How did our phone system get hacked?

Our phone system is an IP phone system and got hacked in the Saturday midnight, for 77 attempts and 1,866 mins. The dialed location is Cayman Islands.
Our vendor checked and found the compromised extension's voice mailbox used the default password '0000'. Even so, I still don't understand how the hacker got in --
Did they get through our ASA and then into our LAN?
Did they hack to our file servers?
Can someone help me understand this please?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Do you allow forwarding out? I.e. What viice system do you use?
If your organization does not make international calls, make sure you disable international calling on the voice system.
The 0000 might allow a caller to forward their own call out or configure forward calls back out.

They all your number that then forwards the call back out to the number they configured.  They did not have to get through your Asa.

Does your system record CDR data which you could use to identify the origin of the call that was forwarded back out.

123456789 calls your number and your system connects them to the external number.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
I'd say this was done by manipulating the URI in the SIP packets to make use of the ability to forward calls out instead of sending it to voicemail. That option is password protected with a default of 0000; they simply tried all extensions until they hit pay dirt.

It's basically the same as connecting your fully patched and up to date server on the internet with a password of 123456; even though the server is secure anyone will gain access within 10 tries.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Voice Over IP

From novice to tech pro — start learning today.