I can't help you with how they gained access to your system to upgrade to v9, but something similar happened to two systems I support. They did not gain access to my HTTPS or need my password.
I found the key vulnerability was when "auto-register IP phones" was enabled. The rogue devices are "auto-registering" to your system. If you look at the remote IP phone's IP address, it's likely from India somewhere. I identified the rogue device because they registered with an NT3xx device, which I have never sold, installed, or supported.
When you upgrade to version 9, the licenses for registering SIP/IP endpoints are eliminated. All ports are unlicensed and likely in the default state. If you have auto-register enabled, any device wanting to connect has ports available to register to.
Countermeasures:
1. Disable "auto-register" for all SIP/IP devices.
2. Put any unused/unregistered port out of service.

Recommendations:
1. If you have port forwarding enabled, restrict the traffic to whitelisted external IPs only.
2. (BEST) Disable all port forwarding, put the system behind a VPN/firewall, and have the remote devices connect using a basic VPN router from the far side.
In your case, I would strongly recommend putting your systems behind a VPN-capable firewall and only allowing remote connections via a VPN router on the far side. To continue supporting the system remotely, use the VPN as well.
Alternatively, use the very real increased security vulnerability of the dated technology to incentivize your customer to change to a more secure, updated system.
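The two checks the reply above does by hand (spotting a registration from an unexpected source network or an unknown phone model, and finding unused ports that should be taken out of service) can be scripted against an export of the PBX's registration table. The following is an added example, not code from the original poster or from any PBX vendor. It assumes a hypothetical CSV export with `port,ip,model` columns, a constructed allowlist of source networks, and a constructed set of phone models the maintainer actually deployed; the sample export and the `NT3xx` rogue entry are constructed for illustration.

```python
"""Audit a PBX's registered SIP/IP endpoints for rogue auto-registrations.

Added example, not the original poster's code. Assumes a hypothetical CSV
export of the registration table (port,ip,model). Networks use RFC 5737
documentation ranges in place of real addresses.
"""
import csv
import io
import ipaddress

# Constructed sample export. Ports 4 and 5 are the kind of entries the
# poster describes: an unknown model (NT3xx), one of them from outside.
SAMPLE_EXPORT = """\
port,ip,model
1,192.168.10.21,ModelA
2,192.168.10.22,ModelA
3,198.51.100.7,ModelB
4,203.0.113.45,NT3xx
5,192.168.10.80,NT3xx
"""

# Assumptions: the LAN, one known remote site, the models actually deployed,
# and the number of SIP/IP ports the system exposes.
ALLOWED_NETWORKS = ["192.168.10.0/24", "198.51.100.0/24"]
KNOWN_MODELS = {"ModelA", "ModelB"}
PORT_COUNT = 8


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "port": int(row["port"]),
            "ip": ipaddress.ip_address(row["ip"].strip()),
            "model": row["model"].strip(),
        })
    return rows


def audit_registrations(text, allowed_networks=ALLOWED_NETWORKS,
                        known_models=KNOWN_MODELS):
    """Return registrations whose source IP or device model is unexpected.

    Each finding lists every reason it was flagged, so a device that is both
    outside the allowed networks and an unknown model shows both.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for reg in parse_export(text):
        reasons = []
        if not any(reg["ip"] in net for net in nets):
            reasons.append("source %s outside allowed networks" % reg["ip"])
        if reg["model"] not in known_models:
            reasons.append("unknown device model %s" % reg["model"])
        if reasons:
            findings.append({"port": reg["port"], "ip": str(reg["ip"]),
                             "model": reg["model"], "reasons": reasons})
    return findings


def unused_ports(text, port_count=PORT_COUNT):
    """Ports with no registration: candidates to put out of service."""
    used = {reg["port"] for reg in parse_export(text)}
    return sorted(p for p in range(1, port_count + 1) if p not in used)


if __name__ == "__main__":
    for finding in audit_registrations(SAMPLE_EXPORT):
        print("port %(port)s %(ip)s %(model)s: %(reasons)s" % finding)
    print("ports to take out of service:", unused_ports(SAMPLE_EXPORT))
```

Run it against a real export after disabling auto-register: anything it flags should be deregistered, and the unused ports it lists should be put out of service so a later auto-registration has nothing to land on.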