The admin/admin password means that someone connected to the actual phone and started their shenanigans from there. The admin panel on the phone probably has an option to show the password, which in turn gives the attacker carte-blanche to make all the calls from all of their criminal buddies’ phones they want. Once the external 5060 from the router was turned off, the hole was closed, but if you open it up again, expect the same problems to occur.
From a purely administrative perspective, you should avoid putting your server and your phones in a network position to be accessed from outside the local LAN.