovered an ongoing, monthslong malware campaign that's targeting and stealing data from pharmaceutical, IT services and consulting firms through their internet routers.
Driving the news: Researchers at Lumen Technologies released a blog post Monday detailing the malware campaign, dubbed HiatusRAT, which started in July and has already affected at least 100 businesses across Europe, North America and Latin America.
- The attackers are targeting end-of-life DrayTek Vigor router models 2960 and 3900, which are popular with small to midsized businesses and allow users to remotely connect to corporate networks.
- As of mid-February, roughly 4,100 machines were still vulnerable to the attack, according to the researchers.
The big picture: Internet routers have always been a ripe target of hackers given their insecure designs and the amount of data that flows through them.
- The risk jumped during the pandemic as workers relied more heavily on their at-home routers to connect to corporate networks.
Details: Researchers believe hackers are seizing the routers as part of a long-term espionage and data exfiltration operation, although it remains unclear who is behind the campaign.
- The HiatusRAT malware intercepts any data that passes through the infected router and sends it to the hackers.
- The malicious actors also set up the infected routers to operate as bots that disperse malicious traffic to victims on other networks, obfuscating whatever trail they leave behind.
What they're saying: "These devices typically live outside the traditional security perimeter, which means they usually are not monitored or updated," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs, in a statement.
- "This helps the actor establish and maintain long-term persistence without detection," he added.
Be smart: Lumen Technologies recommends consumers regularly monitor, reboot and install security updates onto their at-home, self-managed routers.
4. Catch up quick
@ D.C.
👀 The Department of Homeland Security has been conducting a little-known domestic surveillance program for years. (Politico)
🔎 FBI searches of American information collected under Section 702 are said to have "dramatically decreased" since the summer of 2021. (New York Times)
📲 Breaking down the political hurdles facing an outright TikTok ban. (Axios)
@ Industry
✈️ JetBlue has hired Keith Anderson away from Warner Bros. Discovery as its chief information security officer. (Cybersecurity Dive)
@ Hackers and hacks
🚓 European law enforcement raided the homes and arrested suspected members of the DoppelPaymer ransomware gang, which is linked to a deadly attack on a German hospital in 2020. (CyberScoop)
👾 The Play ransomware gang has started leaking data stolen from the City of Oakland following a recent attack. (BleepingComputer)
📞 Scammers are increasingly using AI chatbots to impersonate loved ones in phone calls attempting to trick people into sending thousands of dollars. (Washington Post)
5. 1 fun thing
A cocktail book from two members of the "Vanderpump Rules" cast. Photo: Sam Sabin/Axios
This one goes out to all my "Vanderpump Rules" fans (a niche crossover, I know):
- What exactly am I supposed to do with this cocktail book after the explosive fandom news over the weekend??? It feels awkward to keep it and also wrong to throw it out. I'll take any suggestions you have.
☀️ See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.
Decode key cybersecurity news and insights. With Sam Sabin.