I'd argue that the right approach is to replace the ISP router with your own and disable uPnP, for your own security. Otherwise its only a matter of time before you see this again. You cannot count on having only trusted devices on your network.