Our system had a large number of outgoing calls over the weekend, which I thought were related to the ARI exploit when I found them this morning. The FreePBX firewall and fail2ban are both active. The calls stopped after I changed the ARI account credentials and restarted the server this morning. They started again this afternoon.
Edited Post to remove log and some details.
I believe the server was set to provision some remote extensions over HTTP and the credentials were likely compromised.
Tightening up the firewall / provisioning setup and changing some port configurations and seeing if the problem returns.