VMware Horizon is providing remote desktops for your attackers too
On January 10, Sprocket Security published a paper entitled "Crossing the Log4j Horizon - A Vulnerability With No Return". In a nutshell, the VMware Horizon remote desktop solution for virtual workstations, used by many companies (including several we have worked with), is hilariously vulnerable to Log4j, to the point that it can be used to provide a remote shell at the highest privileges on the Windows host running the VMware View program that hosts Horizon. This is because VMware Horizon runs atop Tomcat, a Java web application platform that uses Log4j for its logging system, meaning any and all applications running atop Tomcat are fundamentally vulnerable.
In the short term, this means that if you run VMware Horizon and it is accessible from the internet, attackers can use the VMware View server running that application as a foothold to dive deeper into your network. Log4j attacks are now highly automated: the tooling handles everything from initiating the exploit through to creating a backdoor shell session that gives the attacker total control of the machine. That machine can then be used to steal passwords and compromise accounts, since it is a trusted host on the inside of your network, and it also serves as a starting point for moving deeper into the network.
Firebug is great for detecting early-stage lateral movement, so even if your VMware View server is compromised, the moment the attackers try to start moving we'll pick them up.