From the information they provided, qemu was configured to start a VNC service listening on all interfaces, and the compute node's IP address was exposed with that socket unfiltered. It sounds like attackers scanning for VNC servers on the Internet found it, rebooted the virtual machines via ctrl-alt-del and then rooted them by altering bootloader configuration to boot into a shell rather than init. Their evidence suggests the connections were directly to qemu, not via the Nova VNC proxy at all.
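An added example, not part of the original comment: a check a compute-node operator could run to spot the condition described above, a qemu process whose listening TCP socket is bound to something other than loopback. The `ss -H -ltnp` column layout, the constructed sample lines, and the rule that hypervisor process names start with `qemu` are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output from a hypothetical compute node.
SAMPLE_SS = """\
LISTEN 0 1   0.0.0.0:5900    0.0.0.0:* users:(("qemu-system-x86",pid=4312,fd=19))
LISTEN 0 1   127.0.0.1:5901  0.0.0.0:* users:(("qemu-system-x86",pid=4420,fd=19))
LISTEN 0 1   [::]:5902       [::]:*    users:(("qemu-kvm",pid=4511,fd=21))
LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=911,fd=3))
LISTEN 0 1   192.0.2.10:5903 0.0.0.0:* users:(("qemu-system-x86",pid=4600,fd=19))
LISTEN 0 100 *:6080          *:*       users:(("nova-novncproxy",pid=2001,fd=4))
"""

PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def classify(addr):
    """Return 'loopback', 'wildcard' or 'specific' for a listen address."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %scope
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"


def exposed_qemu_listeners(ss_output):
    """List (pid, address, port, scope) for qemu listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        proc = PROC_RE.search(" ".join(fields[5:]))
        if not proc or not proc["name"].startswith("qemu"):
            continue
        addr, port = fields[3].rsplit(":", 1)
        scope = classify(addr)
        # 'wildcard' is the all-interfaces bind; 'specific' still needs a
        # firewall review, since the address may be reachable from outside.
        if scope != "loopback":
            findings.append((int(proc["pid"]), addr, int(port), scope))
    return findings


if __name__ == "__main__":
    for pid, addr, port, scope in exposed_qemu_listeners(SAMPLE_SS):
        print(f"qemu pid {pid} listens on {addr}:{port} ({scope} bind)")
```

QEMU's VNC display N listens on TCP port 5900+N, so findings in that range correspond to guest consoles reachable without going through the Nova VNC proxy.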