Maybe it was home workers
Here's my theory:
An employee takes their unpatched Win 7 laptop home and connects via VPN.
Meanwhile their kid has been messing with the family router in order to get their MineCraft/multiplayer server working and has enabled an Allow All port forwarding rule.
Perhaps the Windows firewall is also disabled or it switched to a more relaxed domain profile when the VPN connected.
So the laptop is now infected by a port scan. It then proceeds to infect the employees mapped drives over VPN which are unpatched Win 2008 shares and from those to clients on the LAN.
Is this plausible? No need for the corporate firewall to have had SMB open. Perhaps the spread was even exacerbated by more people working at home on Fridays.