WP REST API problem
Hi,
I started with disabling unauthorized REST API access, and everything was OK until the QUICC Cloud image optimization service wanted to call home to me when the job finished and the site could get a new batch of optimized images.
It didn't work because the QUICC cloud uses the public REST API to call home.
So I enabled unauthorized REST API calls, and then the QUICC services could happily call home.
After a while I got a smart Russian hacker who (I still don't know how) impersonated the admin, called the REST API with the Insert User function and implanted an admin into the site. Thank God I caught it very soon (about 30 minutes after the user was created) and deleted it, plus banned the whole ASN of the guy.
Can someone explain to me how it is possible to create an admin user through the REST API without logging in?
The plugin audit log says the admin created a user successfully. I am the admin and I did not create the user, nor was I using the REST API. The password is a random string managed by NordPass and the login form is only filled out through NordPass.
Now I am very concerned about leaving the REST API open. But I need it for the cloud services.
Can we restrict the REST API to an allow-list of IPs only?

Best Regards
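One way to do what the question asks, as an added example that is not from this thread or from any plugin named in it: a must-use plugin that hooks WordPress's `rest_authentication_errors` filter and rejects unauthenticated REST requests unless they originate from an allow-listed address. The CIDR ranges below are constructed placeholders; the optimisation service's real egress addresses would have to come from its own documentation.

```php
<?php
/**
 * Plugin Name: Restrict unauthenticated REST API to an IP allow-list
 * Drop this file into wp-content/mu-plugins/ (example code, not from the thread).
 */

// Hypothetical allow-list: replace with the service's published egress ranges.
const REST_ALLOWED_CIDRS = [
    '203.0.113.0/24',   // constructed TEST-NET range, placeholder only
    '198.51.100.7/32',  // constructed single host, placeholder only
];

/** Return true if the IPv4 address $ip falls inside $cidr ("a.b.c.d/n"). */
function rest_ip_in_cidr( string $ip, string $cidr ): bool {
    [ $subnet, $bits ] = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( false === $ip_long || false === $net_long ) {
        return false; // not a valid IPv4 address: deny rather than guess
    }
    $bits = (int) $bits;
    $mask = 0 === $bits ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function rest_ip_allowed( string $ip ): bool {
    foreach ( REST_ALLOWED_CIDRS as $cidr ) {
        if ( rest_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another handler already decided (WP_Error or explicit true): keep it.
    if ( null !== $result ) {
        return $result;
    }
    // Logged-in users (cookie + nonce) keep normal REST access.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Use REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a
    // trusted reverse proxy in front of PHP overwrites it.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( rest_ip_allowed( $ip ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_not_allowed',
        __( 'REST API requests require authentication.' ),
        [ 'status' => rest_authorization_required_code() ]
    );
} );
```

This only gates anonymous requests; if the audit log shows the admin account itself creating the user, the allow-list does not help against a stolen session or credential, so rotating the admin password, invalidating all sessions and reviewing application passwords is the matching follow-up.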