Someone has unauthorized access to our site, need help

Hello Folks, we are on cs-cart 4.7.3 and someone has found access to our site through a bug. How can we stop this?

At first log in the HelpDesk and install security updates

Then rename admin.php file and change all passwords

Then is it will be required to examine if malicious code was added to the core files