CSA Ghana Flags “FortiBleed” Cyber Campaign Hitting Fortinet Firewalls

The Cyber Security Authority of Ghana has issued a warning about a widespread cybercrime campaign known as “FortiBleed” that is targeting Fortinet FortiGate firewalls and SSL VPN gateways used by organisations across the country.
According to the CSA, the attackers are not relying on a new software vulnerability. Instead, they are breaking into systems by exploiting weak credential practices.
The campaign uses automated scanning to find Fortinet devices that are exposed to the internet, then runs password-spraying attacks using huge collections of usernames and passwords leaked from previous data breaches.
When the right combination is found, attackers log in, catalogue the credentials, and reuse them to access other systems at scale.
Once inside a network, the CSA says threat actors can monitor traffic, capture authentication details, and create backdoors to maintain access.
That foothold often leads to deeper compromise, with attackers moving laterally across internal systems, escalating privileges, and eventually targeting core infrastructure such as Active Directory.
The Authority says Ghanaian organisations are most vulnerable if they leave administrative and VPN login portals open to the public internet, use passwords that are weak, reused, or rarely changed, and fail to enforce multi-factor authentication for remote access.
Allowing administrator logins from any IP address rather than restricting them to trusted networks also increases exposure.
The CSA is urging IT teams to watch for signs that an attack may already be underway.
These include user logins from unusual locations or at strange times, a pattern of repeated failed login attempts followed suddenly by a successful one, new administrator accounts that no one authorised, unexpected changes to firewall settings, abnormal VPN usage such as multiple concurrent sessions, and outbound connections to unfamiliar IP addresses.
The Authority says any of these indicators should trigger an immediate security response.
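The failed-then-successful login pattern the CSA describes can be checked mechanically once authentication events are collected centrally. The sketch below is an added example, not code from the CSA or Fortinet: the event tuples are constructed sample data in an assumed normalised form (time, source IP, username, outcome), not real FortiGate log lines, and the thresholds are illustrative assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed normalised form, not a vendor log format).
EVENTS = [
    ("2024-01-01T02:00:01", "203.0.113.7", "admin", "fail"),
    ("2024-01-01T02:00:09", "203.0.113.7", "jdoe", "fail"),
    ("2024-01-01T02:00:17", "203.0.113.7", "svc-vpn", "fail"),
    ("2024-01-01T02:00:25", "203.0.113.7", "helpdesk", "fail"),
    ("2024-01-01T02:00:33", "203.0.113.7", "ama", "fail"),
    ("2024-01-01T02:00:41", "203.0.113.7", "backup", "fail"),
    ("2024-01-01T02:03:10", "203.0.113.7", "ama", "success"),
    # A user mistyping their own password: should not raise an alert.
    ("2024-01-01T08:15:02", "198.51.100.20", "kofi", "fail"),
    ("2024-01-01T08:15:20", "198.51.100.20", "kofi", "fail"),
    ("2024-01-01T08:15:41", "198.51.100.20", "kofi", "success"),
]

def spray_then_success(events, window=timedelta(minutes=10),
                       min_fails=5, min_users=3):
    """Flag a successful login that follows a burst of failures from the
    same source spread across several different accounts."""
    recent = defaultdict(deque)  # source IP -> (time, user) failures in window
    alerts = []
    for ts, src, user, outcome in sorted(events):  # ISO timestamps sort in time order
        now = datetime.fromisoformat(ts)
        fails = recent[src]
        while fails and now - fails[0][0] > window:
            fails.popleft()  # drop failures that fell out of the window
        if outcome == "fail":
            fails.append((now, user))
        elif outcome == "success":
            accounts = {u for _, u in fails}
            if len(fails) >= min_fails and len(accounts) >= min_users:
                alerts.append({"src": src, "user": user, "time": ts,
                               "failures": len(fails),
                               "accounts_tried": len(accounts)})
                fails.clear()  # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in spray_then_success(EVENTS):
        print(alert)
```

Requiring several distinct accounts per source is what separates spraying from a single user's typos; a campaign that spreads attempts across many source addresses would also need the same count keyed by username.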
To counter the threat, the CSA is calling for urgent action by organisations to reset all administrative and VPN passwords, enforce multi-factor authentication for every remote and admin login, and require strong, unique passwords.
Beyond that, the Authority recommends locking down management interfaces to allow access only from trusted IP addresses, disabling any unsecured or unnecessary services, and keeping Fortinet devices updated with the latest vendor firmware.
Continuous monitoring of firewall, VPN, and authentication logs, combined with network segmentation and least-privilege access, will also limit the damage if a breach occurs.
The CSA said it is coordinating with stakeholders and will provide further updates as the investigation into “FortiBleed” continues.
Entities that suspect their systems may be compromised have been advised to contact the Authority’s cybersecurity incident response team.
Story by Hajara Fuseini