How to tighten the PBX security to get rid of fraud calls via compromised extensions

Most of our extensions got compromised, and an enormous number of fraudulent international calls are being made via our Asterisk PBX. I tried blocking the source IPs in iptables, but it's not stopping the fraud completely. How do I change the password of the extensions? (It was greyed out when I checked to edit it.) Will changing the password stop 100% of the fraud calls via those extensions? Is there any other way to tighten the security?
No firewall for our PBX.

Yeah, a firewall would tighten security. Step 1.

Any other way to block the fraud calls?

Change your port, transport and password.

If you remain unable to change the password, consider the box possibly compromised.
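
The port, transport and password advice in the replies above can be checked against the configuration file itself. The following is an added example, not part of the thread: it assumes a chan_sip-style `sip.conf` in which each extension is a section named after its number, and the sample config, the `audit()` helper and the weak-secret criteria are constructed for illustration.

```python
import re

# Constructed sample in chan_sip sip.conf style; not taken from the thread.
SAMPLE_CONF = """\
[general]
bindport=5060
transport=udp

[1001]
secret=1001

[1002]
secret=Xq7!vT2m#Lp9zR4w
"""

def parse_sections(text):
    """Return {section: {key: value}} for a sip.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text, min_len=12):
    """List (section, finding) pairs; secrets themselves are never echoed."""
    sections = parse_sections(text)
    general = sections.get("general", {})
    findings = []
    if general.get("bindport", "5060") == "5060":
        findings.append(("general", "SIP still on default port 5060"))
    transports = {t.strip().lower() for t in general.get("transport", "udp").split(",")}
    if transports == {"udp"}:
        findings.append(("general", "transport still UDP only"))
    for name, opts in sections.items():
        secret = opts.get("secret")
        if name == "general" or secret is None:
            continue
        # Assumed weakness criteria: same as extension, digits only, or short.
        if secret == name or secret.isdigit() or len(secret) < min_len:
            findings.append((name, "weak or guessable secret"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Run against the constructed sample, it flags the default port, the UDP-only transport and extension 1001, whose secret equals its own number; extension 1002 passes.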