Whomever the entity was that had their installation compromised violated a very standard rule of modern cyber security hygiene - NEVER, EVER, EVER allow an administrative interface to be exposed to the Internet.
Administrative access needs to be behind a VPN connection or at least a solid Multi Factor Authentication (MFA) setup for login. Both VPN + MFA is the preferred armor to your kingdom for any administrative credentials.
Tom
