The most common vector for such an attack is for a SIP secret to leak or a successful brute force against a SIP account. Once they have the SIP secret, they can generate outbound calls. The other possibility is that your GUI was running an old version of framework from last year and was exposed to untrusted traffic, which you say is not the case.
You can search for spurious registrations with the following greps:
grep "Registered SIP" /var/log/asterisk/full*
grep "Added contact" /var/log/asterisk/full*