I took only a brief look at the log so this is approximate:
Attacker called in and dialed 104 through IVR. Follow Me was enabled and the list included an external number “6026667777”. That was called and it answered after 26 seconds (probably went to voicemail). Attacker then was able to dial *2 (attended transfer) then *93 102 13172164903.
I believe that this is a FreePBX bug. With ‘Disallow transfer features for inbound callers’ turned on, this should not only disable transfers on the inbound leg, but the disable should be ‘inherited’ by any outbound legs spawned by the incoming call. I believe that this used to work and some recent changes in ‘local’ channel and Follow Me / Ring Group logic broke it. I don’t know whether updating all modules to current will fix the issue. If not, you should probably open a ticket.
But in any case, if you don’t use the ‘In-Call’ features listed in Admin -> Feature Code -> Core, disable them. Note that this does not affect SIP transfer (what the Transfer key on most IP phones and softphones does). Also, take a look in Advanced Settings at Asterisk Dial Options and Asterisk Outbound Trunk Dial Options; remove any that you don’t need. On my system, the former is ‘r’ and the latter is blank.
If you actually use DTMF transfer, e.g. you want someone working from home to be able to transfer calls that were forwarded to his mobile, include only the dial options needed (on the outbound trunk, t but not T). See https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Application_Dial .
Note that until you adjust the Dial Options and/or the In-Call features (or the bug gets fixed), an attacker could still use *2 to call out if his incoming call gets forwarded externally by whatever means. I see that his attempted call to India was rejected, though there is not enough info in the log to see why (I’m guessing that your International route is restricted to specific extensions or specific countries).